Correctly validate JWT CA on bootstrap (#8128)

Presently, teleport start --bootstrap state.yaml fails due to incorrect
handling of JWT CAs, even when the data is generated using
tctl get all --with-secrets.

Backport of #8119.

lib/auth/init.go

@@ -44,8 +44,8 @@ import (
 	"github.com/gravitational/teleport/lib/sshutils"
 	"github.com/gravitational/teleport/lib/tlsca"
 	"github.com/gravitational/teleport/lib/utils"
-
 	"github.com/gravitational/trace"
+	"github.com/jonboulle/clockwork"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/crypto/ssh"
 )
@@ -127,7 +127,6 @@ type InitConfig struct {
 
 	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
 	// environments where paranoid security is not needed
-	//StaticTokens []services.ProvisionToken
 	StaticTokens types.StaticTokens
 
 	// AuthPreference defines the authentication type (local, oidc) and second
@@ -822,16 +821,26 @@ func checkResourceConsistency(clusterName string, resources ...types.Resource) e
 			// check that signing CAs have expected cluster name and that
 			// all CAs for this cluster do having signing keys.
 			seemsLocal := r.GetClusterName() == clusterName
+
 			var hasKeys bool
-			_, err := sshSigner(r)
+			var signerErr error
+			switch r.GetType() {
+			case types.HostCA, types.UserCA:
+				_, signerErr = sshSigner(r)
+			case types.JWTSigner:
+				_, signerErr = services.GetJWTSigner(r, clockwork.NewRealClock())
+			default:
+				return trace.BadParameter("unexpected cert_authority type %s for cluster %v", r.GetType(), clusterName)
+			}
 			switch {
-			case err == nil:
+			case signerErr == nil:
 				hasKeys = true
-			case trace.IsNotFound(err):
+			case trace.IsNotFound(signerErr):
 				hasKeys = false
 			default:
-				return trace.Wrap(err)
+				return trace.Wrap(signerErr)
 			}
+
 			if seemsLocal && !hasKeys {
 				return trace.BadParameter("ca for local cluster %q missing signing keys", clusterName)
 			}