
"step ca certificate" works with PKCS11

Open yangfande362 opened this issue 6 months ago • 3 comments

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Now we want to generate the leaf certificate with "step ca certificate", and hope it can use the private key in the TPM 2.0 via PKCS11 which was created by the "step-kms-plugin". But we failed when we used such a command: "step ca certificate 10.72.1.101 /etc/nginx/conf.d/certs/nginx-0620.crt pkcs11:id=10000000 --token a-token --ca-url=https://192.168.51.101:6000 --root=/etc/nginx/conf.d/certs/root_ca.crt". We expected it to generate a certificate and no private key file, because the private key exists at the KMS URI, but actually it generated a private key in a file whose name was "pkcs11:id=10000000", and the content of the file is exactly a private key. It seems the KMS parameter was not used, and it can't use the private key which exists in the TPM 2.0.

Why is this needed?

We want to use TPM 2.0 to protect our CA private key as the same as the leaf private key.

yangfande362 avatar Jun 22 '25 01:06 yangfande362

Supplement: I found it was supported with "step certificate create" and "step ca renew", so it should also be supported with "step ca certificate". Is there something wrong with my usage? See also #1353

And when I tried to use "step ca renew" to renew a certificate created by "step certificate create", both via KMS, it failed as well.
It seems "step ca renew" must work with "step ca certificate".

yangfande362 avatar Jun 22 '25 01:06 yangfande362

When I try to renew a certificate which was generated by "step certificate create" with the following command:

```
step ca renew --kms 'pkcs11:module-path=/usr/local/lib/libtpm2_pkcs11.so;token=mykey?pin-value=Obcu@ca' --force --ca-url=https://192.168.51.101:6000 --root /etc/nginx/conf.d/certs/root_ca.crt nginx-tpm.crt pkcs11:id=10000000;object=obcuca
```

the console shows like this

```
error validating renew token
Re-run with STEPDEBUG=1 for more info.
github.com/smallstep/cli/command/ca.(*renewer).Renew
    github.com/smallstep/cli/command/ca/renew.go:484
github.com/smallstep/cli/command/ca.renewCertificateAction
    github.com/smallstep/cli/command/ca/renew.go:341
github.com/smallstep/cli/command/ca.renewCertificateCommand.ActionFunc.func1
    github.com/smallstep/[email protected]/command/command.go:38
github.com/urfave/cli.HandleAction
    github.com/urfave/[email protected]/app.go:522
github.com/urfave/cli.Command.Run
    github.com/urfave/[email protected]/command.go:175
github.com/urfave/cli.(*App).RunAsSubcommand
    github.com/urfave/[email protected]/app.go:405
github.com/urfave/cli.Command.startApp
    github.com/urfave/[email protected]/command.go:380
github.com/urfave/cli.Command.Run
    github.com/urfave/[email protected]/command.go:103
github.com/urfave/cli.(*App).Run
    github.com/urfave/[email protected]/app.go:277
main.main
    ./main.go:73
runtime.main
    runtime/proc.go:283
runtime.goexit
    runtime/asm_amd64.s:1700
```

yangfande362 avatar Jun 22 '25 07:06 yangfande362

After all, I used "step certificate create --csr" first, then used "step ca sign" to sign a leaf certificate for nginx, and then it worked well with "step ca renew".

So when going via PKCS11, if you want to use "step certificate create" to generate a new certificate in one step, it still cannot succeed, because the command cannot reference the private key in the PKCS11 URI.

yangfande362 avatar Jun 22 '25 11:06 yangfande362
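Two things in this thread are worth pinning down in code: the symptom (a key argument of the form `pkcs11:...` being treated as an output path, so a brand-new private key lands in a file literally named `pkcs11:id=10000000`), and the workaround that did work (create a CSR with the KMS-held key, have the CA sign it, renew with the same key). The block below is an added example written for this page; it is not code from smallstep/cli or step-kms-plugin. It classifies a key argument as a KMS URI or a file path, parses a PKCS#11 URI per RFC 7512, checks a file for the leaked-key symptom, and builds the three `step` command lines as properly quoted argv lists. The flag layout of those commands is assembled from the commands named in the thread and should be checked against `step <cmd> --help` for the installed version; every path, token, PIN, CA URL and object id is a constructed placeholder. Note that in a POSIX shell an unquoted `;` ends the command, so a URI carrying `;`-separated attributes (like the final key argument in the renew command above) needs the same quoting the `--kms` value already has; `render()` applies it.

```python
# Added example, not code from smallstep/cli or step-kms-plugin.
# All paths, PINs, tokens, object ids and URLs are constructed placeholders.
import shlex
from urllib.parse import unquote

# URI schemes that step-kms-plugin resolves to a KMS-held key instead of a file.
KMS_SCHEMES = frozenset({"pkcs11", "tpmkms", "yubikey", "softkms",
                         "awskms", "azurekms", "cloudkms", "sshagentkms"})


def classify_key_argument(arg: str) -> str:
    """Return 'kms-uri' when the key argument names a KMS-backed key,
    otherwise 'file-path' (the case in which step writes a fresh key)."""
    scheme, sep, _ = arg.partition(":")
    if sep and scheme.lower() in KMS_SCHEMES:
        return "kms-uri"
    return "file-path"


def parse_pkcs11_uri(uri: str) -> dict:
    """Parse an RFC 7512 pk11 URI into {'path': {...}, 'query': {...}}.
    Path attributes are ';'-separated, query attributes '&'-separated,
    and attribute values are percent-decoded. Raises ValueError on a bad URI."""
    if not uri.lower().startswith("pkcs11:"):
        raise ValueError(f"not a pkcs11 URI: {uri!r}")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")

    def split(part: str, sep: str) -> dict:
        attrs = {}
        for item in part.split(sep):
            if not item:
                continue
            key, eq, value = item.partition("=")
            if not eq or not key:
                raise ValueError(f"malformed attribute: {item!r}")
            attrs[key] = unquote(value)
        return attrs

    return {"path": split(path_part, ";"), "query": split(query_part, "&")}


def looks_like_leaked_key(filename: str, content: bytes) -> bool:
    """True when a file named like a KMS URI holds a PEM private key: the
    symptom reported above, where the URI was used as an output path."""
    return (classify_key_argument(filename) == "kms-uri"
            and b"PRIVATE KEY-----" in content)


def workaround_commands(subject, csr_file, crt_file, kms_uri, key_uri, ca_url, root):
    """argv lists for the flow that worked in the thread: CSR with the
    KMS-held key, CA signs the CSR, renew with the same key (assumed flags)."""
    return [
        ["step", "certificate", "create", "--csr", "--kms", kms_uri,
         subject, csr_file, key_uri],
        ["step", "ca", "sign", "--ca-url", ca_url, "--root", root,
         csr_file, crt_file],
        ["step", "ca", "renew", "--force", "--kms", kms_uri,
         "--ca-url", ca_url, "--root", root, crt_file, key_uri],
    ]


def render(argv) -> str:
    """Quote an argv list for a POSIX shell; ';' and '?' inside the URI
    would otherwise split the command or trigger globbing."""
    return shlex.join(argv)


if __name__ == "__main__":
    key_uri = "pkcs11:id=10000000;object=obcuca"  # constructed object id
    print(parse_pkcs11_uri(key_uri))
    for argv in workaround_commands(
            "10.72.1.101", "nginx-tpm.csr", "nginx-tpm.crt",
            "pkcs11:module-path=/usr/local/lib/libtpm2_pkcs11.so;token=mykey?pin-value=EXAMPLE-PIN",
            key_uri, "https://ca.example:6000", "root_ca.crt"):
        print(render(argv))
```

Running it prints the parsed attributes and three shell-safe command lines; the renew line ends in `'pkcs11:id=10000000;object=obcuca'`, single-quoted, which is the form the shell needs. After any `step` run that takes a KMS URI as the key argument, a quick `looks_like_leaked_key()` pass over new files in the working directory tells you whether the key ended up on disk instead of in the TPM.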