Leveraging HashiCorp Vault to sign an SSH key, authenticated using Domino OIDC
Daniel Nashed – 15 February 2026 23:23:53
There are a couple of vault providers which can sign SSH keys.
A vault has a couple of responsibilities:
- First of all, it protects private keys against unauthorized usage
- A vault also provides mechanisms to authenticate
- It also provides tight control over who can issue certificates
The following write-up is what I configured for a first lab setup to get familiar with all the components.
- Set up HashiCorp Vault in a Docker container
- Configure an SSH signer
- Create a Domino OIDC configuration for HashiCorp Vault
- Configure OIDC authentication using a JWT token -- instead of using a web UI flow
OIDC authentication using Domino OIDC
Notes/Domino 14.5.1 has a new feature in LotusScript to request a JWT through the Notes session.
Token = session.getOIDCAccessToken (Server, ClientID, Issuer, Resource, Scopes)
https://help.hcl-software.com/dom_designer/14.5.1/basic/H_GETOIDCACCESSTOKEN_METHOD.html
This token can be turned into a HashiCorp Vault token for the REST API.
Finally, a signature is requested for a public SSH key.
Those components would be a good base for an enterprise-grade application to centrally manage SSH access.
HashiCorp Vault is managed using its "vault" command-line tool.
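The same flow written out against the Vault HTTP API, as an added example that is not code from the post: decode the Domino JWT, pre-check the claims the Vault JWT role will enforce, log in, confirm the token may use the signer, and sign the public key. The Vault address and the JWT auth role name are assumptions; the signer path and claim values follow the traces below.

```python
import base64
import json
import time
import urllib.request

# Assumed lab values (not from the post): Vault address and the JWT auth role name.
VAULT_ADDR = "https://vault.lab.example:8200"
JWT_ROLE = "domino-linux-admin"
SIGN_PATH = "ssh/sign/linux-admin"   # signer role from the capabilities trace

def jwt_claims(token):
    """Decode the JWT payload without verifying it; Vault verifies the signature on login."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims, issuer, audience, now=None):
    """Pre-flight check mirroring what the Vault JWT role enforces (bound issuer/audience, expiry)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss")
    if claims.get("aud") != audience:
        problems.append("aud")
    if claims.get("exp", 0) <= now:
        problems.append("exp")
    return problems

def http_post(url, token, body):
    """Plain JSON POST to the Vault HTTP API; the client token goes in the X-Vault-Token header."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())

def request_ssh_cert(jwt, public_key, post=http_post, principal="linux-admin", ttl="15m"):
    """JWT login -> capability check -> sign the public key; returns the signed certificate."""
    login = post(f"{VAULT_ADDR}/v1/auth/jwt/login", None, {"role": JWT_ROLE, "jwt": jwt})
    vault_token = login["auth"]["client_token"]
    caps = post(f"{VAULT_ADDR}/v1/sys/capabilities-self", vault_token, {"paths": [SIGN_PATH]})
    if "update" not in caps["data"].get(SIGN_PATH, []):
        raise PermissionError(f"token may not write {SIGN_PATH}")
    signed = post(f"{VAULT_ADDR}/v1/{SIGN_PATH}", vault_token,
                  {"public_key": public_key, "valid_principals": principal,
                   "ttl": ttl, "cert_type": "user"})
    return signed["data"]["signed_key"]
```

The returned `signed_key` is written next to the private key as `id_ed25519-cert.pub`, which is the file the `ssh-keygen -L` output in the trace below describes.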
Simple flow diagram
Request Traces with details
------------------------------------------------------
Domino JWT
------------------------------------------------------
{
"typ": "Bearer",
"iss": "https://oidc.lab.dnug.eu/auth/protocol/oidc",
"sub": "CN=Admin/O=dnug-lab",
"aud": "oidc-hashicorp",
"iat": 1771109257,
"exp": 1771109557,
"auth_time": 1771109257,
"scope": "sub",
"cn": "CN=Admin/O=dnug-lab",
"jti": "22595ea3-dc2a-d97b-dbd8-cbd72c710ba9",
"client_id": "oidc-hashicorp-dnuglab",
"email": "admin@lab.dnug.eu",
"family_name": "Admin",
"name": "Admin"
}
------------------------------------------------------
Get Vault Token
------------------------------------------------------
hvs.CAESIIY-CRMIpoXt6pzDi9b1YDt8vkz9eAjSUcTuNetc-62UGh4KHGh2cy5hZ0dVVXltU0NDMHZKNncwMlNWODZuRjY
------------------------------------------------------
Get Capabilities
------------------------------------------------------
{
"capabilities": [
"update"
],
"ssh/sign/linux-admin": [
"update"
],
"request_id": "629d66fd-7480-8be4-a911-e29b58d06cce",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"capabilities": [
"update"
],
"ssh/sign/linux-admin": [
"update"
]
},
"wrap_info": null,
"warnings": null,
"auth": null,
"mount_type": "system"
}
------------------------------------------------------
Sign SSH Key
------------------------------------------------------
------------------------------------------------------
Key Info
------------------------------------------------------
ssh_linux_admin:
Type: ssh-ed25519-cert-v01@openssh.com user certificate
Public key: ED25519-CERT SHA256:kXHEfj/I3pS7r5LHRH/WyxXrfLw7JbuRlcYh0lzhhYM
Signing CA: ED25519 SHA256:rTUjegEvIpBca1S2HpkexZ/g1COp+UZ544smxSCOsjY (using ssh-ed25519)
Key ID: "vault-jwt-CN=Admin/O=dnug-lab-9171c47e3fc8de94bbaf92c7447fd6cb15eb7cbc3b25bb9195c621d25ce18583"
Serial: 3182202866998231282
Valid: from 2026-02-14T23:48:38 to 2026-02-15T00:04:08
Principals:
linux-admin
Critical Options: (none)
Extensions: (none)