--- /dev/null
+user CA generation:
+ ssh-keygen -t ed25519 -C user-CA -f user-CA
+
+user CA setup (as root on ssh servers):
+ copy user-CA.pub to /etc/ssh
+ echo "TrustedUserCAKeys /etc/ssh/user-CA.pub" >/etc/ssh/sshd_config.d/99-user-CA.conf
+
+user key generation:
+ ssh-keygen -t ed25519 -C <key comment> -f <key file>
+ where
+ key comment and file: username the key belongs to
+
+user key signing:
+ ssh-keygen -I <certificate identity> \
+ -n <principals> \
+ -s <user CA private key file> \
+ -V <start YYYYMMDD[HHMM]:end YYYMMMDDD[HHMM]> \
+ [-z <serial number>] \
+ <public key file>
+ where
+ certificate identity: username the key belongs to
+ principals: comma (and no space) separated target users
+
+user key passphrase change:
+ ssh-keygen -p -f <user private key file>
+
+----------------
+
+host CA generation:
+ ssh-keygen -t ed25519 -C host-CA -f host-CA
+
+host CA setup (as root on ssh clients):
+ echo "@cert-authority *.usr.user.hu <contents of host-CA.pub>" >/etc/ssh/ssh_known_hosts
+
+host key signing (as root on ssh servers):
+ ssh-keygen -h \
+ -I <fqdn> \
+ -n <fqdn> \
+ -s <host CA private key file> \
+ /etc/ssh/ssh_host_ed25519_key.pub
+
+host certificate setup (as root on ssh servers):
+ echo "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub" >/etc/ssh/sshd_config.d/99-host-cert.conf
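Review bot: the host CA setup line for clients (`echo "@cert-authority *.usr.user.hu ..." >/etc/ssh/ssh_known_hosts`) uses a single `>`, so it replaces any existing system-wide known_hosts rather than adding to it; use `>>` there, or write a dedicated file and point `GlobalKnownHostsFile` at it. Two smaller points in the same hunk: the `-V` format in the user key signing step reads `YYYMMMDDD[HHMM]` for the end date, which should be `YYYYMMDD[HHMM]` (ssh-keygen also accepts a relative interval such as `-V +52w`), and the host key signing command has no `-V` at all, so the host certificate never expires; pass `-V` there too, and note that `-n <fqdn>` must match the name clients actually connect with, since a certificate whose only principal is the FQDN will not validate a connection to the short hostname or the IP. Finally, the two `sshd_config.d` drop-ins depend on `Include /etc/ssh/sshd_config.d/*.conf` being present in sshd_config; worth stating that and adding `sshd -t` as a check before reloading sshd.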