Sign certificates without the step provisioner extension
Discussed in https://github.com/smallstep/certificates/discussions/615
Originally posted by Kieren, June 22, 2021

In order to use leaf certificates issued by step ca for mTLS in a particular IoT application, the certificates cannot have extraneous extensions like X509v3 Step Provisioner. Is there a way to configure step ca to not issue leaf certificates with this extension?
For example, the Arduino MKR WiFi 1010 board has an ATECC508A cryptographic authentication chip which has hardware-based certificate storage for client certificates. However, due to the storage limitations of the chip, the certificates are deconstructed into a compressed form for storage, where known values like subject fields are stripped and stored separately. Certificates issued via step ca with the Step Provisioner extension cannot be used as a drop-in in this application.
One thing to take into account is whether we want to enable mTLS renewals of these certificates.
There are certain X.509 ecosystems (i.e. the one we are working with) that prohibit adding any extension outside what is specified in the policy. Unfortunately, this extension has to be removed in order to comply with the policy.
Without mentioning the specific policy, this is part of a governmental regulatory policy.
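A defender-side check for the policy constraint raised in this thread, added here as an example that is not part of the discussion or of the step-ca project: it parses a leaf certificate and lists every extension outside an allow-list, so a template change can be verified to have actually dropped the Step Provisioner extension before certificates are loaded onto devices. The allow-list, the constructed self-signed device certificate and the approximate encoding of the extension value are assumptions; the OID 1.3.6.1.4.1.37476.9000.64.1 is the one step-ca uses for the Step Provisioner extension. Written in Go, since step-ca is a Go project and the standard library suffices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// OID of the X509v3 Step Provisioner extension that step-ca adds to leaf certificates.
var oidStepProvisioner = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64, 1}
// Hypothetical policy allow-list (an assumption for this example): keyUsage and extKeyUsage only.
var allowedExtensions = map[string]bool{"2.5.29.15": true, "2.5.29.37": true}

// ExtraneousExtensions lists the extension OIDs in cert that the policy does not allow (empty = compliant).
func ExtraneousExtensions(cert *x509.Certificate, allowed map[string]bool) []string {
	var extra []string
	for _, ext := range cert.Extensions {
		if !allowed[ext.Id.String()] {
			extra = append(extra, ext.Id.String())
		}
	}
	return extra
}

// NewTestLeaf builds a constructed self-signed client cert; withProvisioner adds a Step Provisioner extension.
func NewTestLeaf(withProvisioner bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "device-0001"},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if withProvisioner {
		// Value shape approximates step-ca's SEQUENCE{type, name, credentialID}; contents are placeholders.
		val, _ := asn1.Marshal(struct{ Type int; Name, CredentialID []byte }{1, []byte("jwk"), []byte("kid-placeholder")})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidStepProvisioner, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Feeding a certificate issued by a real provisioner into ExtraneousExtensions (via x509.ParseCertificate on its DER) gives the same compliance verdict for the actual CA configuration.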