
Ability to have certificate and private key in same file

Open plinss opened this issue 3 years ago • 2 comments

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

It's not common, but some applications, like restic, require the private key to be in the same file as the certificate when using client certificates.

It would be nice if step could generate combined files like that for both certificate generation and renewal.

One suggestion is to detect when the cert file and key file are the same path (currently step simply replaces the cert chain with the private key in this case). Another option would be to do this when the private key file is omitted from the command line.

Why is this needed?

When automating certificate renewal for applications that require all certificate materials to be in a single file, this would eliminate the need for adding additional steps in combining files.

plinss, Sep 28 '22 02:09

@plinss As a clarification, the file will have the intermediate cert too, it will look like:

-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN EC PRIVATE KEY-----
...
-----END EC PRIVATE KEY-----

We can also consider doing a couple more things too:

  1. Print the certs and keys with step ca certificate localhost
  2. Use PKCS#8 by default, but with a flag to use PKCS#1/SEC1, although step crypto key format can switch between those.

maraino, Sep 28 '22 18:09

@maraino Yes, that's what I'd expect the file to contain (and what restic requires).

Your suggestions seem useful as well (though I don't personally have a need for that at the moment).

plinss, Sep 28 '22 20:09
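
The manual combining step the issue wants to avoid, written out as an added example (not part of step and not from either commenter): it builds the layout shown in the thread from a separate chain file and key file. The function names are hypothetical, and the checks look only at PEM block labels; they do not verify that the key matches the certificate.

```shell
#!/bin/sh
# Added example (not part of step): combine_pem, count_blocks and
# bundle_order_ok are hypothetical helper names.
KEY_RE='([A-Z0-9]+ )?PRIVATE KEY'   # PKCS#8, SEC1 "EC", PKCS#1 "RSA" labels

# Print how many PEM blocks in file $1 have a BEGIN label matching regex $2.
count_blocks() {
    awk -v re="^-----BEGIN $2-----\$" '$0 ~ re { n++ } END { print n + 0 }' "$1"
}

# Succeed only if file $1 holds certificates first, then exactly one key.
bundle_order_ok() {
    awk -v k="^-----BEGIN $KEY_RE-----\$" '
        $0 ~ k { keys++ }
        /^-----BEGIN CERTIFICATE-----$/ { certs++; if (keys) bad = 1 }
        END { exit !(certs >= 1 && keys == 1 && !bad) }' "$1"
}

# combine_pem CERT_CHAIN KEY OUT: write chain then key to OUT, mode 0600.
combine_pem() {
    cert=$1 key=$2 out=$3
    # Refuse to write over an input; that would lose the chain or the key.
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
        if [ "$out" = "$f" ] || [ "$out" -ef "$f" ]; then
            echo "output must not be an input file" >&2; return 2
        fi
    done
    # Structural checks: chain holds only certificates, key file one key.
    [ "$(count_blocks "$cert" CERTIFICATE)" -ge 1 ] &&
    [ "$(count_blocks "$cert" "$KEY_RE")" -eq 0 ] &&
    [ "$(count_blocks "$key" "$KEY_RE")" -eq 1 ] ||
        { echo "unexpected PEM content" >&2; return 3; }
    # Temp file in the target directory (mktemp creates it 0600), then an
    # atomic rename so a reader never sees a half-written bundle.
    tmp=$(mktemp "$(dirname -- "$out")/.bundle.XXXXXX") || return 4
    {   cat -- "$cert" &&
        # Add a newline if the chain lacks one, so PEM markers do not fuse.
        { [ -z "$(tail -c 1 -- "$cert")" ] || echo; } &&
        cat -- "$key"
    } > "$tmp" && chmod 600 "$tmp" && mv -f -- "$tmp" "$out" && return 0
    rm -f -- "$tmp"; return 4
}

# Stand-alone use: sh combine.sh chain.pem key.pem bundle.pem
if [ "$#" -eq 3 ]; then combine_pem "$@"; fi
```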