This user certificate is (or, at least, I really hope is) issued by the user CA, which is the signer that signs all the user certs that are given out to users, but above we configured opensshd to trust the openssh CA, which signs certificates that are only ever in possession of the proxy - a regular user won't be able to obtain such a certificate.

Interesting. From what I can see, it looks like the CA that's exported with the proxy via the https://proxy.example.com/webapi/auth/export?type=openssh endpoint, is of type "user" instead of OpenSSH according to the extension appended at the end:
e.g.:

cert-authority ssh-rsa <my_ca> clustername=alen.teleport.sh&type=user

I can confirm that passing type=user instead during the export produces a different CA, but if the former is not expected to work with user certs generated via tctl auth sign ... --format openssh, there may be another problem altogether as I can get it to work reliably right now (unless again I'm turned around on this and misunderstanding, which very likely could be the case)

Might just be me, but 2) makes it sound like you can do this procedure after the node goes offline, which you can't AFAIK. Maybe a slight change?

Clarify which CA

❗

We're not configuring the openssh CA, we're specifically trusting the user CA in a way that hopefully doesn't break the security model of Teleport SSH. Users are never in possession of a usable certificate from the openssh CA.

I don't really like us recommending vault here, but it's nice that we have a recommendation. I can't think how we'd improve it.

I wonder whether this ought to be bigger/bolder? Old habits die hard, and anyone doing this as a one-off might just export one key/cert and think "right, we're done here" - then they're locked out when they come to need it.

Maybe use <Admonition type="important"> instead, it's more striking on the page