`step ca certificate` should warn when passed-in subject names are ignored
When I get a certificate using an OIDC provisioner, the --san I provide is silently ignored.
step should warn the user that the flag was ignored.
Example output:
```
step ca certificate vpn --san strongswan.lan vpn.crt vpn.key --not-after 8784h
✔ Provisioner: authority-admin (OIDC) [client: de7774d8-a136-4e29-8450-026022a64ce4]
Your default web browser has been opened to visit:
https://auth.smallstep.com/oidc/auth?client_id=de77...
⚠️ Your subject name and --san flag were ignored. By default, OIDC provisioners issue certificates based on trusted OIDC token values only.
✔ CA: https://my.ca.smallstep.com
✔ Certificate: vpn.crt
✔ Private Key: vpn.key
```
- Check if SANs are ignored in the request to the CA. If they are, it can be short-circuited in the CLI.
A CSR with the given SANs is created. A certificate template can be used to set the SANs from the CSR instead of the default ones for an OIDC provisioner (the email and the account URI). Example of the CSR request:
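Added example, not part of the issue thread or the step code base: one way a client could detect the condition this issue describes, by comparing the DNS SANs in the CSR with those in the certificate the CA returns. The CSR, the certificate, the `admin@example.com` address and the helper names `ignoredDNSNames`, `sample` and `must` are constructed for illustration, and only DNS SANs are compared.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// must unwraps (value, error) pairs; acceptable here because all input is constructed.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ignoredDNSNames returns the DNS SANs requested in csr that are absent from crt.
func ignoredDNSNames(csr *x509.CertificateRequest, crt *x509.Certificate) []string {
	issued := map[string]bool{}
	for _, n := range crt.DNSNames {
		issued[strings.ToLower(n)] = true // DNS names compare case-insensitively
	}
	var dropped []string
	for _, n := range csr.DNSNames {
		if !issued[strings.ToLower(n)] {
			dropped = append(dropped, n)
		}
	}
	return dropped
}

// sample builds a constructed CSR (SAN strongswan.lan) and a constructed certificate with only an email SAN.
func sample() (*x509.CertificateRequest, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{DNSNames: []string{"strongswan.lan"}}
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, req, key))))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), EmailAddresses: []string{"admin@example.com"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	crt := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	return csr, crt
}

func main() {
	fmt.Printf("warning: requested SANs missing from issued certificate: %q\n", ignoredDNSNames(sample()))
}
```

A non-empty result is the point at which a warning like the one proposed in the example output would be printed.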