
Host CA

An extremely simplistic CA for managing ssh host keys. Do you have a large number of admins who log into a large number of machines? Are you sick of seeing:

The authenticity of host 'example.org (192.0.2.1)' can't be established.
ECDSA key fingerprint is 49:20:68:61:74:65:20:74:68:69:73:20:6d:73:67:0a
Are you sure you want to continue connecting (yes/no)?

Or, even worse, someone has reinstalled one of your machines and you get the dreaded:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
49:20:68:61:74:65:20:74:68:69:73:20:74:6f:6f:0a
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/user/.ssh/known_hosts:1
RSA host key for 192.0.2.1 has changed and you have requested strict checking.
Host key verification failed.

There must be a better way. And that's where hostca comes in. By signing your ssh host keys with a CA, your client can automatically validate them without ever having logged into the machine before.

Creating the CA

Run create-hostca as root on the machine you trust to act as the CA. It creates the CA key at /etc/ssh/hostca, creates a "hostca" unix group, and suggests you add yourself to it. Easy. create-hostca is a very short shell script if you want to audit it. You probably want to back up the CA key file.

Using the CA

On a machine that has host keys you want to sign, run enroll-host ca-host. This copies the host keys to ca-host, signs them, copies the certificates back, and updates sshd_config to use them. It also creates an ssh_known_hosts file that refers to the CA's public key, so that logins from this machine will be validated against the CA.

Enrolling a client machine

If you have a machine that doesn't run an ssh server but needs to be able to verify host keys (e.g. a laptop or desktop), you can use enroll-client to add the required CA public keys. enroll-client takes one parameter: the name of a machine you can log in to, from which it fetches the CA's public key.

Enrolling a user

enroll-client is all well and good if you're an administrator on a machine, but if you don't have sudo access and still want to validate other machines, you can use enroll-user, which updates ~/.ssh/known_hosts with the CA public key for you. Once again, enroll-user takes the hostname of an existing machine that has the CA installed on it.
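The steps that create-hostca, enroll-host and enroll-client/enroll-user automate, done by hand with ssh-keygen in a scratch directory, as an added example that is not hostca's own code. It assumes ssh-keygen is on the PATH (it does nothing otherwise), and the hostnames, paths and 52-week validity are made up for the example; the cert_ok function performs the same checks a client does when it accepts a CA-signed host key.

```shell
#!/bin/sh
# Added example, not hostca's own scripts: the signing and trust steps that
# create-hostca, enroll-host and enroll-client automate, done by hand with
# ssh-keygen in a scratch directory. Paths, names, validity: assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

have_ssh_keygen() { command -v ssh-keygen >/dev/null 2>&1; }

# make_ca DIR: the CA keypair create-hostca generates; the private half stays here.
make_ca() { ssh-keygen -q -t ed25519 -N '' -C hostca -f "$1/hostca"; }

# sign_host CADIR HOSTDIR PRINCIPALS: issue a *host* certificate (-h) for the
# host public key, limited to the listed names/addresses and to 52 weeks;
# prints the path of the certificate ssh-keygen writes next to the key.
sign_host() {
    ssh-keygen -q -s "$1/hostca" -I "hostca:$3" -h -n "$3" -V -5m:+52w \
        "$2/ssh_host_ed25519_key.pub"
    printf '%s\n' "$2/ssh_host_ed25519_key-cert.pub"
}

# known_hosts_line CA_PUB PATTERN: the one line enroll-client/enroll-user
# install; PATTERN restricts which hosts this CA is allowed to vouch for.
known_hosts_line() {
    printf '@cert-authority %s %s\n' "$2" "$(cut -d' ' -f1,2 "$1")"
}

# cert_ok CERT CA_PUB PRINCIPAL: 0 when CERT is a host certificate, its
# Signing CA fingerprint matches CA_PUB, and PRINCIPAL is among its principals.
cert_ok() {
    out=$(ssh-keygen -L -f "$1") || return 1
    ca_fp=$(ssh-keygen -l -f "$2" | awk '{print $2}')
    printf '%s\n' "$out" | grep -q 'host certificate' || return 1
    printf '%s\n' "$out" | grep -q "Signing CA: .*$ca_fp" || return 1
    printf '%s\n' "$out" | grep -qx "[[:space:]]*$3"
}

if have_ssh_keygen; then
    mkdir -p "$WORK/ca" "$WORK/host"
    make_ca "$WORK/ca"
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/host/ssh_host_ed25519_key"
    CERT=$(sign_host "$WORK/ca" "$WORK/host" 'example.org,192.0.2.1')
    # sshd gets: HostCertificate $WORK/host/ssh_host_ed25519_key-cert.pub
    known_hosts_line "$WORK/ca/hostca.pub" '*.example.org,192.0.2.*'
    cert_ok "$CERT" "$WORK/ca/hostca.pub" example.org && echo 'certificate verifies'
fi
```

Note that the @cert-authority pattern is what stops a stolen or over-broad CA from vouching for hosts outside your own namespace, and the -n principals on the certificate bound which names a single signed key may claim.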
