
Parameters `--cert-not-after` and `--cert-not-before` of `step ca token` for non-ssh certificates

Open PreterPant opened this issue 8 months ago • 2 comments

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

The documentation states that the parameters `--cert-not-after` and `--cert-not-before` of `step ca token` are only supported on SSH certificates. Those options would be very helpful for X.509 certificates as well.

The question is whether the documentation on this is even correct, since it was raised in #1065 under (2) that the code might work for certificates other than SSH.

Why is this needed?

If you issue one-time tokens to a third party to enroll for a certificate, it would be desirable to be able to enforce a certificate runtime lower than the maximum allowed runtime. Since the redeeming of the token would not happen in a controlled environment, the restriction would best be baked into the token to be handled by the server, thus allowing a provisioner to have a higher max for some tokens.

PreterPant avatar Apr 16 '25 14:04 PreterPant
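The server-side rule the issue asks for, as an added illustration that is not code from the smallstep/cli project or from the issue author: a one-time token may carry a requested certificate window, and the CA clamps that window against the provisioner's maximum instead of trusting the client environment. The claim names `cert_not_before` / `cert_not_after` and the helper names are assumptions of this example, not step-ca's real token layout, and the token builder produces a constructed unsigned token purely to feed the parser.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# Hypothetical claim names used by this illustration only; they are NOT the
# claim names step-ca actually places in its tokens.
NOT_BEFORE_CLAIM = "cert_not_before"
NOT_AFTER_CLAIM = "cert_not_after"

# Constructed reference time for the worked example (issue date of the thread).
EXAMPLE_NOW = datetime(2025, 4, 16, 14, 0, tzinfo=timezone.utc)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed JWT-shaped token with an empty signature segment.

    Only for exercising the parser below; a real enrollment token is signed
    with the provisioner key and the CA verifies that signature first.
    """
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def payload_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is deliberately not checked here: the CA must verify it
    against the provisioner key before acting on any claim this returns.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def _parse_time(value: str) -> datetime:
    # RFC 3339 timestamp; accept the trailing 'Z' on older Python versions
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def resolve_validity(claims: dict, now: datetime,
                     default_duration: timedelta, max_duration: timedelta):
    """Compute the certificate validity window the CA should actually issue.

    The token may narrow the window; it can never widen it beyond the
    provisioner's maximum, and an over-long request is rejected rather than
    silently extended, since a one-time token is meant to constrain.
    """
    if NOT_BEFORE_CLAIM in claims:
        not_before = _parse_time(claims[NOT_BEFORE_CLAIM])
    else:
        not_before = now
    if NOT_AFTER_CLAIM in claims:
        not_after = _parse_time(claims[NOT_AFTER_CLAIM])
    else:
        not_after = not_before + default_duration
    if not_after <= not_before:
        raise ValueError("requested notAfter is not after notBefore")
    if not_after - not_before > max_duration:
        raise ValueError("requested lifetime exceeds provisioner maximum")
    return not_before, not_after


if __name__ == "__main__":
    # Constructed token asking for a 2h certificate under a 24h provisioner max.
    token = make_unsigned_token({"sub": "host.example",
                                 NOT_AFTER_CLAIM: "2025-04-16T16:00:00Z"})
    nb, na = resolve_validity(payload_claims(token), EXAMPLE_NOW,
                              timedelta(hours=24), timedelta(hours=24))
    print("issue from", nb.isoformat(), "until", na.isoformat())
```

The point of keeping the clamp in `resolve_validity` rather than in the client is the one the issue makes: the redeeming party is untrusted, so the only place the shorter lifetime is reliably enforced is the CA, after signature verification of the token.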

Hi @PreterPant,

I've created a pull request that adds support for the `--cert-not-before` and `--cert-not-after` flags for X.509 certificates in the `step ca token` command.

You can find the PR here

alvidofaisal avatar May 31 '25 20:05 alvidofaisal

I do not have time to test this at the moment, sorry :/ Thank you very much for picking this up :)

PreterPant avatar Jun 10 '25 14:06 PreterPant