
`step ca renew` command could provide clearer output for non-client auth certs

Open tashian opened this issue 3 years ago • 1 comment

If renewal is attempted with a non-"client auth" cert, the client returns a "tls: bad certificate" error, because the mutual TLS handshake fails. The client should output a more useful note. For example:

Because `step ca renew` uses mutual TLS authentication with step-ca, only certificates marked with Client Authentication extended key usage can be renewed. Consider using `step ca certificate` to rekey and request a new certificate.

tashian avatar Mar 29 '22 19:03 tashian

Look at the certificate, and if there's no client auth, attempt to use the token method (used for renew-after-expiry). Either get rid of the mTLS method or allow users to force the token method. Or allow you to force mTLS.

Option 1)

  • Token method by default
  • mTLS mechanism can be forced

dopey avatar Mar 30 '22 17:03 dopey