-
Notifications
You must be signed in to change notification settings - Fork 441
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ability to have multiple Intermediate Certs #186
Comments
Related: smallstep/cli#213 |
Duplicate / Related to #87. |
Yes. Being able to select the intermediate (or rather chain of intermediates to be able to ship it with the issued leaf if I understood #440 correctly) a provisioner uses would be nice. |
Unfortunately I can't find any doc on how to use #440 functionality. |
As far as I can tell, #440 is only about having multiple intermediates in a single chain, not about having multiple/per-provisioner chains (which is this issue). |
@voanhduy1512 @AluisioASG is correct. #440 allows |
So just to confirm I understand this right, the ability to sign certs with one subordinate CA for a provisioner, and a different subordinate CA for another provisioner, is not currently possible? Any thoughts as to how that would be enabled, if someone was able to work on it? |
Hey Miclain, Correct. That's not currently possible. Hypothetically, I could see the intermediate signing key / certificate configured on a per-provisioner basis. Practically, there are a bunch of little complications & details that need to be sorted out to get that to work. It needs to be done in a way that doesn't complicate the user experience for more typical use cases. I think we'd need a thorough design document that we could stare at before we can even size this one. At the moment, it's not on the top of the priority list. Internally, we have a piece of technology that runs many instances of I encourage anyone in the community who wants this feature implemented to express interest here by giving the issue a thumbs up or, even better, responding with a brief description of their use case / requirements to help us prioritize. |
Thanks for the thoughts. I agree that this certainly wouldn't be the normal, to me it seems like an "override" because you are saying you want to use a specific signing authority for this provisioner, but not others. I took a swag at getting this working, and it looks somewhat low code. The idea is simple, provide options in the provisioner that allow one to override the signing CA for that provisioner only. Otherwise, use the default signing authority used everywhere else. For my example, this looked like
Where the special sauce is Works like a charm for me with the simplest use case (signing a cert with JWK), obviously would still need to flesh out renew/revoke and others if the method outlined above was acceptable. Would love thoughts on the idea, and whether people think it keeps the use case simple. Very rough just to prove the use case, but here was the hardest part where IF an override was defined, we have to create the new key manager on the fly https://github.com/mkkeffeler/certificates/blob/byProvisionerSigningAuthority/cas/softcas/softcas.go#L77 |
My reluctance with accepting file params for an alternative signer is that we'll be opening ourselves up to accept all the different signer types that we accept for the intermediate key. The intermediate key can be delivered as a file on disk, cloud HSM, physical HSM ... I assume that if we're going to support an alternative signer per provisioner then it needs to be a first class citizen and support all the existing signer types. |
Yea, we'd definitely want to support the different signer types. As an MVP, I get what you did here. This does look like the lightest-weight thing that could be done to deliver the core functionality you're after. But, in this case, that's the easy part. I'm more concerned about how this would interact with things like renewal ( I don't think there are any dealbreakers in all of this... there's just a lot of little stuff. Enough little stuff that I wonder whether it'd be better / easier to understand to just have two authorities. FYI, we do have some ongoing work around "contexts", which let you configure the CLI to connect to multiple authorities and switch between them more naturally (e.g., you can run |
Will this be implemented? Now, there is no way to sign CSR with different intermediate certs. |
Hi @sergeysedoy97, this feature is not on our short-term road map. The current best option is to run a CA for each intermediate. It's now easier to manage this on the client side, since the the |
@tashian could I run one
There is |
@sergeysedoy97 You'd need to run multiple instances of |
This would be super useful in securing access to a Kubernetes cluster when combined with kube-apiserver X.509 client certificates ( |
It would be handy to have an easy way of generating intermediate certificates after the ca init step and then choose which one to sign with when generating certs (maybe by provisioner).
Not everything can do online renewal and obey the standards enforced so having a shorter lived intermediate for signing this legacy stuff would be super useful. A lot of devices also don't support the proper cert chain so I'm having to distribute the intermediate cert with the root cert to clients and I'd rather keep that separate from the intermediate doing online provisioning.
The text was updated successfully, but these errors were encountered: