I have initialized a new PKI using Here are the outputs:
$ step certificate lint $STEPPATH/certs/root_ca.crt | grep error -B1
"e_ca_country_name_missing": {
"result": "error"
--
"warnings_present": true,
"errors_present": true,
$ step certificate lint $STEPPATH/certs/intermediate_ca.crt | grep error -B1
"e_ca_country_name_missing": {
"result": "error"
--
"e_sub_ca_aia_does_not_contain_ocsp_url": {
"result": "error"
--
"e_sub_ca_aia_missing": {
"result": "error"
--
"e_sub_ca_certificate_policies_missing": {
"result": "error"
--
"e_sub_ca_crl_distribution_points_missing": {
"result": "error"
--
"warnings_present": true,
"errors_present": true,
$ step certificate lint leaf.crt | grep error -B1
"e_dnsname_contains_bare_iana_suffix": {
"result": "error"
--
"e_sub_cert_aia_does_not_contain_ocsp_url": {
"result": "error"
--
"e_sub_cert_aia_missing": {
"result": "error"
--
"e_sub_cert_cert_policy_empty": {
"result": "error"
--
"e_sub_cert_certificate_policies_missing": {
"result": "error"
--
"warnings_present": true,
"errors_present": true,

It would be nice to issue the certificates with no errors/warning messages by default, or at least have some documentation for fixing these expected errors/warning messages.
Hi @MacWeber, the lint functionality is mainly intended for Web PKI, the public web, not an internal one like step-ca is used for. But it is possible to alleviate some of those errors or warnings with templates.

If you create the root and intermediates yourself using `step certificate create` with a template that contains some of the recommended fields like the `subject.country`. Others, like OCSP, are only supported in our commercial offering, but there are ways to convert a CRL that is supported to an OCSP responder, so you can implement those and set the proper template. The CRL is supported for leaf certificates only, but it is not enabled as default, but if enabled, leaf certificates wil…

@maraino thank you for letting me know how to mitigate some of these messages. I will play with the templates once I handle other priorities on my list.
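As an added example (not from the discussion and not one of smallstep's own templates), here is an intermediate-CA template for `step certificate create --template` that sets the fields maraino's reply points at, mapped to the lint errors from the original post. The `pki.example.internal` URLs, the organization and the policy OID are placeholders to replace with your own, and `.Subject.CommonName` is assumed to come from the subject given on the command line.

```json
{{/* Added example, not from the discussion or from smallstep. Replace the
     example.internal URLs, the organization and the policy OID with your own. */}}
{
  "subject": {
    "commonName": "{{ .Subject.CommonName }}",
    {{/* Fixes e_ca_country_name_missing */}}
    "country": "US",
    "organization": "Example Corp"
  },
  "keyUsage": ["certSign", "crlSign"],
  "basicConstraints": {
    "isCA": true,
    "maxPathLen": 0
  },
  {{/* Fixes e_sub_ca_crl_distribution_points_missing; the CRL must actually be
       published at this URL, otherwise relying parties cannot check revocation. */}}
  "crlDistributionPoints": ["http://pki.example.internal/crl/intermediate.crl"],
  {{/* Fixes e_sub_ca_aia_missing. e_sub_ca_aia_does_not_contain_ocsp_url remains
       until an OCSP responder exists; then add "ocspServer": ["http://..."] here. */}}
  "issuingCertificateURL": ["http://pki.example.internal/certs/root_ca.crt"],
  {{/* Fixes e_sub_ca_certificate_policies_missing; anyPolicy (2.5.29.32.0) is only a
       placeholder, use the OID of your own certificate policy. */}}
  "policyIdentifiers": ["2.5.29.32.0"]
}
```

Render it with `step certificate create --template intermediate.tpl --ca root_ca.crt --ca-key root_ca.key "Intermediate CA" intermediate_ca.crt intermediate_ca.key` and then re-run `step certificate lint intermediate_ca.crt` to confirm which of the errors above are gone.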