[Bug]: v0.25.0 causes error (error reading <kms_id/alias>: no such file or directory) when signing intermediate CA certificate w/ AWS KMS #1041

Closed
ianhundere opened this issue Oct 18, 2023 · 3 comments
ianhundere commented Oct 18, 2023

Steps to Reproduce

We are currently using 0.24.4 of step-cli because there's an issue with v0.25.0 that causes the following error when trying to sign an intermediate CA certificate:

error reading <kms_id/alias>: no such file or directory

^ example of command being run:
step certificate create --template intermediate.tpl --not-after 876000h --kms 'awskms:region=us-east-1' --ca root_ca.crt --ca-key 'awskms:key-id=alias/<root_ca_kms_alias>' --key 'awskms:key-id=alias/<intermediate_ca_kms_alias>' "Intermediate CA" intermediate_ca.crt

Your Environment

  • OS - macOS 14.0 (23A344)
  • step CLI Version - v0.25.0

Expected Behavior

output should be Your certificate has been saved in intermediate_ca.crt.

Actual Behavior

error reading <kms_id/alias>: no such file or directory

Additional Context

intermediate.tpl

{
  "subject": {
    "commonName": "test"
  },
  "issuer": {
    "commonName": "test"
  },
  "keyUsage": [
    "certSign",
    "crlSign"
  ],
  "extKeyUsage": [
    "CodeSigning"
  ],
  "basicConstraints": {
    "isCA": true,
    "maxPathLen": 0
  }
}

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@ianhundere ianhundere added bug needs triage Waiting for discussion / prioritization by team labels Oct 18, 2023
@hslatman hslatman added this to the v0.25.1 milestone Oct 24, 2023
Collaborator

maraino commented Oct 25, 2023

Hi @ianhundere, the problem here is that this version introduced the --ca-kms flag (PR #942) to allow cross-kms signs, and it is required if your CA key is in a KMS.

This command should work:

step certificate create --template intermediate.tpl --not-after 876000h \
  --kms 'awskms:region=us-east-1' \
  --ca-kms 'awskms:region=us-east-1' \
  --ca root_ca.crt --ca-key 'awskms:key-id=alias/<root_ca_kms_alias>' \
  --key 'awskms:key-id=alias/<intermediate_ca_kms_alias>' \
  "Intermediate CA" intermediate_ca.crt

@maraino maraino closed this as completed Oct 25, 2023
@maraino maraino removed the needs triage Waiting for discussion / prioritization by team label Oct 25, 2023
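
A pre-flight check for scripts that call step certificate create, as an added example that is not part of the original thread or the step project's code: it rejects an argument list whose --ca-key is a KMS URI when --ca-kms is missing, the condition described above for v0.25.0. The function names and the KMS_SCHEMES variable are hypothetical, and only the awskms: scheme shown in this issue is matched by default.

```shell
#!/bin/sh
# Added example: lint the arguments of `step certificate create` before running it.
# KMS_SCHEMES is a hypothetical knob (space-separated URI schemes); the default
# covers only "awskms", the scheme that appears in this issue.
KMS_SCHEMES="${KMS_SCHEMES:-awskms}"

# is_kms_uri VALUE: succeeds when VALUE starts with "<scheme>:" for a listed scheme.
is_kms_uri() {
  for scheme in $KMS_SCHEMES; do
    case "$1" in
      "$scheme":*) return 0 ;;
    esac
  done
  return 1
}

# check_ca_kms ARGS...: returns 1 when --ca-key is a KMS URI and --ca-kms is
# absent or empty, 0 otherwise. Accepts "--flag value" and "--flag=value".
check_ca_kms() {
  ca_key=""
  ca_kms=""
  while [ "$#" -gt 0 ]; do
    case "$1" in
      --ca-key=*) ca_key="${1#--ca-key=}" ;;
      --ca-key)   if [ "$#" -ge 2 ]; then ca_key="$2"; shift; fi ;;
      --ca-kms=*) ca_kms="${1#--ca-kms=}" ;;
      --ca-kms)   if [ "$#" -ge 2 ]; then ca_kms="$2"; shift; fi ;;
    esac
    shift
  done
  if is_kms_uri "$ca_key" && [ -z "$ca_kms" ]; then
    echo "lint: --ca-key '$ca_key' is a KMS URI but --ca-kms is not set" >&2
    return 1
  fi
  return 0
}

# Constructed demo: the invocation from the report, with placeholder aliases.
check_ca_kms certificate create --template intermediate.tpl \
  --kms 'awskms:region=us-east-1' --ca root_ca.crt \
  --ca-key 'awskms:key-id=alias/ROOT_ALIAS_PLACEHOLDER' \
  --key 'awskms:key-id=alias/INTERMEDIATE_ALIAS_PLACEHOLDER' \
  "Intermediate CA" intermediate_ca.crt \
  || echo "blocked before calling step"
```

In a wrapper script the check can gate the real call, for example `check_ca_kms "$@" && step "$@"`.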
@ianhundere
Author

@maraino ah, sorry for the oversight / thanks for pointing that out.

Collaborator

maraino commented Oct 25, 2023

Don't worry, we don't have an easy way to announce those breaking changes.
