Bootstrap enrollment + cert renewal. Both flows sign the CSR with the host’s SSH ed25519 key (RFC-0003 §2); the agent never generates keys.
Modules§
- pem 🔒
Functions§
- cert_remaining_fraction - Returns (remaining_fraction, not_after); < 0.5 means time to renew.
- enroll
- fingerprint_pubkey_raw - base64 SHA-256 of raw pubkey bytes; matches CP’s expected_pubkey_fingerprint field on the bootstrap token.
- generate_csr_from_ssh_host_key - Builds a CSR signed by the SSH host key; returns (PEM CSR, raw 32-byte pubkey). CP rejects if the pubkey doesn’t match hosts.<hostname>.pubkey. FOOTGUN: SSH key is OpenSSH PEM; rcgen wants PKCS#8 - we rewrap via the proto helper before handing to KeyPair::from_pem.
- renew
- write_atomic 🔒 - Tempfile + rename so a crash mid-write doesn’t leave a half-written cert.
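The two helpers whose behaviour the listing spells out, the renewal threshold of cert_remaining_fraction and the tempfile-plus-rename pattern of write_atomic, as an added example in plain std Rust. This is not the crate's own code: the crate's function signatures and timestamp types are not shown on this page, so the u64 Unix-seconds arguments, the needs_renewal helper, the ".tmp" suffix and the parent-directory fsync are my assumptions.

```rust
use std::fs::{self, File};
use std::io::{self, Write};
use std::path::Path;

/// Fraction of the certificate's validity window that is still ahead of `now`.
/// Returns (remaining_fraction, not_after), mirroring the tuple described in the
/// module listing. ASSUMPTION: timestamps are Unix seconds; the real crate may
/// use a different time type.
pub fn cert_remaining_fraction(not_before: u64, not_after: u64, now: u64) -> (f64, u64) {
    // A degenerate or inverted window has no lifetime left to spend.
    if not_after <= not_before {
        return (0.0, not_after);
    }
    let lifetime = (not_after - not_before) as f64;
    // Clock skew before not_before counts as "full lifetime remaining";
    // anything past not_after saturates to zero.
    let remaining = not_after.saturating_sub(now.max(not_before)) as f64;
    ((remaining / lifetime).clamp(0.0, 1.0), not_after)
}

/// The page's rule: below half the lifetime remaining, it is time to renew.
/// (Hypothetical helper, not listed in the crate.)
pub fn needs_renewal(remaining_fraction: f64) -> bool {
    remaining_fraction < 0.5
}

/// Write `bytes` to `path` so that a crash at any point leaves either the old
/// file or the complete new file, never a truncated one. Tempfile in the same
/// directory (rename must not cross filesystems), fsync the data, rename over
/// the target, then fsync the directory so the new entry itself is durable.
pub fn write_atomic(path: &Path, bytes: &[u8]) -> io::Result<()> {
    let file_name = path
        .file_name()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "path has no file name"))?;
    let mut tmp_name = file_name.to_os_string();
    tmp_name.push(".tmp"); // ASSUMED suffix; the crate's choice is not on the page
    let tmp = path.with_file_name(tmp_name);

    let mut f = File::create(&tmp)?;
    f.write_all(bytes)?;
    f.sync_all()?; // data + metadata on disk before the rename is visible
    drop(f);
    fs::rename(&tmp, path)?;

    // Make the directory entry durable too (no-op on platforms that ignore it).
    if let Some(dir) = path.parent().filter(|p| !p.as_os_str().is_empty()) {
        File::open(dir)?.sync_all()?;
    }
    Ok(())
}

fn main() -> io::Result<()> {
    // Constructed sample window: a 90-day cert checked 50 days in.
    let day = 86_400;
    let (frac, not_after) = cert_remaining_fraction(0, 90 * day, 50 * day);
    println!("remaining={:.3} not_after={} renew={}", frac, not_after, needs_renewal(frac));

    let target = std::env::temp_dir().join("example_agent_cert.pem");
    write_atomic(&target, b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n")?;
    println!("wrote {}", target.display());
    fs::remove_file(&target)
}
```

Because the tempfile lives beside the target, a reader of the directory sees only complete certificates: the rename is the single atomic step, and the fsync before it guarantees the bytes the rename exposes are the bytes that were written.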