How to issue a new certificate on AWS EC2 instance that already had a cert issued? #1618

justas200 · 2023-11-13T14:44:27Z

justas200
Nov 13, 2023

Hi!

I am running an EC2 instance that I already have the SSH certificate issued to with the following command:

step ssh certificate $LOCAL_IP /etc/ssh/ssh_host_ecdsa_key.pub \
        --host --sign --provisioner "Amazon Web Services" \
        --principal $LOCAL_IP --principal $LOCAL_HOSTNAME \
        --token $STEP_TOKEN \
        --ca-url $CA_URL \
        --root $(step path)/roots.pem

However I now in the future want to add another principal. To do that I need to issue a new certificate. I have revoked the existing certificate with the command step ssh revoke <serial-number> and tried regenerating with the following commands:

STEP_TOKEN=$(step ca token $LOCAL_IP --ssh --host --provisioner "Amazon Web Services" --ca-url $CA_URL --root $(step path)/roots.pem)

step ssh certificate $LOCAL_IP /etc/ssh/ssh_host_ecdsa_key.pub \
        --host --sign --provisioner "Amazon Web Services" \
        --principal $LOCAL_IP --principal $LOCAL_HOSTNAME --principal $NEW_PRINCIPAL \
        --token $STEP_TOKEN \
        --ca-url $CA_URL \
        --root $(step path)/roots.pem

and I keep getting the error

"error":"authority.Authorize: authority.authorizeSSHSign: token already used"

Can anyone advise me on how I should proceed on issuing a new ssh cert on an ec2 instance that already has had an ssh cert issued in the past?

Answered by tashian

Nov 14, 2023

Because the Instance Identity Document that the AWS provisioner uses to authenticate your host certificate request is located at a URL accessible to anyone on the VM, the IID is treated as a single-use token by the CA when used to sign an SSH host certificate. You wouldn't want any user on your system (or, an attacker) to be able to mint more host certificates using that IID.

So, you'll need to use a different CA provisioner to issue this certificate. Since you're doing it manually, a JWK provisioner would be the simplest option for this. Hope this helps.

View full answer

tashian · 2023-11-14T03:22:56Z

tashian
Nov 14, 2023
Collaborator

Because the Instance Identity Document that the AWS provisioner uses to authenticate your host certificate request is located at a URL accessible to anyone on the VM, the IID is treated as a single-use token by the CA when used to sign an SSH host certificate. You wouldn't want any user on your system (or, an attacker) to be able to mint more host certificates using that IID.

So, you'll need to use a different CA provisioner to issue this certificate. Since you're doing it manually, a JWK provisioner would be the simplest option for this. Hope this helps.

1 reply

maraino Nov 14, 2023
Maintainer

After understanding the security risks, we also have the option of disabling TOFU using the setting disableTrustOnFirstUse set to true.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to issue a new certificate on AWS EC2 instance that already had a cert issued? #1618

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

How to issue a new certificate on AWS EC2 instance that already had a cert issued? #1618

justas200 Nov 13, 2023

Replies: 1 comment · 1 reply

tashian Nov 14, 2023 Collaborator

maraino Nov 14, 2023 Maintainer

justas200
Nov 13, 2023

Replies: 1 comment 1 reply

tashian
Nov 14, 2023
Collaborator

maraino Nov 14, 2023
Maintainer