Mariano Cano

@unreality @LecrisUT I think I will have time this week to look into this PR. But there's one thing to consider: we don't see this as the final implementation, and...

Nebula certificates use their own format, using ACME for it it would be weird because there are no ACME clients that will support it.

> If they implement their own acme like client, would it be possible to connect it to step's CA and inherit its features? I guess so, if we add support...

@tashian Is there anything that we can do here? Should we close this?

There are plans, yes, but we haven't prioritized them. @jdoss, do you have any update on this? @LecrisUT might help.

@Messj1 It might be a good idea to do this. The best way right now to achieve this would be to configure a template that always fails, for example, something...

Your trick with the X5C can work, but I wouldn't rely on it, we might add a check to make sure you add a CA certificate in the future. By...

@kims We will add a prompt the first time this is required, probably at the start of the server, in the same way, the password for the intermediate key works....

Hi @LecrisUT this is part of our paid solution. As you mention one of the options to solve this is using the `AuthorizedPrincipalsCommand`. You can use ssh certificate templates to...

@LecrisUT you might want to use extensions because the sshd implementation might refuse to authenticate a cert with an unknown critical option. Right now only 2 critical options are defined...