Allow Mutual TLS/mTLS to protect access to step-ca in addition to the existing authentication methods like JWK/password
What would you like to be added
Please add the possibility to configure mutual TLS authentication for step-ca/provisioners in general, as in: in addition to the existing authentication methods!
Currently there is no way in step-ca to configure a mutual TLS configuration where I can specify this certificate (or better two or more, to allow rotation). All clients can just access the provisioner/step-ca with one of the current authentication methods.
Why this is needed
As described in the concept (https://smallstep.com/docs/step-ca/certificate-authority-core-concepts#provisioners), provisioners need to authenticate the clients before they allow them to create certificate signing requests (CSRs) and access the step-ca. This authentication is also said to not be possible with mutual TLS, as the TLS certificate the clients could use would first have to be created by step-ca.
Yet, consider that I'd like to use the step-ca to create certificates for several subjects/devices but only access it from a service which can have a TLS certificate that the provisioner/step-ca could verify. E.g. it will be issued by a completely different Certificate Authority.
Consider the JWK example: My client needs to know just the password and is able to create certificates. As I cannot put step-ca behind a TLS-terminating load balancer, which could enforce certificate authentication or similar, there is no way to support this scenario.
OIDC is not an alternative, because the devices have no user identity.
linking related - https://github.com/smallstep/certificates/discussions/668
@kmindi - Maxey, VP of Product here. We discussed this as a team today. We have a few ways to solve this depending on your end goal and use case. Can we speak live so we can make a better recommendation? Ping me at maxey at smallstep.com.