    Kris Fremen
    @krisfremen
    Are there any docs on how to get client certificates using JWK?
    Carl Tashian
    @tashian
    Hi @krisfremen, the intention is that you'd run a token server that has the JWK provisioner's encryption key and can sign single-use tokens on behalf of your users, if they are authorized. As long as the CA gets a valid, signed token, it will fulfill the request.
    You can play with step ca token to work out the sort of token you'd want your server to generate.
    (then run step ca certificate using --token to request a certificate from the CA using a token)
    There's an example in our docs that includes a bash script that uses the encryption key for the provisioner to generate a custom JWT for the CA. This is basically what you'd want your token server to do, if the user is authorized.
    Mariano Cano
    @maraino
    And @krisfremen, by default the certificates are valid for client and server authentication.
    etudurd
    @etudurd
    Hello, there is an example of implementing smallstep using keycloak?
    Max
    @dopey
    Hey @etudurd we don’t have any docs for that at the moment, but we do have this open issue smallstep/certificates#110 tracking docs for Keycloak and other OIDC providers.
    James Dadd
    @jamesdadd-nomi
    Hi, I need to configure SmallStep SSH users (synced via OKTA) to access a different default Linux shell when they login. Currently /bin/bash is being used. Is there a way we can configure that?
    korhojoa
    @korhojoa
    Hi, I'm trying to set up step as an intermediate CA for use with ssh login. I couldn't find documentation on how to do that. The intermediate works, step ca health says ok, I don't know what to use to generate the keys that appear with the generated ca and ' --ssh'
    Max
    @dopey
    Hey @korhojoa I’m not really sure what you mean by intermediate CA in the context of SSH certificates. SSH certificates don’t have a “chain of trust”. Just a signing key (root key) that signs SSH certificates. So not sure it would make sense to have step-ca be an intermediate in that sort of setup.
    korhojoa
    @korhojoa
    Ah, okay, yeah, I was wondering how that fits together.
    I currently have step-ca running with an intermediate. Trying 'step ssh config' with --root and --ca-url specified, I get: error="getSSHConfig: ssh is not configured"
    etudurd
    @etudurd
    Hello, is there someone who tried to implement SSO via Keycloak + smallstep to access SSH servers? I have been trying for 2 weeks already but without any success.
    thank you :0
    :)
    Max
    @dopey
    Hey @etudurd I believe that KeyCloak is possible, we just don’t have documentation for it (yet). We have this open ticket — smallstep/certificates#110. If you follow through with the KeyCloak integration we’d love to hear about it. KeyCloak, being an OIDC provisioner, should work similarly to Gsuite, Okta, Azure AD, etc.
    Max
    @dopey
    https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/ — we're partnering with yubico to give away five build kits for TinyCA run on a raspberry PI with a yubikey. Details in the post!
    masoudbahar
    @masoudbahar
    That’s indeed a great guide. I’m updating your Helm chart to support offline (existing) root CA and custom EC key length.
    I'll publish it in January, probably with an all-internal ACME solution, if testing proves successful.
    ckwalsh
    @ckwalsh
    @etudurd I set up Keycloak+smallstep in my homelab to play around, works fine and didn't run into any issues (besides the aforementioned documentation)
    ckwalsh
    @ckwalsh
    BTW, I want to say thank you to the smallstep team for building such a solid system. I don't have any huge deployment or complex configuration, just a little homelab I was tinkering with over the holidays, but smallstep was easy to set up and start distributing certs. Took a bit to fully grok the relationship of how cert requests work and how to maintain everything, but once I did it's a breeze. I ended up wanting to distribute ssh host certs in k8s, so I expanded autocert to support them, and put up a pull request at smallstep/autocert#24
    Mariano Cano
    @maraino
    @ckwalsh Thanks for the PR I'll need some time to look into it
    ckwalsh
    @ckwalsh
    As follow ups to that PR, I'd like to add more testing, and to add support for sending SIGHUP signals to the primary pod process to reload the certs. I'll wait until you have a chance to review that PR first, as both pieces require touching controller.go, and I don't want to keep moving the review goalposts
    Allen Conlon
    @A1994SC
    Hello, I have been trying to get the tiny-ca rpi system up and running, but I am having some issues after getting everything installed and configured. I made a post on r/homelab, link here.
    I have gotten some issues worked out, like the CA not using my internal DNS server, but now I am stuck on the following error.
    error validating ACME Challenge at https://tinyca.lan/acme/acme/challenge/Rrk1iKFeEjDRkFu0w025Ogty17RsL2R0: client GET https://tinyca.lan/acme/acme/new-order failed: Post "https://tinyca.lan/acme/acme/challenge/Rrk1iKFeEjDRkFu0w025Ogty17RsL2R0": stream error: stream ID 17; INTERNAL_ERROR
    any help would be super useful
    Tony Ashvanian
    @Tony-The-Developer
    Hey guys, I have step working but the certificates coming out are not verified. Do you have any ideas?
    Tony Ashvanian
    @Tony-The-Developer
    same with an fqdn
    ckwalsh
    @ckwalsh
    @Tony-The-Developer You need to add the root cert to your system and/or browser root store
    Tony Ashvanian
    @Tony-The-Developer
    it has been added.
    it works but the ssl is not verified
    ckwalsh
    @ckwalsh
    Firefox unfortunately disagrees, based on the NET::ERR_CERT_AUTHORITY_INVALID error code. Can you go into your Firefox settings and share a screenshot of the root certificate in the list?
    Mariano Cano
    @maraino
    @ckwalsh Firefox doesn't use the system truststore; it has its own. You should be able to install it in Firefox settings, or you can also install it using step certificate install --firefox root_ca.pem
    @Tony-The-Developer ^=
    Michael Shamash
    @mshamash
    Hi all, I was looking for some input on exposing a DIY CA (following smallstep's guides) to the internet directly. In theory, if I use ufw to allow only port 443 and also set my network's firewall rules accordingly, it should be secure enough... Ideally I'd like to be able to generate SSH certificates from anywhere (whether I'm at home, which is 90% of the time these days, or out) to connect to my hosts. I've tried using Cloudflare, but testing with the step ca certificate command yielded x509: certificate signed by unknown authority errors. I guess I could also set up a VPN to my home network (where the CA is hosted) and connect via VPN for SSH cert generation once per day if I'm not home, too...
    Michael Shamash
    @mshamash
    Hi, sorry for the continued messages, but I've come across another question when working with step's SSH certs. I've also got some feedback on the step-ca docs but am not sure where to send it, or if you'd like me to send some here.
    In any case, I've managed to get my SSH cert CA up and running and working with 90% of my hosts. I then had the thought to implement it with my GitHub account (non-enterprise), since GitHub can use SSH keys for authentication. Ultimately, I'm hoping that every time an SSH cert is generated on my machine, a script I'd set up would replace the previous SSH cert on my GitHub account, so that I'd have SSO for GitHub as well, in a sense.
    In my preliminary testing, I have been trying to add my SSH cert public key to my Github account online manually and then testing with their ssh -T git@github.com test. I've been extracting the currently active step SSH public key like this step ssh list --raw | step crypto key format --ssh on my local machine, with output looking something like this ecdsa-sha2-nistp256 AAAAE2VjZHNhLXN..., then adding it to my github account. However, that didn't seem to work and I keep getting Permission denied (publickey). errors when testing SSH. I've also tried uploading the output of step ssh list --raw, but their web UI didn't like that, even after changing the ecdsa-sha2-nistp256-cert-v01@openssh.com head to ecdsa-sha2-nistp256.
    I guess what I'm wondering is, is something like this possible to do? I feel like I'm very close but can't quite extract the correct public key for some reason. I know on GitHub's enterprise plans I could even add my SSH CA user key, but can't justify the purchase of an enterprise plan for 1 user/myself. Thanks in advance, and apologies for the wall of text!
    Allen Conlon
    @A1994SC
    A weird ask, but is it possible to have a custom web page at https://tinyca.lan? I would like to host the root CA for downloading on local clients.
    etudurd
    @etudurd_gitlab
    Hello, while trying to deploy line by line the script provided in the SSH DIY example on the host, I received the following error: The request lacked necessary authorization to be completed. Please see the certificate authority logs for more info. - at the "step ssh certificate ... --token $TOKEN" line. Do you know what I am missing and where I can find the step-ca logs? Thank you!
    Matt Tuttle
    @LookoutHill
    Why isn't there a -Principal switch for "step ssh login ..." when this switch exists for "step ssh certificate ..."? It seems like an oversight since both commands generate a new SSH certificate and the ability to control the certificate principals should be equally useful in either situation. I posted this question earlier but retracted the post thinking that the -Identity switch listed in the documentation for "step ssh login ..." took the place of the -Principal switch, but no. In fact, I can't tell what it does. It doesn't cause any errors, doesn't have any effect on the generated certificate, and I can't find where it is handled in the code.
    Reese
    @reesericci
    I'm getting this error when trying to connect to a CA instance on kubernetes: error downloading root certificate: invalid character 'S' looking for beginning of value
    Marco Marinello
    @mmaridev
    Hi all! Sorry if I've been away for so long. Issue in integration of Smallstep ACME with Proxmox certification system has now been solved. Reference: https://bugzilla.proxmox.com/show_bug.cgi?id=2462#c9
    sbingram
    @sbingram
    I'm continuing to work through the step ssh tools and revoked an SSH cert for the first time. It finally worked, but I still see the host in the list when I issue step ssh hosts. Should the host still be in there even though it's a principal on a revoked cert and doesn't appear on any active cert? Is there no way to clean this up?
    Sergey
    @selfuryon_gitlab

    Hello! Can somebody explain how the step-ca ACME server checks the email in incoming requests?
    I have step-ca with an admin@***.com JWK provisioner created during ca init, and if I use this email for ACME, all works fine.
    But I can't use any other emails. I tried to add another JWK provisioner with acme@***.com, but I can't get the certificate for this email.
    Can I get the certificate for other emails/provisioner emails, or should I use only the first provisioner email?

    I use Caddy as ACME client with simple config:

    {
      email acme@***.com
      acme_ca https://acme.***.corp/acme/acme/directory
      acme_ca_root /etc/caddy/root_ca.crt
    }

    Provisioner List:

    [
       {
          "type": "JWK",
          "name": "admin@***.com",
          "key": {
             "use": "sig",
             "kty": "EC",
             "kid": "***",
             "crv": "P-256",
             "alg": "ES256",
             "x": "***",
             "y": "***"
          },
          "encryptedKey": "***",
          "claims": {
             "maxTLSCertDuration": "8760h0m0s",
             "defaultTLSCertDuration": "2160h0m0s"
          }
       },
       {
          "type": "ACME",
          "name": "acme",
          "claims": {
             "maxTLSCertDuration": "2160h0m0s",
             "defaultTLSCertDuration": "2160h0m0s"
          }
       },
       {
          "type": "JWK",
          "name": "acme@***.com",
          "key": {
             "use": "sig",
             "kty": "EC",
             "kid": "***",
             "crv": "P-256",
             "alg": "ES256",
             "x": "***",
             "y": "***"
          },
          "encryptedKey": "***"
       }
    ]
    Max
    @dopey
    Hey Sergey, I think our docs may be a little confusing here.
    @selfuryon_gitlab
    The jwk provisioner doesn’t have anything to do with the ACME provisioner.
    The JWK provisioners are, as you’ve probably found, just password provisioners. If you have the password to decrypt the JWK you can create any certificate you want.