What does HackerNews think of keywhiz?

HashiCorp Vault - is big in Secrets management but its not the Terraform of Secrets management it's just too easy to make another product.

AWS Secrets Manager

AWS Systems Manager Parameter Store

AWS KMS

Google Cloud KMS - Cloud Key Management System

Azure Key Vault

confidant - https://lyft.github.io/confidant

keywhiz - https://github.com/square/keywhiz

knox - https://github.com/pinterest/knox

strongboxsafe - https://strongboxsafe.com

conjur - https://www.conjur.org

+ many more

Ansible Vault - probably not competing directly

I am pretty sure companies like netflix, facebook, uber, tesla and others are probably using their own in house creations.

Checkout https://github.com/square/keywhiz, it's built specifically for this purpose.

This doesn't deal with user keys at all -- we use Kerberos for users to log in. This is just an SSH CA for server certificates. We could extend it to users, if we had a way to identify them.

We have an existing x509 trust infrastructure, where keys are distributed with Keywhiz (https://github.com/square/keywhiz). That's why we started with having hosts identify themselves with x509 client certs. We will deploy sharkey-client to all hosts, and it's automatically issued an x509 client cert.

The primary purpose of this service is to allow us to move to short-lived SSH Host certificates. Instead of issuing a single permanent certificate at host imaging time, we have a client running on every server that's fetching fresh host certificates all the time.

When you say "simply automating the signing of ssh server certs", what differences do you mean from this? Because that's what this is -- automating the signing of ssh server certs.

Your last sentence is pretty much spot on: We use x509 everywhere, but want to use stock SSH. We also didn't use our existing secrets distribution because we wanted to decouple SSH from the rest of our infrastructure