Using own HostCertificate & HostKey with Teleport

I use Vault to issue host certificates.

To use Teleport with OpenSSH I must disable host key checking:

# snippet from /etc/teleport.yaml
  proxy_checks_host_keys: no

Is this a good solution? Is it possible to integrate my keys into Teleport?


There’s currently no (easy) way to import a host CA from outside of Teleport.

Assuming that you could do the reverse (import Teleport’s host CA into Vault, rather than importing Vault’s host CA into Teleport) then one option might be to get the host CA from Teleport: tctl get --with-secrets cas

There are two CAs - one type: user and one type: host. They’re base64 encoded - you might be able to extract the data and feed it into Vault so that it can issue certs which will validate against Teleport’s host CA.

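The extraction step suggested in the answer above, as an added example (not code from the original posts or from Teleport). It assumes the `tctl get --with-secrets cas` output is available as JSON and that the keys sit base64-encoded in `spec.checking_keys` and `spec.signing_keys`; those field names and the sample data are assumptions and constructed values, so check them against your own output.

```python
import base64
import hashlib
import json
import os

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

# Constructed sample, not real tctl output. Assumed layout: a JSON list of
# cert_authority resources with base64 values in spec.checking_keys (public)
# and spec.signing_keys (private); field names may differ between versions.
HOST_BLOB = b"constructed-host-ca-key-blob"
SAMPLE_CAS = json.dumps([
    {"kind": "cert_authority", "spec": {"type": "user",
        "checking_keys": [b64(b"ssh-rsa " + b64(b"constructed-user-ca-key-blob").encode())],
        "signing_keys": [b64(b"PLACEHOLDER-USER-CA-PRIVATE-KEY")]}},
    {"kind": "cert_authority", "spec": {"type": "host",
        "checking_keys": [b64(b"ssh-rsa " + b64(HOST_BLOB).encode())],
        "signing_keys": [b64(b"PLACEHOLDER-HOST-CA-PRIVATE-KEY")]}},
])

def host_ca(cas_json: str) -> dict:
    """Return the one CA of type 'host'; never fall back to the user CA."""
    hosts = [ca for ca in json.loads(cas_json)
             if ca.get("kind") == "cert_authority"
             and ca.get("spec", {}).get("type") == "host"]
    if len(hosts) != 1:
        raise ValueError(f"expected exactly one host CA, found {len(hosts)}")
    return hosts[0]

def public_keys(ca: dict) -> list:
    """Decode the CA public keys to authorized_keys-style lines."""
    return [base64.b64decode(k).decode().strip() for k in ca["spec"]["checking_keys"]]

def fingerprint(pub_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint, for comparing against the CA's real one."""
    blob = base64.b64decode(pub_line.split()[1])
    return "SHA256:" + b64(hashlib.sha256(blob).digest()).rstrip("=")

def save_signing_key(ca: dict, path: str) -> None:
    """Write the private key owner-only (0600) instead of printing it."""
    key = base64.b64decode(ca["spec"]["signing_keys"][0])
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)

if __name__ == "__main__":
    for line in public_keys(host_ca(SAMPLE_CAS)):
        print(fingerprint(line))
```

The export contains the private signing keys of both CAs, so treat the file itself as a secret and delete it once the host CA has been handed over.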