Is it possible to sign Teleport's "User CA" from our Enterprise PKI?

[uedvt359]

AFAIU, Teleport issues short-lived certificates from its own internal CA, which is self-signed. We would like to integrate this CA into our existing PKI. Is it possible to sign TeleportUserCA with our SubCorpCa, like in the diagram below?

• CorpRootCa -> SubCorpCa -> TeleportUserCA -> (end entities)

I've found the docs to regenerate the CA, but not where it is stored.

[webvictim]

This is not currently a supported option.

[unreality]

@uedvt359 If you want to proceed with an unsupported setup, you could try export the user-ca with tctl get all --with-secrets > state.yaml then edit the user-ca entries. The certs and keys are base64-encoded PEM.

Reimport the state (https://goteleport.com/docs/management/operations/backup-restore/#example-of-backing-up-and-restoring-a-cluster) and Teleport will try to use the new CA. I believe the Common Name of the CA that teleport uses has to match the cluster_name otherwise you get errors. I had some success using my own CA but didnt manage to test everything.