Hrm. Web-PKI. A better idea might involve not putting the responsibility for protecting You from The Browser with.. The Browser. Something in the back of my mind about wolves and hen houses..
I've been looking at github/smallstep to help with SSH. The only problems I've run into are traced to my past laziness (mostly surrounding OIDC w/ OAuth workflow (which is baked in if using Google orgs)).
The docs are decent enough. The case I'm targeting is to use Keycloak as the broker. Smallstep's DIY-OIDC doc was written a few years ago. At some point, since then, the Keycloak client schema changed (I'll open a ticket with a working example when I achieve cluefulness).
When I started looking for OSS SSH CA management tools, Smallstep seems to be the only player left on the field, but the devs are responsive and they have a Discord setup for questions and discussion.