In my GCP account, I have deployed an instance of Smallstep ACME Registration Authority for CAS to test the product. The impression is very good; the deployment has been very fast and easy. Congratulations on the product. One question: can an ACME smallstep server only issue end-entity certificates from a single subCA generated in Google CAS? In other words, is the caCAS value unique? Can't it have several values? I mention this because if an enterprise's PKI infrastructure is generated in Google, it is very likely that it is made up of several SubCAs (my on-premise PKI is made up of four SubCAs, for example, for compliance needs among others...). Thank you.
`step ca token` to work out the sort of token you'd want your server to generate.
`step ca certificate` using `--token` to request a certificate from the CA using a token)
`step-ca` be an intermediate in that sort of setup.
```
error validating ACME Challenge at https://tinyca.lan/acme/acme/challenge/Rrk1iKFeEjDRkFu0w025Ogty17RsL2R0: client GET https://tinyca.lan/acme/acme/new-order failed: Post "https://tinyca.lan/acme/acme/challenge/Rrk1iKFeEjDRkFu0w025Ogty17RsL2R0": stream error: stream ID 17; INTERNAL_ERROR
```
`ufw` to allow only port 443 and also set my network's firewall rules accordingly, it should be secure enough... Ideally I'd like to be able to generate SSH certificates from anywhere (whether I'm at home, which is 90% of the time these days, or out) to connect to my hosts. I've tried using Cloudflare, but testing with the `step ca certificate` command yielded `x509: certificate signed by unknown authority` errors. I guess I could also set up a VPN to my home network (where the CA is hosted) and connect via VPN for SSH cert generation once per day if I'm not home, too...
`ssh -T email@example.com`. I've been extracting the currently active step SSH public key like this: `step ssh list --raw | step crypto key format --ssh` on my local machine, with output looking something like this: `ecdsa-sha2-nistp256 AAAAE2VjZHNhLXN...`, then adding it to my GitHub account. However, that didn't seem to work and I keep getting `Permission denied (publickey).` errors when testing SSH. I've also tried uploading the output of `step ssh list --raw`, but their web UI didn't like that, even after changing the