Add annotation to define the type of key

Open maraino opened this issue 5 years ago • 2 comments

What would you like to be added

Add a new annotation that allows the user to get an RSA/EdDSA instead of an ECDSA certificate.

Why this is needed

See https://github.com/smallstep/autocert/issues/4#issuecomment-537698075

maraino avatar Oct 02 '19 22:10 maraino

We could really use this annotation as we rely on PKCS12 certificates in our scenario. If we could specify that in an annotation, that would make things A LOT easier!

JackSinclairT avatar May 20 '21 15:05 JackSinclairT

@JackSinclairT With the current version, using custom images for the bootstrapper and renewer you can create certificates with different algorithms, and convert them to PKCS12.

For example, a new image with a bootstrapper.sh running step ca certificate with the flag --kty RSA will generate RSA keys (2048 bits by default). And step certificate p12 site.p12 site.crt site.key can be added to convert the cert to PKCS12.

And a custom image of the renewer can be modified to convert the certificate to PKCS12 on each renewal:

step ca renew --daemon --exec "step certificate p12 site.p12 $CRT $KEY" $CRT $KEY

maraino avatar May 20 '21 19:05 maraino
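
The workaround described in the last comment, as an added example that is not part of the thread and not autocert's own bootstrapper or renewer: one entrypoint script for both custom images that issues an RSA key and keeps a PKCS12 bundle in sync without prompting. CRT, KEY, --kty RSA and the site.* file names come from the comment; COMMON_NAME, STEP_TOKEN, P12 and P12_PASSWORD_FILE are assumed variable names, and --password-file, --force and --token are step CLI flags assumed to be available in the installed version.

```shell
#!/bin/sh
# Added example: shared entrypoint for a custom bootstrapper and renewer image.
# Assumed environment: COMMON_NAME, STEP_TOKEN (bootstrap only), CRT, KEY,
# P12, P12_PASSWORD_FILE. Paths are assumed to contain no whitespace.
set -eu

: "${CRT:=site.crt}"
: "${KEY:=site.key}"
: "${P12:=site.p12}"
: "${P12_PASSWORD_FILE:=p12-password.txt}"   # constructed default; mount a secret here

# Build the conversion command as ONE string, because `step ca renew --exec`
# takes the post-renewal command as a single argument.
#   --password-file  read the bundle password from a file instead of prompting,
#                    so the daemon never blocks waiting on a TTY
#   --force          overwrite the previous bundle without asking
p12_cmd() {
    printf 'step certificate p12 %s %s %s --password-file %s --force' \
        "$P12" "$CRT" "$KEY" "$P12_PASSWORD_FILE"
}

# Init container: request an RSA key instead of the default ECDSA one,
# then produce the first PKCS12 bundle.
bootstrap() {
    umask 077   # anything this script creates is readable by its owner only
    step ca certificate "$COMMON_NAME" "$CRT" "$KEY" --kty RSA --token "$STEP_TOKEN"
    sh -c "$(p12_cmd)"
}

# Sidecar: renew in the background and rebuild the bundle after every renewal,
# so consumers of the .p12 never see a certificate older than the PEM files.
renew() {
    umask 077
    exec step ca renew --daemon --exec "$(p12_cmd)" "$CRT" "$KEY"
}

# Nothing runs unless a mode is given explicitly.
case "${1:-}" in
    bootstrap) bootstrap ;;
    renew)     renew ;;
esac
```

The PKCS12 file contains the private key, so it and the password file need the same access restrictions as the key file itself.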