User certificates with empty principals?

Brian Candler b.candler at
Mon Feb 22 20:33:59 AEDT 2021

On 21/02/2021 22:05, Rory Campbell-Lange wrote:
> Can one not configure Vault to never issue certificates without a
> principals list? If not, perhaps HashiCorp can be persuaded to add the
> option.

Not as far as I can see, and I don't want to raise a feature request 
without a valid use case.

*Host* certificates may be the driver.  ssh-keygen suggests that a host 
certificate with no principals can masquerade as any host (but I haven't 
tested it yet).

More information about the openssh-unix-dev mailing list
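
An added example, not part of the original thread: a Python check that reads the principals field of an OpenSSH certificate and flags an empty list, the case discussed above. The field order follows OpenSSH's PROTOCOL.certkeys; the function names are hypothetical, and `sample_line` builds constructed, unsigned input that stops at the principals field.

```python
import base64
import struct

# Public-key fields between the nonce and the serial, per PROTOCOL.certkeys.
KEY_FIELDS = {
    "ssh-rsa-cert-v01@openssh.com": 2,
    "ssh-dss-cert-v01@openssh.com": 4,
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp384-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp521-cert-v01@openssh.com": 2,
    "ssh-ed25519-cert-v01@openssh.com": 1,
}

def _pack(b):
    return struct.pack(">I", len(b)) + b

def _string(buf, off):
    """Read one length-prefixed SSH string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def cert_principals(line):
    """Return (cert type, key id, principals) for one *-cert.pub line."""
    blob = base64.b64decode(line.split()[1])
    name, off = _string(blob, 0)
    for _ in range(1 + KEY_FIELDS[name.decode()]):  # nonce, then key fields
        _, off = _string(blob, off)
    _serial, ctype = struct.unpack_from(">QI", blob, off)
    key_id, off = _string(blob, off + 12)
    packed, _ = _string(blob, off)
    principals, p = [], 0
    while p < len(packed):
        item, p = _string(packed, p)
        principals.append(item.decode())
    return {1: "user", 2: "host"}.get(ctype, "unknown"), key_id.decode(), principals

def has_empty_principals(line):
    return not cert_principals(line)[2]

def sample_line(ctype, principals):
    """Constructed, unsigned input: only the fields up to 'valid principals'."""
    name = b"ssh-ed25519-cert-v01@openssh.com"
    body = (_pack(name) + _pack(b"\0" * 32) + _pack(b"\1" * 32)
            + struct.pack(">QI", 1, ctype) + _pack(b"example-key-id")
            + _pack(b"".join(_pack(p.encode()) for p in principals)))
    return name.decode() + " " + base64.b64encode(body).decode()
```

Running `has_empty_principals` over each `*-cert.pub` file an issuing service produces gives a simple audit for certificates signed without a principals list.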