Configuring a longer pathlen for certificate chains #639
Replies: 7 comments 7 replies
-
Hey @kirill-kostenetskyi, glad you're trying out step for this. I think there are a couple of misunderstandings about how the CA works and how certificates are signed, so let me try to clear those up. When A provisioner is a way to authenticate to the authority, rather than a way to select the signing CA. So when you use a JWK provisioner you authenticate via password. When you use an X5c certificate you authenticate via an x509 certificate previously issued by the CA. But each of the new certificates that you generate will be signed by the original intermediate. Now, you say that for your product you need a chain that is 4 certificates long. This is possible with
Using this template you would run
Here's an example:
Next you'll want to create your second intermediate:
Next, bundle intermediate 1 and 2 into a single file, with 2 being on top of 1:
Now, start up step-ca and when you create certificates using any provisioner they will be signed by intermediate2 and you will have a path length of 4 certificates.
-
Another note, to verify a certificate using
-
Yes, but accessing those records can be difficult. The open source database is a key value byte store which means that you can't do sql style lookups. We're releasing a managed CA in the next few weeks which does have a certificate observability feature (allowing you to view certificates, lineage, renewal status) in the UI. It can connect to a CA that you run yourself locally, or we can run the CA for you. If certificate observability is interesting to you, I would encourage you to try it out once we release it.
Maybe :) It's hard to say without knowing more about your use case.
-
@dopey Thanks a lot for your time and such a detailed answer! Could you help us with another related question, please? A detailed example:
Is that scenario possible with step-ca? If not, could you suggest any other solutions for such cases?
-
@kirill-kostenetskyi When you use the term "based on" (e.g., 4th level certificates based on 3rd level) do you mean that the 4th level certificates need to be signed by the 3rd level certificates or that the 4th level certificate needs to have characteristics that are affected by the 3rd level? It is uncommon (I've never heard of it) for a server certificate (3rd level in your example) to be used as both a certificate to identify the server and as a signing certificate for downstream certificates.
-
@dopey @maraino It seems that Thanks!
-
@kirill-kostenetskyi - Mike Maxey, VP of Product here. We have talked with others about STIR/SHAKEN and discussed a path to supporting a new ACME challenge as defined in the STIR/SHAKEN standard docs. To date, we have not implemented this extension. Please let me know if this is a direction you have budget and interest in pursuing. I'm available at maxey(at)smallstep.com.
-
Hi there!
Our product needs certificates issued as a four-level chain, and we chose step-ca as the CA, which seems like it should do the job for us.
We don't have a lot of experience in the certification area, just a basic understanding. Let me know if we understand something in the wrong way, please.
We set up a step-ca server and then we use this sort of commands to create the chain:
1. using JWK provider:
   step ca certificate --ca-url https://33.333.333.333:443 account account.crt account.key
2. x5c provisioner to create the new certificate based on the previous:
   step ca certificate --ca-url https://33.333.333.333:443 session account_2.crt account_2.key --provisioner=x5c@dev --x5c-cert=account.crt --x5c-key=account.key
3. x5c provisioner again to create the next certificate level:
   step ca certificate --ca-url https://33.333.333.333:443 session account_3.crt account_3.key --provisioner=x5c@prod --x5c-cert=account_2.crt --x5c-key=account_2.key
So after that, we have at least three certificates (and another two inside the step-ca server). Here are the questions:
1. account_3.crt was issued by account_2.crt or account_2.crt was issued by account.crt? Does step have any functions to do that?
2. step the good choice for our purposes?
Could somebody please help us with answers?
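Added example, not code from this thread or from the step-ca project: a Go program using only the standard library's crypto/x509. It builds the four-certificate layout dopey describes above (root, intermediate 1, intermediate 2, leaf), verifies the chain the way a TLS client would, shows that the chain is rejected when intermediate 1 carries pathlen:0, and answers the lineage question from the original post ("was account_3.crt issued by account_2.crt?") with an issuer-name plus signature check. That same check also illustrates dopey's later point: a server certificate (cA=false) is refused as an issuer of anything downstream. Every name in the block (Example Root CA, service.example.internal, mkCert, IssuedBy, BuildFourLevelChain) is constructed for the example; the certificates live only in memory, so none of the URLs, provisioners or files from the thread are involved.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certPair is a certificate plus its private key, kept in memory only for this demonstration.
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 // constructed, sequential serials; a real CA uses large random ones

// mkCert issues a certificate for cn signed by parent (nil parent = self-signed root).
// For CAs, maxPathLen is written into basicConstraints; leaves get cA=false and no pathlen.
// It panics on failure, which for an in-memory demo can only mean a broken RNG.
func mkCert(cn string, isCA bool, maxPathLen int, parent *certPair) *certPair {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		tmpl.MaxPathLen = maxPathLen
		tmpl.MaxPathLenZero = maxPathLen == 0 // Go only encodes pathlen:0 when this flag is set
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &certPair{cert: cert, key: key}
}

// IssuedBy answers "was child issued by parent?": the child's issuer must equal the parent's
// subject and the signature must verify under the parent's key. CheckSignatureFrom also refuses
// parents that are not CAs or lack keyCertSign, so a server certificate never counts as an issuer.
func IssuedBy(child, parent *x509.Certificate) bool {
	if !bytes.Equal(child.RawIssuer, parent.RawSubject) {
		return false
	}
	return child.CheckSignatureFrom(parent) == nil
}

// fourLevelChain is root -> inter1 -> inter2 -> leaf, the layout discussed in the thread.
type fourLevelChain struct{ root, inter1, inter2, leaf *certPair }

// BuildFourLevelChain builds the chain with the given pathlen on intermediate 1. The root gets
// pathlen 2 (two CAs may follow it) and intermediate 2 gets pathlen 0 (only leaves below it).
func BuildFourLevelChain(inter1PathLen int) *fourLevelChain {
	root := mkCert("Example Root CA", true, 2, nil)
	inter1 := mkCert("Example Intermediate CA 1", true, inter1PathLen, root)
	inter2 := mkCert("Example Intermediate CA 2", true, 0, inter1)
	leaf := mkCert("service.example.internal", false, 0, inter2)
	return &fourLevelChain{root, inter1, inter2, leaf}
}

// Verify builds the path from the leaf to the trusted root the way a TLS client would and returns
// how many certificates the verified path contains; pathlen violations surface as errors.
func (c *fourLevelChain) Verify() (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.root.cert)
	inters.AddCert(c.inter1.cert)
	inters.AddCert(c.inter2.cert)
	chains, err := c.leaf.cert.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	good := BuildFourLevelChain(1)
	n, err := good.Verify()
	fmt.Println("pathlen 1 on intermediate 1: chain length", n, "err:", err)
	fmt.Println("leaf issued by intermediate 2:", IssuedBy(good.leaf.cert, good.inter2.cert))
	fmt.Println("leaf issued by intermediate 1:", IssuedBy(good.leaf.cert, good.inter1.cert))
	_, err = BuildFourLevelChain(0).Verify()
	fmt.Println("pathlen 0 on intermediate 1: err:", err)
}
```

Run it with go run; it needs no network and no step-ca instance. The pathlen on a CA certificate counts the non-self-issued CA certificates that may appear below it, so for four levels the root needs at least 2 and the first intermediate at least 1; the same numbers apply when you inspect the basicConstraints extension of a real intermediate (for example with step certificate inspect) before bundling it.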