Bootstrapping SSH public keys

[tashian]

Discussed in #2253

^{Originally posted by Skyb0rg007 April 28, 2025}
step-ca provides a method to access the root certificate of the x509 PKI: curl https://ca.example.com/root/{fingerprint}.
This doesn't exist for SSH however, the most similar being the /ssh/roots endpoint.
This endpoint doesn't return the SSH public keys in a usable format for sshd_config usage, since it does not include the algorithm names, which is difficult to extract from the base64 strings from a shell script.

1. Is there a simple way to convert the base64-encoded SSH public keys from https://ca.example.com/ssh/roots into the standard OpenSSH format?
2. Is there an option in step to download a public SSH key?

I know ecdsa keys aren't too long, but it's more convenient to distribute the sha256 fingerprint and an endpoint.

[hslatman]

step ssh config --roots exists. step ssh roots might be better. step ssh ca is another option.

[tashian]

@Skyb0rg007

[Skyb0rg007]

Thanks, this issue is resolved. Using step ssh config --roots for servers to trust users and step ssh config --host --roots for clients to trust servers.