Mariano Cano

Results 295 comments of Mariano Cano
If you already have the keys on AWSKMS and you want to sign an intermediate with it, you can modify `step-awskms-init` removing the creation of the keys, and changing the...

Your change looks ok, but that error must be from `x509.CreateCertificate()`, not from `pemutil.ReadCertificate()`. And if you already have an intermediate key, you must do a similar change, few lines...

At the moment these properties are backed by Golang's [`time.Duration`](https://pkg.go.dev/time#Duration), which does not support anything larger than hours. It would be possible to add other "durations", but might be...

@tomdaley92 the problem with your health check is that the dnsNames in the ca.json should have `ca.diesel.net` too. Looking at the error it looks like the domain `9721f7d721878f7496b87c17dcab760d.2868b98699e09c78a80c69bee273ddd8.traefik.default` is in...

@tomdaley92 Ok I see what's going on with your last output, step-ca is not running. Looking at your ansible configuration in your github, you're mounting a pre-created configuration, good. So...

Hi @hlobit, I don't think right now there's another alternative to do it yourself. But I can tell you that we've started to change how ACME stores its data, and...

Just noting that the one we've used in some examples looks like:

```
[Unit]
Description=Step Certificates
Wants=basic.target
After=basic.target network.target

[Service]
WorkingDirectory=/usr/local/lib/step
ExecStart=/usr/local/bin/step-ca /usr/local/lib/step/config/ca.json --password-file /usr/local/lib/step/secrets/intermediate_pass
KillMode=process
Restart=on-failure
RestartSec=10s

[Install]
WantedBy=multi-user.target
```

...

I didn't know about systemd support for [password agents](https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/), we can take a look into it. @darix if you know what would be the right way, I'm all ears.

@chiju: your log doesn't show any step-ca log line, the two lines there are from systemd. So, my only guess with this message `status=200/CHDIR`, is that the permissions of...

Boulder also allows redirects to HTTPS (but only to port 443) using `&tls.Config{InsecureSkipVerify: true}`. In boulder this creates the transport with the `InsecureSkipVerify`: https://github.com/letsencrypt/boulder/blob/5457680a9c8ce34d0456ccf289ed347a8529a31e/va/http.go#L489 This is the function that process...