Add configuration of TLS cert durations to Docker image
What would you like to be added
It's documented here how you can adjust the default, min and max durations of the CA, by editing ca.json.
It would be great if this is achievable with the Docker image through setting environment variables, for example:
DOCKER_STEPCA_INIT_MIN_TLS_CERT_DURATION
DOCKER_STEPCA_INIT_MAX_TLS_CERT_DURATION
DOCKER_STEPCA_INIT_DEFAULT_TLS_CERT_DURATION
Why this is needed
It would make it (much) easier to spin up a smallstep/stepca image that can handle larger/smaller/different lifetime defaults for TLS certificates! User friendliness! Bliss!!
After a quick look, I think this could be done in one of two ways:
- Add these settings as arguments to step ca init
- Add it as an after-stage in entrypoint.sh
The former is cleanest I think; the latter would also work without requiring new arguments at the step ca init command level.
Thanks for submitting this. This would be a very nice UX enhancement for the Docker image.
The challenge here is that step ca init doesn't accept any cert duration configuration parameters.
So, it would need to support that in order to unblock option one.
At first glance, I don't see an Issue for this, so we may need to create one.
And I think option one is the only viable path at the moment, because the second option would require us to couple the entrypoint script to ca.json, and that would be an unwise marriage.
You can also set min/max/default TLS cert duration on a per-provisioner basis when you add a provisioner to override these authority-level settings. If you're using the new database-backed provisioner management you can even adjust this remotely using step beta ca provisioner update <name> --x509-min-dur 1h --x509-max-dur 8760h --x509-default-dur 720h, for example.
@mmalone: When I'm using the Docker image, am I using "the new database-backed provisioner management"?
Hey @rubin55, apologies for the radio silence. When using the Docker image you are not using the new database-backed management. Currently, in order to enable that, you need to manually add an attribute to the ca.json (enableAdmin: true under the authority section).
That said, we're glad you opened this issue. We need a way to programmatically enable the new database-backed APIs so that folks can use them in environments where they don't have direct access to the ca.json. I will create an issue for that and link it here. We'll triage it shortly - however, we're super resource-constrained at the moment. If you, or anyone else from the community, is interested in contributing we would happily give some guidance and accept a PR for this.
https://github.com/smallstep/cli/issues/577
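As an added example of what the variables proposed in this issue would map to in ca.json (this is not smallstep code and not code from anyone in the thread): the script below reads a constructed ca.json, copies any DOCKER_STEPCA_INIT_{MIN,MAX,DEFAULT}_TLS_CERT_DURATION values into authority.claims under the documented keys minTLSCertDuration, maxTLSCertDuration and defaultTLSCertDuration, rejects malformed durations before they reach the CA, checks that min <= default <= max, and can set authority.enableAdmin to true as described above. The fallback values 5m / 24h / 24h are assumed to be step-ca's authority-level defaults, the DOCKER_STEPCA_INIT_ENABLE_ADMIN variable is hypothetical, and the sample ca.json (with a per-provisioner claims override and key material omitted) is constructed.

```python
"""Map DOCKER_STEPCA_INIT_*_TLS_CERT_DURATION variables onto ca.json claims.

Added example, not smallstep code. Assumptions: step-ca's authority-level
defaults of 5m / 24h / 24h are used as fallbacks when a claim is absent, the
DOCKER_STEPCA_INIT_ENABLE_ADMIN variable is hypothetical, and the sample
ca.json below is constructed (key material omitted).
"""
import json
import os
import re
import sys

# step-ca claim durations use Go's duration syntax, e.g. "5m", "24h", "8760h".
_UNITS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
_PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)")
_WHOLE = re.compile(r"(?:\d+(?:\.\d+)?(?:ns|us|ms|s|m|h))+")

# Variable names proposed in this issue -> claim keys in authority.claims.
ENV_TO_CLAIM = {
    "DOCKER_STEPCA_INIT_MIN_TLS_CERT_DURATION": "minTLSCertDuration",
    "DOCKER_STEPCA_INIT_MAX_TLS_CERT_DURATION": "maxTLSCertDuration",
    "DOCKER_STEPCA_INIT_DEFAULT_TLS_CERT_DURATION": "defaultTLSCertDuration",
}

# Assumed fallbacks (step-ca's documented authority-level defaults).
FALLBACK = {"minTLSCertDuration": "5m", "maxTLSCertDuration": "24h",
            "defaultTLSCertDuration": "24h"}


def parse_duration(text):
    """Convert a Go-style duration string to seconds; raise ValueError on bad input."""
    if not text or not _WHOLE.fullmatch(text):
        raise ValueError(f"invalid duration: {text!r}")
    return sum(float(n) * _UNITS[u] for n, u in _PART.findall(text))


def claims_are_ordered(claims):
    """True when min <= default <= max, reading missing claims from FALLBACK."""
    lo, default, hi = (parse_duration(claims.get(k, FALLBACK[k]))
                       for k in ("minTLSCertDuration", "defaultTLSCertDuration",
                                 "maxTLSCertDuration"))
    return lo <= default <= hi


def apply_duration_env(config, env):
    """Copy any DOCKER_STEPCA_INIT_*_TLS_CERT_DURATION vars into authority.claims.

    Each value is parsed before it is written so a typo fails here rather than
    at CA start-up, and the resulting min/default/max ordering is validated.
    """
    claims = config.setdefault("authority", {}).setdefault("claims", {})
    for var, claim in ENV_TO_CLAIM.items():
        value = env.get(var)
        if value:
            parse_duration(value)
            claims[claim] = value
    if not claims_are_ordered(claims):
        raise ValueError(f"durations not ordered min<=default<=max: {claims}")
    return config


def enable_remote_admin(config):
    """Set authority.enableAdmin, the flag named above for the DB-backed admin API."""
    config.setdefault("authority", {})["enableAdmin"] = True
    return config


# Constructed ca.json: a provisioner overriding max/default at its own level,
# the per-provisioner override mentioned in the thread. Key material omitted.
SAMPLE_CA_JSON = json.dumps({
    "address": ":9000",
    "dnsNames": ["ca.example.internal"],
    "authority": {
        "provisioners": [{
            "type": "JWK", "name": "admin",
            "claims": {"maxTLSCertDuration": "8760h",
                       "defaultTLSCertDuration": "720h"},
        }],
    },
})


def main(argv):
    """Usage: ca_durations.py [ca.json]; without a path the sample above is used."""
    if len(argv) > 1:
        with open(argv[1]) as f:
            config = json.load(f)
    else:
        config = json.loads(SAMPLE_CA_JSON)
    apply_duration_env(config, os.environ)
    if os.environ.get("DOCKER_STEPCA_INIT_ENABLE_ADMIN") == "true":  # hypothetical
        enable_remote_admin(config)
    print(json.dumps(config, indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with, for example, DOCKER_STEPCA_INIT_MAX_TLS_CERT_DURATION=8760h DOCKER_STEPCA_INIT_DEFAULT_TLS_CERT_DURATION=720h in the environment to see the authority.claims block it would produce; a default longer than the max is rejected rather than written, which is the check you want before the CA ever reads the file.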