From 925f314af57cbe016b34cd113f649992cf781918 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Tue, 3 Nov 2020 15:04:51 -0800
Subject: [PATCH] basessh: see if we can generate a sha256 cert

Signed-off-by: Kevin Fenzi
---
 roles/basessh/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/basessh/tasks/main.yml b/roles/basessh/tasks/main.yml
index e3c530f9f4..e87fdcae28 100644
--- a/roles/basessh/tasks/main.yml
+++ b/roles/basessh/tasks/main.yml
@@ -199,7 +199,7 @@
 # Currently, we use the epoch as serial. That's unique enough for now
 - name: Sign the certificates
- shell: "ssh-keygen -s {{private}}/files/ssh/{{env}}_ca_host_key -I {{inventory_hostname}} -h -n {{ sign_hostnames|join(',') }} -V {{sign_validity}} -z `date +%s` {{pubkeydir}}/{{inventory_hostname}}{{item}}.pub"
+ shell: "ssh-keygen -s {{private}}/files/ssh/{{env}}_ca_host_key -t rsa-sha2-256 -I {{inventory_hostname}} -h -n {{ sign_hostnames|join(',') }} -V {{sign_validity}} -z `date +%s` {{pubkeydir}}/{{inventory_hostname}}{{item}}.pub"
 delegate_to: localhost
 with_items: "{{certs_to_sign}}"
 check_mode: no
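Review bot: Nothing in the "Sign the certificates" task confirms that the issued certificate really carries a SHA-256 signature, and the added `-t rsa-sha2-256` on the `shell:` line only selects the signature algorithm when `{{env}}_ca_host_key` is an RSA key. Because the task is delegated to localhost, the outcome depends on the ssh-keygen installed on the control host. A follow-up task could run `ssh-keygen -L -f` on the generated `-cert.pub` file and fail when the `Signing CA` line does not name the expected algorithm (recent OpenSSH versions print it there; worth confirming for the version in use). A comment above the task such as `# -t selects the CA signature algorithm (RSA CA keys only); requires an ssh-keygen that accepts -t together with -s` would record the dependency. Separately, `{{inventory_hostname}}` and `{{ sign_hostnames|join(',') }}` go into the shell string unquoted; passing them through `|quote` would keep an unexpected inventory value from being interpreted by the shell on the host that holds the CA key.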