SSH CA exposed publicly

[ailiev-ipq]

I just deployed Step CA in our infrastructure, with the main use case (for the time being) of issuing SSH user certificates.

Reading the exposing to the internet section of the Production Consideration document, it isn't obvious that the /provisioners endpoint is required for signing SSH user certificates.

It is explicitly mentioned as an endpoint that might expose sensitive data to the world, so presumably it is a good practice to hide it behind a reverse proxy, and this is exactly what I did, but it looks like the endpoint is needed for the step ssh certificate command to function.

Can you please advise if what I am trying to achieve is doable - i.e., running Step CA publicly exposed without exposing our provisioners' configuration to the world?

Thank you!

[ailiev-ipq]

I played around some more with the Step CLI. What I found out is that, if the OIDC client details (provider configuration endpoint, client ID, client secret) are distributed out of band, one can execute step oauth --oidc --bare with the proper arguments and pass the issued token through the --token option to the step ssh certificate command. Effectively the /provisioners endpoint does not need to be exposed in this case.

So, is this how this is meant to be used in cases where the CA is exposed publicly?