Add Option to specify Provisioner Key locally #57

Open
FrediWeber opened this issue Jan 5, 2023 · 2 comments

Comments

@FrediWeber

The step-ca documentation specifies that it is possible to use the JWK provisioner without the encryptedKey specified in ca.json; the user / system that wants to provision a certificate then needs to specify the key instead of just the password for the encryptedKey.
https://smallstep.com/docs/step-ca/provisioners#jwk

encryptedKey*: is the encrypted private key used to sign a token. It's a JWE compact string containing the JWK representation of the private key. This value is not necessary for CA operation, but is provided for the convenience of clients. Without the encryptedKey attribute, the private key must be provided by the client, using the --key flag.

Even though it should not pose a security risk to have the encryptedKey exposed in the /provisioner endpoint (because of the really strong encryption), it would be nice if there were a possibility to configure the provisioner with the key on the step-issuer side.

It should be possible to specify the actual key, and not just the password for the key, in the same secret, and to specify the secret key in the provisioner config.
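As an added illustration of the trade-off described above (not code from step-ca or step-issuer): the script parses a constructed ca.json fragment and reports, for each JWK provisioner, whether its encryptedKey (the password-wrapped private key) is embedded in the CA config and therefore handed out to whoever lists provisioners, and which password-based parameters protect it. The provisioner names, kids, salt and iteration count are constructed sample values, and the header assumes step's PBES2-HS256+A128KW / A256GCM wrapping.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


# Constructed stand-in for the JWE compact string step stores in encryptedKey:
# a realistic protected header (PBES2 password wrapping, salt, iteration count)
# followed by dummy segments for the wrapped key, IV, ciphertext and tag.
_FAKE_HEADER = {"alg": "PBES2-HS256+A128KW", "enc": "A256GCM", "cty": "jwk+json",
                "p2s": b64url_encode(b"constructed-salt"), "p2c": 600000}
FAKE_ENCRYPTED_KEY = ".".join([b64url_encode(json.dumps(_FAKE_HEADER).encode())]
                              + [b64url_encode(b"x")] * 4)

# Constructed ca.json fragment: one JWK provisioner ships its encryptedKey,
# the other relies on the client holding the key (the --key flag case).
SAMPLE_CA_JSON = json.dumps({"authority": {"provisioners": [
    {"type": "JWK", "name": "example-jwk", "encryptedKey": FAKE_ENCRYPTED_KEY,
     "key": {"kty": "EC", "crv": "P-256", "kid": "constructed-kid-1"}},
    {"type": "JWK", "name": "client-held-key",
     "key": {"kty": "EC", "crv": "P-256", "kid": "constructed-kid-2"}},
    {"type": "ACME", "name": "acme"},
]}})


def jwe_protected_header(compact: str) -> dict:
    """Parse the protected header of a JWE compact serialization (5 segments)."""
    parts = compact.split(".")
    if len(parts) != 5:
        raise ValueError("not a JWE compact serialization")
    return json.loads(b64url_decode(parts[0]))


def audit_jwk_provisioners(ca_json_text: str) -> list:
    """For each JWK provisioner, report whether the private key material is
    embedded in ca.json (and so served with the provisioner listing) and, if
    so, which password-based algorithm and iteration count protect it."""
    report = []
    for prov in json.loads(ca_json_text)["authority"]["provisioners"]:
        if prov.get("type") != "JWK":
            continue
        entry = {"name": prov["name"], "key_served_by_ca": "encryptedKey" in prov}
        if entry["key_served_by_ca"]:
            hdr = jwe_protected_header(prov["encryptedKey"])
            entry.update(alg=hdr.get("alg"), enc=hdr.get("enc"), p2c=hdr.get("p2c"))
        report.append(entry)
    return report
```

A low p2c or an unexpected alg in the report is the thing to look at before deciding that serving the encryptedKey is acceptable.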

@dopey (Contributor) commented Jan 6, 2023

Hey @FrediWeber 👋. Thanks for opening the issue!

I believe this is already possible. When adding a JWK provisioner try doing step ca provisioner add with only the --public-key. Or, for an already created provisioner you can do step ca provisioner update example-jwk --private-key="".

Let me know if those options work for you.

@FrediWeber (Author) commented

Hi @dopey
Thank you very much for the quick response. It is possible on the step-certificate (step-ca) side to omit the encryptedKey but AFAIK not on the step-issuer side inside the Kubernetes cluster.
So when I'm not configuring the encryptedKey in the provisioner config on the step-ca, I should have to configure it on the client side (step-issuer) inside the Kubernetes cluster. Looking at the code and the CRDs of the issuer config, I can't see how I would do that. I'm just able to provide a password for the encryptedKey.
We're using the step-issuer in the Kubernetes cluster only as a cert-manager extension/plugin to provision new certificates signed by a step-ca running outside the cluster.
