[Bug]: Unable to use "tpmkms" on Windows
Steps to Reproduce
Using the CGO build on Windows is not working with "tpmkms".
I've built step-ca v0.27.4 with the CGO flag on Windows with the help of w64devkit. I want to secure the certificate key using the TPM, so I'm using "tpmkms" (though I would have preferred to use CryptoAPI on Windows, tbh).
This is a simplification of my actual script, but I've successfully created the key using the kms module for step-cli:
```powershell
$env:STEPPATH = "C:\ACMECA\conf"
$TemplatesDir = (Join-Path $env:STEPPATH "templates")
$CertsDir = (Join-Path $env:STEPPATH "certs")
# Create the intermediate CA key inside the TPM under the name acme-ca-ver1
step kms create --json --kty RSA --size 2048 'tpmkms:name=acme-ca-ver1'
# Create a CSR for the intermediate, signed with the TPM-resident key
step certificate create --kms 'tpmkms:' --key 'tpmkms:name=acme-ca-ver1' --csr --template "$TemplatesDir\CATemplate.tpl" "ACME Server" "$CertsDir\intermediate.csr"
```
The step.json looks like this (I've cut out the providers to keep it short):
```json
{
  "root": "C:/ACMECA/conf/certs/root_ca.crt",
  "federatedRoots": null,
  "crt": "C:/ACMECA/conf/certs/intermediate_ca.crt",
  "key": "tpmkms:name=acme-ca-ver1",
  "kms": {
    "type": "tpmkms",
    "uri": "tpmkms:"
  },
  "address": ":9000",
  "insecureAddress": "",
  "dnsNames": [
    "testing.example.com"
  ],
  "logger": {
    "format": "text"
  },
  "db": {
    "type": "badgerv2",
    "dataSource": "C:/ACMECA/conf/db",
    "badgerFileLoadingMode": "FileIO"
  },
  "authority": {
    "template": {
    },
    "backdate": "1m0s"
  },
  "tls": {
    "cipherSuites": [
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
    ],
    "minVersion": 1.2,
    "maxVersion": 1.3,
    "renegotiation": false
  },
  "commonName": "ACME Server"
}
```
Your Environment
- OS - Windows 11 23H2 (also intending to run on Windows Server, but testing locally first)
- step-ca Version - v0.27.4 (built with CGO flag)
- PowerShell 5.1 (since I'm gonna run this on a server where we don't have the newer PowerShell versions)
Expected Behavior
Expected step-ca to start successfully.
Actual Behavior
step-ca fails to start saying it's unable to find the key.
```text
PS C:\ACMECA\bin> $env:STEPPATH = "C:\ACMECA\conf"
PS C:\ACMECA\bin> .\step-ca.exe
badger 2024/09/30 13:40:28 INFO: All 0 tables opened in 0s
badger 2024/09/30 13:40:28 INFO: Replaying file id: 0 at offset: 0
badger 2024/09/30 13:40:28 INFO: Replay took: 537.9µs
failed getting key "acme-ca-ver1": not found
```
Additional Context
Interesting side note: the PowerShell session also crashes shortly after this. Not sure it's entirely related, but it is consistent. After step-ca exits, I can press Enter twice and the shell crashes.
I'm able to verify the key is working in the kms plugin by running this (which prints the public key):
```text
PS C:\ACMECA\bin> $env:STEPPATH = "C:\ACMECA\conf"
PS C:\ACMECA\bin> .\step.exe kms key 'tpmkms:name=acme-ca-ver1'
```
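As an added example (not code from the issue or from step-ca), a small Python check that parses the step KMS URI format used in the report (`scheme:key=value;key2=value2`) and verifies that the `key` URI and the `kms` section of the posted config agree, so a scheme or name mismatch can be ruled out before suspecting the TPM backend's lookup. It assumes a `tpmkms` key is addressed by a `name=` option as in the report; the JSON excerpt is constructed from the posted config.

```python
import json
from typing import Dict, List

# Constructed from the config posted in the issue; providers omitted as there.
CA_JSON = """{
  "key": "tpmkms:name=acme-ca-ver1",
  "kms": {"type": "tpmkms", "uri": "tpmkms:"}
}"""


def parse_kms_uri(uri: str) -> Dict[str, str]:
    """Parse a step KMS URI (scheme:key=value;key2=value2).

    The scheme is returned under "_scheme"; a bare "tpmkms:" yields only that.
    """
    scheme, sep, rest = uri.partition(":")
    if not sep or not scheme:
        raise ValueError(f"not a KMS URI: {uri!r}")
    opts = {"_scheme": scheme.lower()}
    for part in filter(None, rest.split(";")):
        k, eq, v = part.partition("=")
        if not eq or not k.strip():
            raise ValueError(f"malformed option {part!r} in {uri!r}")
        opts[k.strip()] = v.strip()
    return opts


def check_config(raw: str) -> List[str]:
    """Return inconsistencies between "key" and "kms" in a ca.json document."""
    cfg = json.loads(raw)
    problems: List[str] = []
    key = parse_kms_uri(cfg["key"])
    kms = cfg.get("kms") or {}
    kms_type = (kms.get("type") or "").lower()
    if not kms_type:
        problems.append('"kms.type" is missing')
    elif key["_scheme"] != kms_type:
        problems.append(f'key scheme {key["_scheme"]!r} != kms.type {kms_type!r}')
    if kms.get("uri"):
        uri_scheme = parse_kms_uri(kms["uri"])["_scheme"]
        if uri_scheme != kms_type:
            problems.append(f'kms.uri scheme {uri_scheme!r} != kms.type {kms_type!r}')
    # Assumption: a tpmkms key is addressed by name=, as in the report.
    if key["_scheme"] == "tpmkms" and not key.get("name"):
        problems.append('tpmkms key URI has no name= option')
    return problems


if __name__ == "__main__":
    issues = check_config(CA_JSON)
    print("config consistent" if not issues else "\n".join(issues))
```

For the posted config the check reports no inconsistencies, which points the "not found" error at the tpmkms key store lookup rather than at the config wiring.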