- I'm new to step-ca, and I can't figure out whether it is possible to create a one-time password (JWK provisioner case) for each client that accesses the step-ca server to get a certificate. In our project this is necessary to improve reliability, for example in case of a password leak on the client side.
Replies: 2 comments 9 replies
- @RadionovM I'm not sure if I understand properly. A unique password encrypts the JWK private key. But the JWT used in the JWK provisioner can only be used once. Having that in mind, you can always centralize the creation of that JWT on your side, so only the services creating it have access to the password; then you can grant those tokens as you want, adding an approval process if necessary.
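One way to build what this reply describes, as an added example that is not from the original thread or from the step-ca project: a token service that holds the decrypted provisioner JWK and mints a short-lived, single-use JWT per enrolment, next to a `ReplayGuard` that models the CA-side check that burns each `jti` after one use. The claim layout (iss = provisioner name, aud = CA URL + `/1.0/sign`, sub, sans, jti, iat/nbf/exp, ES256 with the JWK thumbprint as `kid`) is my assumption of what `step ca token` emits; it is built with the Go standard library only and does not call step-ca.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"sync"
	"time"
)

// Claims of a JWK-provisioner token. Assumed layout modelled on `step ca token`;
// check it against your CA's error messages before relying on it.
type Claims struct {
	Issuer    string   `json:"iss"` // provisioner name
	Subject   string   `json:"sub"` // requested certificate subject
	Audience  string   `json:"aud"` // CA sign endpoint
	JTI       string   `json:"jti"` // random ID; the CA remembers it and rejects a replay
	IssuedAt  int64    `json:"iat"`
	NotBefore int64    `json:"nbf"`
	Expiry    int64    `json:"exp"`
	SANs      []string `json:"sans,omitempty"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Thumbprint returns the RFC 7638 thumbprint of a P-256 JWK, used as "kid".
func Thumbprint(pub *ecdsa.PublicKey) string {
	x, y := make([]byte, 32), make([]byte, 32)
	pub.X.FillBytes(x)
	pub.Y.FillBytes(y)
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, b64(x), b64(y))))
	return b64(sum[:])
}

// NewOneTimeToken signs an ES256 JWT for one enrolment. Only the service holding
// priv (the decrypted provisioner JWK) runs this, so clients never see the password.
func NewOneTimeToken(priv *ecdsa.PrivateKey, provisioner, caURL, subject string, sans []string, now time.Time, ttl time.Duration) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	c := Claims{Issuer: provisioner, Subject: subject, Audience: strings.TrimRight(caURL, "/") + "/1.0/sign",
		JTI: b64(jti), IssuedAt: now.Unix(), NotBefore: now.Unix(), Expiry: now.Add(ttl).Unix(), SANs: sans}
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": Thumbprint(&priv.PublicKey)})
	body, _ := json.Marshal(c)
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256: raw r||s, 32 bytes each (not DER)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// ReplayGuard models the server side: a jti is accepted exactly once.
type ReplayGuard struct {
	mu   sync.Mutex
	used map[string]int64 // jti -> exp, so burnt IDs can be dropped once they expire anyway
}

func NewReplayGuard() *ReplayGuard { return &ReplayGuard{used: map[string]int64{}} }

// Verify checks header, signature, issuer, audience and validity window, then burns the jti.
func (g *ReplayGuard) Verify(token string, pub *ecdsa.PublicKey, provisioner, caURL string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" || hdr.Kid != Thumbprint(pub) {
		return nil, errors.New("bad header, alg or kid")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	var c Claims
	cb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(cb, &c) != nil {
		return nil, errors.New("bad claims")
	}
	t := now.Unix()
	switch {
	case c.Issuer != provisioner:
		return nil, errors.New("unknown provisioner")
	case c.Audience != strings.TrimRight(caURL, "/")+"/1.0/sign":
		return nil, errors.New("wrong audience")
	case t < c.NotBefore || t >= c.Expiry:
		return nil, errors.New("token outside validity window")
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	for id, exp := range g.used { // prune: an expired jti can no longer be replayed
		if exp <= t {
			delete(g.used, id)
		}
	}
	if _, seen := g.used[c.JTI]; seen {
		return nil, errors.New("token already used")
	}
	g.used[c.JTI] = c.Expiry
	return &c, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the decrypted provisioner JWK
	now := time.Now()
	tok, _ := NewOneTimeToken(priv, "admin@example.com", "https://ca.example.com", "host1.example.com", []string{"host1.example.com"}, now, 5*time.Minute)
	g := NewReplayGuard()
	_, first := g.Verify(tok, &priv.PublicKey, "admin@example.com", "https://ca.example.com", now)
	_, second := g.Verify(tok, &priv.PublicKey, "admin@example.com", "https://ca.example.com", now)
	fmt.Println("first use error:", first, "| second use error:", second)
}
```

The point the reply makes is visible in `ReplayGuard`: even if a token leaks from a client, it is only good until its first use or its short `exp`, whichever comes first, and the JWK password never leaves the token service. Against a real step-ca you would send the token in the sign request instead of calling `Verify`; the CA's own replay check replaces the in-memory map.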
- Are you referring to time-based/counter-based OTP, or to each user getting a separate password? An OAuth/OIDC method would probably be more suitable if you want to protect the main CA server. You can set it up on your own servers with Keycloak or Authelia, or use third-party ones like Google or GitHub.