From 22e75002e6f1ac33668b559cb7241b2004c10353 Mon Sep 17 00:00:00 2001
From: x032205
Date: Fri, 19 Dec 2025 14:48:11 -0500
Subject: [PATCH] endpoint just to get ca pub key
---
.../routes/v1/pam-resource-routers/index.ts | 7 ++++-
.../pam-resource-endpoints.ts | 26 +++++++++++++++++++
.../pam/getting-started/resources/ssh.mdx | 7 +++++
3 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/backend/src/ee/routes/v1/pam-resource-routers/index.ts b/backend/src/ee/routes/v1/pam-resource-routers/index.ts
index b533dfb4c1..ad40cdbc2f 100644
--- a/backend/src/ee/routes/v1/pam-resource-routers/index.ts
+++ b/backend/src/ee/routes/v1/pam-resource-routers/index.ts
@@ -25,7 +25,11 @@ import { UpdateSSHResourceSchema } from "@app/ee/services/pam-resource/ssh/ssh-resource-schemas";
-import { registerPamResourceEndpoints, registerSshCaSetupEndpoint } from "./pam-resource-endpoints";
+import {
+ registerPamResourceEndpoints,
+ registerSshCaPublicKeyEndpoint,
+ registerSshCaSetupEndpoint
+} from "./pam-resource-endpoints";
 export const PAM_RESOURCE_REGISTER_ROUTER_MAP: Record Promise> = {
 [PamResource.Postgres]: async (server: FastifyZodProvider) => {
@@ -54,6 +58,7 @@ export const PAM_RESOURCE_REGISTER_ROUTER_MAP: Record {
diff --git a/backend/src/ee/routes/v1/pam-resource-routers/pam-resource-endpoints.ts b/backend/src/ee/routes/v1/pam-resource-routers/pam-resource-endpoints.ts
index 5a592a9599..10911e1e34 100644
--- a/backend/src/ee/routes/v1/pam-resource-routers/pam-resource-endpoints.ts
+++ b/backend/src/ee/routes/v1/pam-resource-routers/pam-resource-endpoints.ts 
@@ -199,6 +199,32 @@ export const registerPamResourceEndpoints = ({
 });
 };
+export const registerSshCaPublicKeyEndpoint = (server: FastifyZodProvider) => {
+ server.route({
+ method: "GET",
+ url: "/:resourceId/ssh-ca-public-key",
+ config: {
+ rateLimit: readLimit
+ },
+ schema: {
+ description: "Get the SSH CA public key for the PAM resource",
+ params: z.object({
+ resourceId: z.string().uuid()
+ }),
+ response: {
+ 200: z.string()
+ }
+ },
+ onRequest: verifyAuth([AuthMode.JWT]),
+ handler: async (req, reply) => {
+ const { caPublicKey } = await server.services.pamResource.getOrCreateSshCa(req.params.resourceId, req.permission);
+
+ void reply.header("Content-Type", "text/plain; charset=utf-8");
+ return caPublicKey;
+ }
+ });
+};
+
 export const registerSshCaSetupEndpoint = (server: FastifyZodProvider) => {
 server.route({
 method: "GET",
diff --git a/docs/documentation/platform/pam/getting-started/resources/ssh.mdx b/docs/documentation/platform/pam/getting-started/resources/ssh.mdx
index f75cb8b13e..6e31f322fb 100644
--- a/docs/documentation/platform/pam/getting-started/resources/ssh.mdx
+++ b/docs/documentation/platform/pam/getting-started/resources/ssh.mdx
@@ -200,7 +200,14 @@ Certificate authentication requires additional setup on your SSH server to trust **Manual setup**: If you prefer to configure the server manually, you can download just the CA public key and configure sshd yourself:
+
+ ```bash
+ curl -H "Authorization: Bearer " \
+ "https://app.infisical.com/api/v1/pam/resources/ssh//ssh-ca-public-key" \
+ | sudo tee /etc/ssh/infisical_ca.pub
+ ```
+ Then configure sshd:
 1. Add to `/etc/ssh/sshd_config`:
 ```
 TrustedUserCAKeys /etc/ssh/infisical_ca.pub
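Review bot: The `void reply.header("Content-Type", "text/plain; charset=utf-8")` line in the new handler looks load-bearing — as far as I can tell it is what stops the returned key from going out as a JSON-quoted string under the `200: z.string()` response schema — but nothing says so; a one-line comment such as `// text/plain: send the raw key, not a JSON-quoted string (see the 200 response schema)` would keep a later cleanup from dropping it. The handler calls `getOrCreateSshCa`, so this GET can provision the resource's CA on first use; the route `description` ("Get the SSH CA public key for the PAM resource") should say that, because callers and the generated API docs will otherwise assume it is read-only. The route accepts only `AuthMode.JWT`, while the ssh.mdx hunk in this same commit runs the curl from the SSH host with a bearer token; if that token is meant to be a machine-identity access token rather than a user session, the accepted auth modes need widening or the documented flow is rejected at `verifyAuth` — worth confirming against the sibling `registerSshCaSetupEndpoint`, whose `onRequest` lies outside the hunk.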