SSH.COM PrivX Documentation Hub

Welcome to the SSH.COM PrivX documentation! Here you'll find the PrivX administration manual, use case specific guides as well as API specifications.


Onboarding SSH target hosts to PrivX via Chef

Chef Deployment

This cookbook configures a node to trust PrivX-issued OpenSSH user certificates. Please see also


Required attributes under node['privx']:

- 'api_endpoint': https:// prefixed hostname for PrivX.
- 'api_ca_cert': Trust anchor for PrivX's TLS certificate.
- 'roles': JSON array of objects, each with key 'principal' (str) and 'roles' (array).

```json
{
  "api_endpoint": "",
  "api_ca_cert": "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----",
  "principals": [
    {
      "principal": "root",
      "roles": [{"name": "root-everywhere"}, {"name": "dev-admin"}]
    }
  ]
}
```


The PrivX cookbook expects to find a vault named privx containing a data bag item named privx with the following fields:

- 'oauth_client_secret': Obtain this value on the PrivX command line with: sudo /opt/privx/bin/keyvault-tool -name privx_auth_client_secret_privx-external get-passphrase
- 'api_client_id': Name of the API user
- 'api_client_secret': Password for the API user

```shell
knife vault create privx privx '{"oauth_client_secret": "ZGdoZGZ0aGRmZ2hkZ2hibmN2", "api_client_id": "deploy-script", "api_client_secret": "0000000000000"}' --mode client
```
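The attribute contract above (https:// endpoint, PEM trust anchor, principal-to-roles array) and the three vault fields are easy to get subtly wrong, and a wrong shape only surfaces as a failed converge. The following Ruby script is an added example, not part of the PrivX cookbook or this page: it validates a constructed node['privx'] attribute hash and a constructed vault item against what the page documents, and then renders one OpenSSH AuthorizedPrincipalsFile body per local account from the principal-to-roles mapping. The rendering step assumes, purely for illustration, that the PrivX-issued certificate carries the role name as a certificate principal; the sample values, the /etc/ssh/auth_principals path and the placeholder certificate body are all constructed.

```ruby
# Constructed sample of the node['privx'] attributes described on this page.
# The certificate body is a placeholder, not a real PrivX CA certificate.
SAMPLE_PRIVX_ATTRS = {
  'api_endpoint' => 'https://privx.example.com',
  'api_ca_cert'  => "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
  'principals'   => [
    { 'principal' => 'root',
      'roles' => [{ 'name' => 'root-everywhere' }, { 'name' => 'dev-admin' }] },
    { 'principal' => 'deploy',
      'roles' => [{ 'name' => 'ci-deploy' }] }
  ]
}.freeze

# Fields the page says the privx vault item must carry.
VAULT_FIELDS = %w[oauth_client_secret api_client_id api_client_secret].freeze

# Returns a list of human-readable problems; an empty list means the
# attributes are shaped the way the cookbook documentation describes.
def validate_privx_attrs(attrs)
  errors = []

  endpoint = attrs['api_endpoint'].to_s
  errors << "api_endpoint must be an https:// URL (got #{endpoint.inspect})" unless endpoint.start_with?('https://')

  ca = attrs['api_ca_cert'].to_s
  unless ca.include?('-----BEGIN CERTIFICATE-----') && ca.include?('-----END CERTIFICATE-----')
    errors << 'api_ca_cert must be a PEM certificate (trust anchor for the PrivX TLS cert)'
  end

  principals = attrs['principals']
  if principals.is_a?(Array) && !principals.empty?
    principals.each_with_index do |entry, i|
      unless entry.is_a?(Hash) && entry['principal'].is_a?(String) && !entry['principal'].empty?
        errors << "principals[#{i}] needs a non-empty 'principal' string"
        next
      end
      roles = entry['roles']
      ok = roles.is_a?(Array) && !roles.empty? &&
           roles.all? { |r| r.is_a?(Hash) && r['name'].is_a?(String) && !r['name'].empty? }
      errors << "principals[#{i}] (#{entry['principal']}) needs a non-empty 'roles' array of {\"name\": ...}" unless ok
    end
  else
    errors << 'principals must be a non-empty array'
  end

  errors
end

# Reports which of the documented vault fields are missing or blank.
def validate_vault_item(item)
  VAULT_FIELDS.select { |f| item[f].to_s.strip.empty? }
              .map { |f| "vault item privx/privx is missing '#{f}'" }
end

# Renders one AuthorizedPrincipalsFile body per local account.
# ASSUMPTION (illustration only): the PrivX-issued certificate lists the role
# name among its principals, so listing role names is what lets sshd accept
# the certificate for that account. Inspect a real certificate with
# `ssh-keygen -L -f <cert>` before relying on this mapping.
def authorized_principals_files(attrs)
  attrs['principals'].each_with_object({}) do |entry, files|
    files[entry['principal']] = entry['roles'].map { |r| r['name'] }.join("\n") + "\n"
  end
end

if __FILE__ == $PROGRAM_NAME
  errs = validate_privx_attrs(SAMPLE_PRIVX_ATTRS)
  puts(errs.empty? ? 'attributes OK' : errs)
  authorized_principals_files(SAMPLE_PRIVX_ATTRS).each do |account, body|
    puts "/etc/ssh/auth_principals/#{account}:"   # constructed path
    puts body
  end
end
```

Run the script with `ruby privx_attrs_check.rb` against your own attribute JSON (load it with `JSON.parse` in place of the sample hash) before `knife bootstrap`; a non-empty error list is cheaper to fix on the workstation than on a half-configured node.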

This vault needs to be exposed to the node at bootstrap with --bootstrap-vault-item 'privx:privx':


```shell
knife bootstrap \
    --ssh-user ec2-user \
    --sudo \
    --identity-file ~/.ssh/aws \
    --node-name node1 \
    --environment development \
    --run-list 'role[system]' \
    --bootstrap-vault-item 'privx:privx'
```

With OpenStack nodes, --hint openstack is probably required.
