One-time client auth password

[RadionovM]

I'm new to step ca, and I can't figure out if it is possible to create a one-time password ( JWK provisioner case) for each client that accesses the step ca server to get a certificate. In our project, this is necessary to improve reliability, for example, in case of password leak on the client side

[maraino]

@RadionovM I'm not sure if I understand properly. A unique password encrypts the JWK private key. But the JWT used in the JWK provisioner can only be used once.

Having that in mind, you can always centralize the creation of that JWT on your side, so only the services creating it have access to the password, then you can grant those tokens as you want, adding an approval process if necessary.

[RadionovM]

@mmalone, I think this is exactly what we need, many thanks!

[RadionovM]

@mmalone, I just want to clarify one point, you said that, generally, multi-use password (which encrypts JWK private key) is not needed. But as I understand, in this case, anyone can get a token using the command step ca token host --ca-url https://ca_host:port --root root_ca.crt (requesting to a running CA server, suppose they get somehow public part root_ca.crt). Is this right or am I wrong?

[maraino]

@RadionovM what is not required is the encryptedKey property that you can see in a JWK provisioner, see for example https://smallstep.com/docs/step-ca/configuration#jwk. If this is not provided then you cannot do just

step ca token <name>

You need to provide the private key to sign the token like this:

step ca token --key path/to/private.key <name>

And by the way, anybody can do a request to https://ca_host:port/1.0/sign without the root_ca.crt, step requires it because this way it can verify the TLS certificate of the CA, but for example, you can use curk -k to ignore the validation.
The authentication is the signed token, not the root certificate.

[RadionovM]

@maraino, thank you, seems I get it, I can create JWK pair in advance and create provisioner with this pre-created keys, and create tokens using private JWK part which is not included in ca.config.

But I would like to clarify the last paragraph if possible, I understand that this certificate, in principle, is not needed to establish a connection, it is only needed for server authentication. And I noticed that if we receive a certificate on the client using a token, we can not use the --ca-url and --root flags. I decrypted the token and saw the CA server url but did not see any mention of the root certificate. Does this mean that when using the token, the server is not authenticated on the client (that is, the client does not verify the authenticity of the CA server)?

[maraino]

step client always verifies the certificate of the CA server in different ways, but with a token, it generally does looking at the CA URL in the audience (aud) and the parameter called sha, that is the fingerprint of the root certificate (the SHA256 of the raw bytes of the root certificate).

Given that information step will do an unauthenticated request to https://<ca-url>/root/<fingerprint> to download the root certificate, then it will make sure that the fingerprint matches, and it will use that certificate for other requests.

Other ways to authenticate requests are through the flags, the information in ~/.step/config/defaults.json, and as a last alternative the root in ~/.step/certs/root_ca.url.

[LecrisUT]

Are you referring to time-based/counter-based OTP, or each user getting a separate password?

Probably a OAuth/OIDC method would be more suitable if you want to protect the main CA server. You can set it up on your own servers with Keycloak or Authelia, or use 3rd party ones like Google or Github.

[RadionovM]

I meant that each client will receive their own password that can be used only once. This will avoid the certification of an unwanted client which we do not expect.