
Let the step-ca server use different certificate types itself

Open MacWeber opened this issue 2 years ago • 1 comments

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

From a past discussion:

Currently, the certificate for the step-ca server (HTTPS) cannot be changed, and it always uses an ECDSA P-256 key.

It would be really interesting to let the users choose which certificate type the CA uses.

Why is this needed?

Some users may not consider P-256 the safest choice, then they may be willing to use a different certificate for the CA itself. The certificate would make more sense if using the same type as the intermediate. If not, then the user should be allowed to decide which certificate type the step-ca server will use.

MacWeber, Apr 16 '23 14:04

After https://github.com/smallstep/certificates/pull/1685 gets merged, we could look into supporting more flexibility in the TLS configuration for the CA HTTPS server itself. Noting it here for reference.

hslatman, Feb 06 '24 18:02