Change crv & alg on ca.json file

[Rapt88]

Hi,

Not sure if I want to do this yet, but wondering how it's done.

I noticed in the ca.json file the section for authority > provisioners has P-256 and ES256 by default. How would I increase these to P-384 and ES384. Is it a simple case of overwriting these in the ca.json file?

Thanks

[mmalone]

@Rapt88 that's what we call a "JWK provisioner" in our documentation. JWK stands for "JSON Web Key" -- it's just a JSON data structure that includes a public or private key along with some metadata. What you're looking at (the "P-256" and "ES256" bits) are key metadata saying that the associated key (represented as the "x" and "y" attributes) is a "P-256" key and should be used with the "ES256" signing algorithm. To use P-384/ES384 you can't just change these parameters: you have to generate a new key.

You can use step crypto jwk create to do so, then use step ca provisioner add to add your new key to ca.json. Once that's done, you can remove the old key (either by manually editing ca.json or using step ca provisioner remove).

For example:

$ step crypto jwk create --crv P-384 j.pub.json j.priv.json
Please enter the password to encrypt the private JWK:
Your public key has been saved in j.pub.json.
Your private key has been saved in j.priv.json.
$ step ca provisioner add [email protected] j.priv.json
Please enter the password to decrypt j.priv.json:
Please enter the password to encrypt the private JWK:

Remember to restart (or at least kill -HUP) your step-ca instance after changing ca.json to pick up the new configuration.

[maraino]

If you want to sign a certificate with P-384 key you can also do:

step ca certificate --kty EC --curve P-384 internal.smallstep.com internal.crt internal.key

[Rapt88]

@Rapt88 that's what we call a "JWK provisioner" in our documentation. JWK stands for "JSON Web Key" -- it's just a JSON data structure that includes a public or private key along with some metadata. What you're looking at (the "P-256" and "ES256" bits) are key metadata saying that the associated key (represented as the "x" and "y" attributes) is a "P-256" key and should be used with the "ES256" signing algorithm. To use P-384/ES384 you can't just change these parameters: you have to generate a new key.

You can use step crypto jwk create to do so, then use step ca provisioner add to add your new key to ca.json. Once that's done, you can remove the old key (either by manually editing ca.json or using step ca provisioner remove).

For example:

$ step crypto jwk create --crv P-384 j.pub.json j.priv.json
Please enter the password to encrypt the private JWK:
Your public key has been saved in j.pub.json.
Your private key has been saved in j.priv.json.
$ step ca provisioner add [email protected] j.priv.json
Please enter the password to decrypt j.priv.json:
Please enter the password to encrypt the private JWK:

Remember to restart (or at least kill -HUP) your step-ca instance after changing ca.json to pick up the new configuration.

That did work, but didnt have the desired effect that I was hoping for.

I made an assumption that if I changed the provisioner, the certificates being provisioned would default to P384, that didnt happen. They're still P256. How do I change the default certificate encryption being used? I dont wish to specify every time I need a new certificate that it must be x encryption.

[tashian]

Hi @Rapt88,

On the server side, you can block requests by key size using an X.509 template. You'll just need to adjust the template conditionals to your situation.

You can change the default on the client side by adding "kty" and "curve" keys to .step/config/defaults.json, or by exporting STEP_KTY=EC and STEP_CURVE=P-384.

[maraino]

I made an assumption that if I changed the provisioner, the certificates being provisioned would default to P384, that didnt happen. They're still P256. How do I change the default certificate encryption being used? I dont wish to specify every time I need a new certificate that it must be x encryption.

The type of certificate depends on the certificate signing request (CSR) send by the client, that's why you can do

step ca certificate --kty EC --crv P-384 internal.smallstep.com internal.crt internal.key

It's also possible to pre-define those adding the environment variables:

STEP_KTY=EC 
STEP_CRV=P-384

There should be possible to add "kty": "EC" and "crv": "P-384" in $(step path)/config/defaults.json, but right now is not because there is a bug caused because the "crv" has the alias "curve", and apparently when we manually set a flag urfave/cli does not properly handle the aliases, and we need to always use the flag name "crv" and in some cases we are using "curve".

[maraino]

I've added the bug for defaults.json #419

[Rapt88]

Thanks guys, I'll just use the certificate creation command where you call the encryption if needed.