# Janus

Janus is the god of doorways and passages.

## Setup

### Step-CA

[Getting Started]

[Getting Started]: https://smallstep.com/docs/step-ca/getting-started/

```
step ca init --ssh --acme
```

### [Running `step-ca` as a Daemon](https://smallstep.com/docs/step-ca/certificate-authority-server-production/#running-step-ca-as-a-daemon)

### [Renewal using `systemd` timers](https://smallstep.com/docs/step-ca/renewal/#renewal-using-systemd-timers)

## SSH Certificates

### Server

Use step-ca to sign the existing host public key, producing a host certificate that carries the listed principals.

```
step ssh certificate --host --sign \
    --principal janus --principal janus.john-stream.com \
    --provisioner admin \
    janus /etc/ssh/ssh_host_ed25519_key.pub
```

Fetch the public key of the CA that signs user SSH certificates from step-ca.

```
step ssh config --roots > /etc/ssh/ssh_user_ca.pub
```

Configure sshd to trust the user CA and to present the host key together with its certificate.

```
cat << EOF > /etc/ssh/sshd_config.d/certs.conf
TrustedUserCAKeys /etc/ssh/ssh_user_ca.pub
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
EOF
```

```
systemctl reload sshd
```

### Client

```
step ssh certificate --sign \
    --principal root --principal john \
    --provisioner admin \
    john@john-pc-ubuntu ~/.ssh/id_ed25519.pub
```
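
A lint for the `certs.conf` drop-in from the Server section, to run before `systemctl reload sshd`. This is an added example, not part of the original setup notes. The function names are hypothetical, and the check pairs paths by the `<HostKey>-cert.pub` naming used above rather than comparing key material.

```bash
# Lint an sshd drop-in such as certs.conf (added example; function names are hypothetical).
# directive_values FILE KEYWORD -> print each value of KEYWORD, one per line (keywords are case-insensitive)
directive_values() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2 }' "$1"
}

# lint_cert_conf FILE -> print findings; return 0 when clean, 1 otherwise
lint_cert_conf() {
    local conf="$1" rc=0 cert key found
    if [ -z "$(directive_values "$conf" TrustedUserCAKeys)" ]; then
        echo "missing TrustedUserCAKeys: user certificates will not be accepted"
        rc=1
    fi
    if [ -z "$(directive_values "$conf" HostCertificate)" ]; then
        echo "missing HostCertificate: clients are offered only the bare host key"
        rc=1
    fi
    # Every HostCertificate must sit beside a configured HostKey (paths without spaces assumed).
    for cert in $(directive_values "$conf" HostCertificate); do
        found=0
        for key in $(directive_values "$conf" HostKey); do
            if [ "$cert" = "${key}-cert.pub" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "HostCertificate $cert does not pair with any HostKey"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the drop-in from this page with the certificate path mistyped.
sample=$(mktemp)
cat > "$sample" << 'EOF'
TrustedUserCAKeys /etc/ssh/ssh_user_ca.pub
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519-cert.pub
EOF
lint_cert_conf "$sample" || echo "drop-in needs fixing before sshd is reloaded"
rm -f "$sample"
```

Once the lint passes, `sshd -t` validates the full configuration and `ssh-keygen -L -f /etc/ssh/ssh_host_ed25519_key-cert.pub` shows the certificate's principals and validity window.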