-
|
If this is possible, how can it be achieved? Looking to try and make this 20 years, with the idea that it provisions certs for IAs and then gets turned offline. The IAs would then have lifespans of 10y etc |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
|
Yes it is possible! But you'll need to use a slightly more elaborate workflow to initialize the CA infrastructure. Specifically, you'll need to generate a root CA key & certificate then pass those in to When you run this command it will copy your |
Beta Was this translation helpful? Give feedback.
-
|
I think with this answer you may have just answered my other query as well. Ref: #383 Q: if the CA doesnt actually need the key, why does it copy it? Is it only used when it's initially provisioned/created? So every time afterwards if the CA is turned off and started again, it still would not need it? |
Beta Was this translation helpful? Give feedback.
Yes it is possible! But you'll need to use a slightly more elaborate workflow to initialize the CA infrastructure. Specifically, you'll need to generate a root CA key & certificate then pass those in to
step ca init. Technically, you could use any tool to generate your root, but here's how you'd do this withstep:When you run this command it will copy your
root_ca_keyinto~/.step/secrets/root_ca_key. The CA doesn't actually need this file though. You can delete it if you'd like.