
Support for `--admin-kms` in `step ca provisioner` subcommands

Open tashian opened this issue 1 year ago • 3 comments

For CA administrative functions, it would be nice to be able to use a KMS-bound key.

This enables a flow where a YubiKey could be used to admin the CA, using an admin cert acquired via ACME DA.

tashian avatar Aug 05 '24 18:08 tashian

If I understand your request correctly, this is already possible by using an x5c key and certificate as provisioner credentials that point to the YubiKey with a KMS URL.

andsens avatar Nov 15 '24 08:11 andsens

I believe what @tashian wants is to be able to use a KMS URI instead of specifying the credentials from disk for administrative operations that require our ca.AdminClient: https://github.com/smallstep/cli/blob/master/utils/cautils/client.go#L99-L197. At the moment it assumes the cert/key are always read from disk.

hslatman avatar Nov 15 '24 09:11 hslatman

~~Oh, in that case I have the exact same issue. Thing is, when using KMS-backed keys (TPM in my case), `step ca token --ssh|--revoke|--rekey` work, but `step ca token --renew` does not. Neither does `step ca renew`:~~

Nevermind. I misunderstood the issue. Created a separate one here https://github.com/smallstep/cli/issues/1314

andsens avatar Nov 15 '24 10:11 andsens