# ansible-role-ssh-ca

Ansible role to deploy a basic SSH certificate authority.

It is implemented as a simple wrapper above ssh-keygen, which is deployed on a server.
It supports issuing host certificates as well as user certificates.

## Limitations

I currently only use this in my home lab, and it should not be used in more critical environments.
Notable, it has the following limitations:

- No expiration date and no mechanism to issue new certificates
- No mechanism to revoke certificates
- No mechanism to roll over CA key pair

## Usage

The following variables must be set before calling the role:

- `ssh_ca_dir`: Working directory for the certificate authority
- `ssh_ca_key_pairs`: List of CA key pairs
  - `name`: File name of the CA key pair
  - `public_key`: Public key contents on the key pair
  - `private_key`: Private key contents on the key pair