    Ryan Holt
    @carpenike
    @wid -- appreciate it. I was going down the ssl-passthrough path and it doesn't appear to be working. Will need to put in a PR to get the helm chart's service definition a bit more robust.
    Mariano Cano
    @maraino

    Hello everyone, is there a way to list all issued certificates on the CA?

    @wid There's a way, creating a program that reads the db. I know @dopey has some code that does that, but I cannot find it, and he is on holiday. Perhaps he shared it here with somebody, but I'm not sure.

    Romain Griffiths
    @wid
    @carpenike I could not make it run either; it looks like the ingress chart does not support it nor give extra parameters to the binary
    @maraino thank you but I can't find the repo here https://github.com/dopey?tab=repositories
    it would be nice to be able to list them from the CLI
    Mariano Cano
    @maraino
    @carpenike step-ca requires its own certificate; some features depend on it. If you're using a load balancer you must pass through TLS
    Max
    @dopey
    @wid here is an example db reader I put together a while back — https://github.com/smallstep/analyze-step-ca-db/blob/master/badger-example.go
    Our goal is to have something available through the API, but I can’t make any promises as to when that will be delivered.
    If you’re using badgerdb (the default) then you’ll need to stop the CA while you run that script. Only one process can read/write badger at a time.
    Max
    @dopey
    If you’re using mysql then you’ll need to make some changes to that script but it shouldn’t be too bad. Let me know if you need a helping hand.
    sbingram
    @sbingram
    So when you first initialize the step client on your computer, it sets up the .step directory including the certs and configuration. I can't seem to find out how to get the ssh information copied as well. Specifically the include line in the ssh config and the config for step ssh along with the known_hosts file with the step CA inside. I see template files and have adjusted them on the step server, but to no avail. Nothing ever seems to be imported. I also see that you might have to include in the ca.json file that you want to import them, but have tried a few places without any change. I've checked the docs, but can't seem to find anything other than for certs. Did I miss some documentation somewhere or is this just not possible yet?
    Max
    @dopey
    Hey @sbingram you’re asking about how to get the ssh configuration loaded onto your client (from the server) - is that right?
    Once you’ve updated the ca.json on the server, you should just need to SIGHUP or restart the CA, then run step ssh config on your client.
    That’s assuming you’ve already bootstrapped your client with step ca bootstrap.
    sbingram
    @sbingram
    Yes, thanks! Sorry, I should have figured this out on my own, but I just got lost in the new documentation on the website. This works perfectly though and saves me from having to explain how to modify configuration files on different computers!
    Max
    @dopey
    awesome - glad to hear it!
    If you have any suggestions with regards to the docs, we’re very open to ideas. I’m in the process of open sourcing the website docs so that people can submit issues / PRs. (The docs in the github repos are stale)
    sbingram
    @sbingram
    I'm actually trying to craft up some docs of my own from the perspective of someone that knows much less about SmallStep. I've been working on this off and on for quite some time integrating it with AWS Cognito/SAML and AWS Directory Service (hosted AD) which has been really challenging. I've read every howto in your Blog and scoured the docs, but it sometimes does feel like a moving target. I believe I have everything working, but need to go back and make sure I haven't missed something along the way. Maybe I can post a link soon and ask for comments? I certainly want to make sure I'm on the right track before making suggestions.
    Max
    @dopey
    We would love that!
    And we would definitely link to your docs from our blog if that’s something you were interested in. We’re in need of examples / tutorials of real life set-ups.
    masoudbahar
    @masoudbahar
    Hello folks, I would appreciate it if you could clarify the expected output of the "step ca roots..." command. Given a root CA and an intermediate CA, I expected to see both public keys returned, but it only returns the root CA's public key!
    Am I doing it wrong, or is it as expected? If that's the expected behaviour, then how is a certificate issued by the intermediate CA expected to be validated by just the public key of the root CA returned by that command?
    Thanks for your help and insight.
    Max
    @dopey
    Hey @masoudbahar, great question. When you sign a certificate using the CA the certificate that gets written to disk has both the leaf and intermediate certificates.
    You can see this when you run cat foo.crt or step certificate inspect --bundle foo.crt
    foo.crt being the cert you created using step-ca.
    masoudbahar
    @masoudbahar
    Thank you @dopey; here's my scenario:
    When bootstrapping a new server, I want to add the CA certificate chain to the system truststore; this operation requires both the root and intermediate CAs' public keys.
    I thought if I use the "step ca roots", it'll give me both and then I can invoke ca-certificates to take care of the rest.
    Can I instead use "step certificate install" to do that? Will it install both public keys?
    SahanaJC
    @SahanaJC

    Hi All
    We have a use case where we revoke certificates using step ca and create/renew certificates using dehydrated.
    It is seen that the certificate is successfully revoked, yet renewal of the same certificate also happens, which ideally must not, according to https://smallstep.com/docs/step-cli/reference/ca/revoke#description
    Please help us resolve this issue, Thanks in Advance!
    Here is the detailed command output:

    [root@gl-seednode-jc dehydrated]# ./dehydrated --domain 'gl-seednode-jc.glhc-hpe.local' --cron --force

    INFO: Using main config file /home/glcgadmin/vmaas-ansible-repo/dehydrated/config

    hook.py: Unknown hook handler
    hook.py: startup_hook
    Processing gl-seednode-jc.glhc-hpe.local

    • Creating new directory /home/glcgadmin/vmaas-ansible-repo/dehydrated/certs/gl-seednode-jc.glhc-hpe.local ...
      hook.py: Unknown hook handler
    • Signing domains...
    • Generating private key...
    • Generating signing request...
    • Requesting new certificate order from CA...
    • Received 1 authorizations URLs from the CA
    • Handling authorization for gl-seednode-jc.glhc-hpe.local
    • 1 pending challenge(s)
    • Deploying challenge tokens...
      hook.py: deploy_challenge for domain gl-seednode-jc.glhc-hpe.local - initiated
      hook.py: deploy_challenge for domain gl-seednode-jc.glhc-hpe.local - succeeded
    • Responding to challenge for gl-seednode-jc.glhc-hpe.local authorization...
    • Challenge is valid!
    • Cleaning challenge tokens...
      hook.py: clean_challenge for domain gl-seednode-jc.glhc-hpe.local - initiated
      hook.py: clean_challenge for domain gl-seednode-jc.glhc-hpe.local - succeeded
    • Requesting certificate...
    • Checking certificate...
    • Done!
    • Creating fullchain.pem...
      hook.py: sync_cert
      hook.py: deploy_cert
    • Done!
      hook.py: exit_hook

    [root@gl-seednode-jc dehydrated]# step ca revoke --cert certs/gl-seednode-jc.glhc-hpe.local/fullchain.pem --key certs/gl-seednode-jc.glhc-hpe.local/privkey.pem
    ✔ CA: https://172.16.5.124:8282
    Certificate with Serial Number 307300703289760345466735924092426714995 has been revoked.

    [root@gl-seednode-jc dehydrated]# ./dehydrated --domain 'gl-seednode-jc.glhc-hpe.local' --cron --force

    INFO: Using main config file /home/glcgadmin/vmaas-ansible-repo/dehydrated/config
    hook.py: Unknown hook handler
    hook.py: startup_hook
    Processing gl-seednode-jc.glhc-hpe.local
    hook.py: Unknown hook handler

    • Checking domain name(s) of existing cert... unchanged.
    • Checking expire date of existing cert...
    • Valid till Nov 24 10:07:18 2020 GMT (Less than 30 days). Renewing!
    • Signing domains...
    • Generating private key...
    • Generating signing request...
    • Requesting new certificate order from CA...
    • Received 1 authorizations URLs from the CA
    • Handling authorization for gl-seednode-jc.glhc-hpe.local
    • 1 pending challenge(s)
    • Deploying challenge tokens...
      hook.py: deploy_challenge for domain gl-seednode-jc.glhc-hpe.local - initiated
      hook.py: deploy_challenge for domain gl-seednode-jc.glhc-hpe.local - succeeded
    • Responding to challenge for gl-seednode-jc.glhc-hpe.local authorization...
    • Challenge is valid!
    • Cleaning challenge tokens...
      hook.py: clean_challenge for domain gl-seednode-jc.glhc-hpe.local - initiated
      hook.py: clean_challenge for domain gl-seednode-jc.glhc-hpe.local - succeeded
    • Requesting certificate...
    • Checking certificate...
    • Done!
    • Creating fullchain.pem...
      hook.py: sync_cert
      hook.py: deploy_cert
    • Done!
      hook.py: exit_hook
    Max
    @dopey
    Hey @SahanaJC there are a few things going on here, but the main issue is that step ca revoke is tied to step ca renew. What I mean by that is, if you use a different method to renew the cert then it doesn’t actually go through the same processes. For example, regular ACME client renewal does not work the same way that step ca renew works. In the ACME protocol when you renew a cert you don’t send in the old cert. You just go through the ACME protocol once more with the same information.
    Basically, step ca revoke only works if you plan to use step ca renew for renewals. For other clients it “probably” will not work because other clients do not send in the old certificate as part of the renewal flow.
    Does that make sense? Consider renewing certificates using step ca renew. It has all sorts of useful flags that allow it to run as a daemon, periodically attempt renewal, etc.
    That’s only if you are relying on the revocation. If you can get by without the revocation then you can continue to use dehydrated with the knowledge that the revocations will not be respected by your ACME client.
    SahanaJC
    @SahanaJC
    Hi @dopey, I tried executing step ca revoke followed by step ca renew. It worked as expected. Thanks!
    Romain Griffiths
    @wid
    Hi everyone, I was wondering if a command to list the certificates from the database was being worked on?
    Max
    @dopey
    Hey @wid we have a few open issues in open source tracking that type of feature. Here’s an example: smallstep/certificates#239. The short answer to your question is “no, no one is currently working on this”. If someone from the community would like to pick it up we’d be happy to work with that person or team to point them in the right direction. The longer answer is that this feature will likely be making it into our hosted offering (in the next few months) before we have the time to implement it in open source.
    The biggest hurdle in open source is that we store data in a NoSQL format (key-value), making it difficult to run any sort of query against the data without writing bespoke scripts to enumerate all values in a table, etc. So if someone wanted to take a look towards converting the storage layer to a SQL backend, that would be a good first step.
    Tomás Hidalgo
    @thidalgosalvador

    Hello,

    In my GCP account, I have distributed an instance of Smallstep ACME Registration Authority for CAS to test the product. The sensations are very good; the deploy has been very fast and easy. Congratulations on the product. One question: can an ACME smallstep server only issue final certificates from a subCA generated in Google CAS? In other words, is the caCAS value unique? Can't it have several values? I mention this because if an enterprise's PKI infrastructure is generated in Google, it is very likely that it is made up of several SubCAs (my on-premise PKI is made up of four SubCAs, for example, for compliance needs among others...). Thank you.

    Mariano Cano
    @maraino
    Hi @thidalgosalvador, at the moment one ACME RA only supports one CAS CA; to support multiple ones, multiple instances are required. As we support multiple ACME provisioners, it would be possible with code changes to support multiple ones. Can you add an issue in https://github.com/smallstep/certificates with your use case?
    Max
    @dopey
    I believe there are already issue(s) in step-ca for giving the ability for each provisioner to use its own signer.
    I think this is essentially the same thing.
    Not sure if we need another issue to track it (although this is a more specific use case).
    Kris Fremen
    @krisfremen
    are there any docs on how to get client certificates using JWK?
    Carl Tashian
    @tashian
    Hi @krisfremen, the intention is that you'd run a token server that has the JWK provisioner's encryption key and can sign single-use tokens on behalf of your users, if they are authorized. As long as the CA gets a valid, signed token, it will fulfill the request.
    You can play with step ca token to work out the sort of token you'd want your server to generate.
    (then run step ca certificate using --token to request a certificate from the CA using a token)
    There's an example in our docs that includes a bash script that uses the encryption key for the provisioner to generate a custom JWT for the CA. This is basically what you'd want your token server to do, if the user is authorized.
    Mariano Cano
    @maraino
    And @krisfremen, by default the certificates are valid for client and server authentication.
    etudurd
    @etudurd
    Hello, is there an example of implementing smallstep using keycloak?
    Max
    @dopey
    Hey @etudurd we don’t have any docs for that at the moment, but we do have this open issue smallstep/certificates#110 tracking docs for Keycloak, and other OIDC providers.
    James Dadd
    @jamesdadd-nomi
    Hi, I need to configure SmallStep SSH users (synced via OKTA) to access a different default Linux shell when they login. Currently /bin/bash is being used. Is there a way we can configure that?
    korhojoa
    @korhojoa
    Hi, I'm trying to set up step as an intermediate CA for use with ssh login. I couldn't find documentation on how to do that. The intermediate works, step ca health says ok, I don't know what to use to generate the keys that appear with the generated ca and ' --ssh'