Problem
The gateway's SSH host identity is generated in memory at startup, so it changes on every restart and clients receive host-key mismatch warnings. Two sources:
- It falls back to presenting a raw ephemeral host key.
- By default it signs the host certificate with an auto-generated CA that is also created in memory.
Desired behavior
The gateway presents a stable SSH host identity across restarts, anchored to a persistent CA:
- Present only the CA-signed host certificate; drop the raw host-key fallback.
- Require an explicitly provisioned CA (manual or Vault); remove the auto-generated CA.
Problem
The gateway's SSH host identity is generated in memory at startup, so it changes on every restart and clients receive host-key mismatch warnings. Two sources:
Desired behavior
The gateway presents a stable SSH host identity across restarts, anchored to a persistent CA: