Intro templates to allow x509 cert flexibility [L] #300

Closed
4 tasks done
sourishkrout opened this issue Jun 24, 2020 · 9 comments · Fixed by #312

Comments

@sourishkrout
Contributor

sourishkrout commented Jun 24, 2020

  • functionality for x509
  • test suite for x509
  • step certificate create --create
  • Incorporate feedback

(cli changes not covered in here)

Breakdown:

  1. Go from CSR/attributes denylist to allowlist for CA
  2. Can we use template as de facto whitelist?
@maraino
Contributor

maraino commented Jun 24, 2020

@mkkeffeler in Gitter requested if it's possible to add extra SANs not present in the CSR. For example, the JWK token can have the SANs foo.bar, foo.zar but the CSR won't have any.
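An added example (not code from this issue or from the step-ca project, and not its template syntax) of the allowlist idea in the breakdown combined with the token-supplied SANs described in the comment above. `sampleCSR` and `fromAllowlist` are hypothetical names, the CSR is constructed, and the rule that any SANs in the CSR must already be in the token is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// sampleCSR builds a constructed CSR that also requests basicConstraints CA:TRUE.
func sampleCSR(dnsNames ...string) (*x509.CertificateRequest, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: "foo.bar", Organization: []string{"Unvetted"}},
		DNSNames: dnsNames,
		// OID 2.5.29.19 with DER for SEQUENCE { BOOLEAN TRUE }
		ExtraExtensions: []pkix.Extension{{Id: []int{2, 5, 29, 19}, Value: []byte{0x30, 3, 1, 1, 0xff}}},
	}, key)
	return x509.ParseCertificateRequest(der)
}

// fromAllowlist (hypothetical helper) copies only the public key and common
// name from the CSR; SANs come from the token, everything else is dropped.
func fromAllowlist(csr *x509.CertificateRequest, tokenSANs []string) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr proof of possession: %w", err)
	}
	allowed := map[string]bool{}
	for _, s := range tokenSANs {
		allowed[s] = true
	}
	for _, n := range csr.DNSNames { // the CSR may repeat token SANs, never add to them
		if !allowed[n] {
			return nil, fmt.Errorf("csr SAN %q not authorized by token", n)
		}
	}
	return &x509.Certificate{
		Subject:   pkix.Name{CommonName: csr.Subject.CommonName},
		PublicKey: csr.PublicKey,
		DNSNames:  tokenSANs,
	}, nil
}

func main() {
	csr, _ := sampleCSR()
	crt, err := fromAllowlist(csr, []string{"foo.bar", "foo.zar"})
	fmt.Println(crt.DNSNames, crt.IsCA, len(crt.ExtraExtensions), err)
}
```

The returned value is the unsigned certificate a CA would then pass to its signer; the CA:TRUE request and the Organization from the CSR never reach it.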

@TheSecMaven
Contributor

This is a must-have that @maraino mentioned because lots of clients don't know how to request SANs easily in their CSRs, so in the spirit of making TLS easier this would be a HUGE feature add.

@TheSecMaven
Contributor

Also related to #45 which was closed in favor of this

@dwchurch

dwchurch commented Jul 6, 2020

This is helpful because we often need to add specific things that our clients don't know to add.

@alogishetty

This would be very helpful to have this!

@nhogan5

nhogan5 commented Jul 6, 2020

We need this too! Would streamline our client on-boarding process tremendously.

@alexw19

alexw19 commented Jul 6, 2020

Would like to see this implemented. Would be very helpful!

@TheSecMaven
Contributor

TheSecMaven commented Jul 10, 2020

An additional use case is for adding EMAIL contacts to ACME certificates. IP and DNS SANs definitely need to be validated against standard ACME protocol, but email contacts should be able to be added to an ACME certificate.

-bash-4.2$ sudo step ca certificate test:10443 foo.crt foo.key --provisioner=my-acme-provisioner --http-listen :10443 --standalone --kty RSA --san testemail@gmail.com
✔ Provisioner: my-acme-provisioner (ACME)
IP Address and Email Address SANs are not supported for ACME flow
-bash-4.2$

@sourishkrout sourishkrout changed the title Intro templates to allow cert flexibility [L] Intro templates to allow x509 cert flexibility [L] Jul 22, 2020
@maraino
Contributor

maraino commented Aug 14, 2020

X.509 templates functionality is currently in the master branch of certificates. The cli part will be there soon.
This will be officially released probably next week with v0.15.0 while ssh-certificates will probably come with v0.15.1
