By default, all SSH certificates use ECDSA as their key algorithm. If you want a different key algorithm, there are a couple of steps to follow:
- Contact Smallstep support and ask them to replace your existing SSH signing keys with keys using an algorithm of your choosing.
- On the user or host side, generate an SSH key pair with `ssh-keygen` using the algorithm of your choosing.
- Use the `step` CLI to sign the local key you generated and issue a corresponding SSH certificate.
To sign an RSA user SSH certificate with the CA, run:
```shell
ssh-keygen -t rsa -b 3072 -f alice
step ssh certificate --sign alice alice.pub
# optionally: ssh-add alice alice-cert.pub
```
To sign an RSA host SSH certificate with the CA, run:
```shell
ssh-keygen -t rsa -b 3072 -f example_host
step ssh certificate --sign --host example_host.com example_host.pub
```
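After signing, it is worth confirming that the issued certificate really carries the key algorithm you asked for, and that the `Signing CA` line reflects the algorithm the CA is using (ECDSA unless support has swapped the signing keys). The script below is an added example, not code from the Smallstep docs or the `step` CLI: it parses the output of `ssh-keygen -L -f <cert>` and checks the certificate type and role. The embedded `ssh-keygen -L` output is constructed for illustration, with placeholder fingerprints; the helper names (`cert_key_type`, `cert_role`, `signing_ca_alg`, `check_cert`, `verify_cert_file`) are mine.

```shell
#!/bin/sh
# Added example: sanity-check an SSH certificate issued by `step ssh certificate --sign`.
# Reads `ssh-keygen -L` output on stdin; no network or CA access needed.

# Constructed sample of `ssh-keygen -L -f alice-cert.pub` for an RSA user certificate
# signed by an ECDSA CA (fingerprints are placeholders, not real key material).
SAMPLE_RSA_USER_CERT='alice-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:PLACEHOLDER_KEY_FINGERPRINT
        Signing CA: ECDSA SHA256:PLACEHOLDER_CA_FINGERPRINT (using ecdsa-sha2-nistp256)
        Key ID: "alice"
        Serial: 1
        Principals:
                alice'

# Constructed sample for a host certificate that was left on the default ECDSA key type.
SAMPLE_ECDSA_HOST_CERT='example_host-cert.pub:
        Type: ecdsa-sha2-nistp256-cert-v01@openssh.com host certificate
        Public key: ECDSA-CERT SHA256:PLACEHOLDER_HOST_FINGERPRINT
        Signing CA: ECDSA SHA256:PLACEHOLDER_CA_FINGERPRINT (using ecdsa-sha2-nistp256)
        Key ID: "example_host.com"
        Serial: 2
        Principals:
                example_host.com'

# cert_key_type: print the bare key type (ssh-rsa, ssh-ed25519, ecdsa-sha2-nistp256, ...)
# by stripping the "-cert-v01@openssh.com" suffix from the Type line.
cert_key_type() {
  awk '$1 == "Type:" { sub(/-cert-v01@openssh\.com$/, "", $2); print $2; exit }'
}

# cert_role: print "user" or "host" from the Type line.
cert_role() {
  awk '$1 == "Type:" { print $3; exit }'
}

# signing_ca_alg: print the CA key algorithm as ssh-keygen reports it (e.g. ECDSA, RSA, ED25519).
signing_ca_alg() {
  awk '$1 == "Signing" && $2 == "CA:" { print $3; exit }'
}

# check_cert EXPECTED_TYPE EXPECTED_ROLE: succeed only if the certificate on stdin
# has both the expected key type and the expected role.
# usage: ssh-keygen -L -f alice-cert.pub | check_cert ssh-rsa user
check_cert() {
  out=$(cat)
  type=$(printf '%s\n' "$out" | cert_key_type)
  role=$(printf '%s\n' "$out" | cert_role)
  if [ "$type" = "$1" ] && [ "$role" = "$2" ]; then
    return 0
  fi
  echo "certificate mismatch: got type=$type role=$role, expected type=$1 role=$2" >&2
  return 1
}

# verify_cert_file CERT_FILE EXPECTED_TYPE EXPECTED_ROLE: same check against a real file.
# Requires ssh-keygen on PATH; e.g. verify_cert_file alice-cert.pub ssh-rsa user
verify_cert_file() {
  ssh-keygen -L -f "$1" | check_cert "$2" "$3"
}
```

Run `verify_cert_file alice-cert.pub ssh-rsa user` (or `verify_cert_file example_host-cert.pub ssh-rsa host`) after the signing commands above; a non-zero exit means the certificate was issued on a different key type than intended, which typically means the wrong public key was passed to `--sign`.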