[Bug]: Can't authenticate with x5c provisioner to step ca admin #860
Comments
Same happens with |
cc @dopey A workaround might be to create a certificate using that provisioner and then use it with |
As @maraino mentioned, you can always just generate the certificate and key yourself - making sure to use the x5c provisioner and the exact subject name @miguelangel-nubla Can you tell us more about the use case, please? I'm struggling to come up with a reason for using an x5c provisioner to then provision an admin credential. If the goal is to authenticate to the admin API using an "identity" certificate (let's say one issued to a user or something like that), then using If we find that using the |
The use case is using hardware signing (yubikey or pkcs11) for as much as possible, so as not to have the chance of a private key or passphrase leaking. The ability to use a It just works already with ssh certificates:
which I think is awesome. Would love to see support for it everywhere, other more useful examples that come to mind are |
No, we want to support kms everywhere, but we need to dedicate time to do it, and we've only done it in the most commonly used commands. Some time ago I created this script that you should be able to use with a YubiKey too. Adding kms support for all the admin commands might be a bit hard, but adding it to |
Ah, ok, that makes sense. If the cert/key are in a yubikey, then the admin middleware won't be able to correctly generate the necessary token. We've created two new enhancements alongside this bug report -
Thanks for bringing the issue to our attention @miguelangel-nubla, and for explaining the use case. |
Great, the token approach seems a good workaround until kms support is everywhere.
will definitely try that, thanks.
Thanks for making this open-source. |
@miguelangel-nubla there's no need for the script, in |
Steps to Reproduce
Your Environment
step CLI Version - 0.23.2
Expected Behavior
Authenticate using X5C credentials, as you can even create a Super Admin with that provisioner:
Actual Behavior
throws:
provisioner type 'X5C' requires the '--x5c-cert' flag
Additional Context
No response
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).