-
Notifications
You must be signed in to change notification settings - Fork 247
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
step ca init
using csr
#717
Comments
As I responded here, I prefer to add a Regarding |
For this part, the first half of the problem is getting the necessary csr from Creating the csr would be useful if the user does not have direct access to the root certificate keys and the root might not use the same engine. Like in my school/lab example, no lab has access to the school's root, but they can send csr to it to be signed at some point.
I am confused. Why does the CA need the root key? The current usage of |
For your school/lab example, a way to pass to
I understand that you wanted a command that will do an HTTP request to the CA to renew the intermediate. We can consider creating an endpoint that creates a CSR for the intermediate, but in that case, it won't renew the key, it gets way more complicated if you want to do that. Pushing the signed intermediate might be more complicated, as it will require overwriting files, where permissions might be a problem, and that is without considering the authentication or a change in a configmap in k8s. I think for this, it makes more sense to use some mechanism to replace the file/configmap itself and HUP the server to reload the configuration. |
There's a misunderstanding here. The flag would be in Indeed we can simply copy the intermediate certificate, but it would be nice to have pre-checks, like is the intermediate signed by the root we want, is the time valid, etc.
👍 Just for clarity that would mean creating |
Yes, there was a misunderstanding. And now the
Yes, but I meant to use some script outside of the scope of |
Hello!
Issue details
Similar to the current method of using
--root
and--key
flags, it would be useful to have another option of--csr
instead so that the certificate can be signed offline later. To make this work seamlessly, we would also need astep ca renew-ca
(hopefully a better name) that simply copies/rekeys/request a new csr according to the current--ca-config
if simple tests pass like if the certificate is valid, if it is signed by the root, etc.Why is this needed?
As far I understand this would be equivalent with the current RA options, but more geared towards an offline root CA structure.
The latter part is useful regardless of the first part, but overall this can be useful for automated deployments like ansible where it would be best not to put all your eggs in a single basket, or if you want to manage multiple CAs, e.g. root CA belongs to a school and intermediates are managed by individual labs.
The text was updated successfully, but these errors were encountered: