step-ca EAB auto-issuance failure and unclear EAB validation behavior #469
Unanswered
kimhanbeom asked this question in Q&A
Replies: 0 comments
What I observed
EAB auto-issuance fails during `bootroot init` and `bootroot rotate eab`:

```
OpenBao root token: [token value]
Rotate ACME EAB credentials? [y/N]: y
bootroot rotate failed
details: Automatic EAB issuance failed
```

ACME endpoint behavior in step-ca
→ It seems that the EAB endpoint itself is not available.
Attempt to create EAB key via step-ca CLI
Result:
```
error creating ACME EAB key: this functionality is currently only available in Certificate Manager
```

→ It appears that EAB key creation is not supported in the OSS version.
Runtime behavior verification
Set arbitrary EAB values in `agent.toml` and ran `bootroot-agent`
→ cert and keys were still issued successfully, which suggests that EAB values are not being validated in this flow.
Findings from documentation
From the official documentation and blog posts, it seems that EAB is not supported in step-ca OSS:
→ "This feature is available in Smallstep's commercial CA software."
→ "No support for ACME External Account Binding (EAB)"
→ "Our open source step ca certificate authority offering does not support EAB. EAB is for more advanced ACME use cases, and is only supported in our commercial offering"
Question
Based on the behavior above and Smallstep’s documentation, is it correct that bootroot currently cannot auto-issue ACME EAB credentials with step-ca OSS?
If this understanding is correct, it seems that one of the following approaches could be taken:
(1) disable or fail-fast the EAB auto-issuance path for this backend
(2) keep it but clearly document that EAB requires Smallstep Certificate Manager.
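One way to implement the fail-fast option (1) above, as an added example that is not bootroot's or step-ca's own code: before running the EAB auto-issuance path, inspect the CA's ACME directory and refuse to proceed when EAB credentials are configured but the CA does not advertise `meta.externalAccountRequired` (which is exactly the situation where the values would be silently ignored, as observed). The directory documents and the `eabConfig` field names are constructed assumptions, not the real `agent.toml` schema.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample ACME directory documents (not captured from a real CA).
const ossDirectoryJSON = `{"newAccount":"https://ca.example.test/acme/acme/new-account","meta":{}}`
const eabDirectoryJSON = `{"newAccount":"https://ca.example.test/acme/acme/new-account","meta":{"externalAccountRequired":true}}`

// acmeDirectory is the subset of the ACME directory object (RFC 8555 §7.1.1) needed here.
type acmeDirectory struct {
	NewAccount string `json:"newAccount"`
	Meta       struct {
		ExternalAccountRequired bool `json:"externalAccountRequired"`
	} `json:"meta"`
}

// eabConfig stands in for the agent's EAB settings; field names are assumed, not bootroot's.
type eabConfig struct {
	KeyID   string
	HMACKey string
}

// checkEABPath fails fast when EAB credentials are configured but the CA does not
// require EAB (the CA would accept the account without validating them), and also
// when the CA requires EAB but nothing is configured.
func checkEABPath(directoryJSON []byte, cfg eabConfig) error {
	var dir acmeDirectory
	if err := json.Unmarshal(directoryJSON, &dir); err != nil {
		return fmt.Errorf("parse ACME directory: %w", err)
	}
	configured := cfg.KeyID != "" || cfg.HMACKey != ""
	switch {
	case configured && !dir.Meta.ExternalAccountRequired:
		return errors.New("EAB credentials configured but CA does not require EAB; they would not be validated")
	case !configured && dir.Meta.ExternalAccountRequired:
		return errors.New("CA requires EAB but no EAB credentials are configured")
	}
	return nil
}

func main() {
	cfg := eabConfig{KeyID: "kid-example", HMACKey: "c2VjcmV0"} // constructed values
	fmt.Println("OSS-style directory:", checkEABPath([]byte(ossDirectoryJSON), cfg))
	fmt.Println("EAB directory:", checkEABPath([]byte(eabDirectoryJSON), cfg))
}
```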