This repository has been archived by the owner on Oct 10, 2022. It is now read-only.

How to get root_ca, intermediates, fingerprint? #3

Open
chilcano opened this issue Feb 15, 2021 · 4 comments

Comments

@chilcano

Hi there,
I've run through this PoC and I've already deployed it on AWS, and now I would like to explore the app. I haven't had problems using Chrome/Firefox to browse https://web.emojivoto.local. In fact, I got the NET::ERR_CERT_AUTHORITY_INVALID alert as expected. But now I want to use cURL and the step CLI; however, I think there are some missing previous steps.

In order to use curl, the browser and the step CLI we need the root and intermediate certs. How do I get them?
According to the Quickstart - Step 6 (Get the root certificate from Step CA), executing step ca root root.crt is enough, but it isn't. Then I tried to obtain them through the step CLI with --ca-url; however, the --fingerprint param is also needed. What are these values, and how do I get them?

ubuntu@ca:~$ step ca root root_ca.crt --ca-url https://localhost:443
'step ca root' requires the '--fingerprint' flag

The /usr/local/lib/step/config/ca.json shows the path for these certs. Is using the ca.json the right way to get them?

Hope you can help me.
Regards.

@mmalone

mmalone commented Feb 15, 2021

You can run step certificate fingerprint ~/.step/certs/root_ca.crt on your CA to get the fingerprint. Hope this helps!

@chilcano

Thanks @mmalone
If I have access to the CA host, I could already download the root_ca.crt directly, and then running step ca root root_ca.crt --ca-url https://localhost:443 --fingerprint xxxxx is no longer necessary.
Are the certificates (root and intermediates) available to download from a public area/page/URL of the CA, like other CAs do (EJBCA, DogTag, CFSSL, ...)?

Kind regards.

@chilcano chilcano reopened this Feb 16, 2021
@mmalone

mmalone commented Feb 16, 2021

Yes, you can download the certificate from https://<ca-url>/root/<root-fingerprint>. The idea is that you'll hardcode the CA fingerprint in the clients. The fingerprint is used to verify that you've downloaded the expected root CA cert. It's a security feature.

The easiest way to download the root cert on a client is to use the step CLI:

step ca root root_ca.crt --ca-url https://<ca-url> --fingerprint <fingerprint>

This does a couple things:

  1. Downloads the root cert using TLS with certificate validation disabled
  2. Computes a fingerprint for the downloaded cert & checks it against the provided fingerprint
  3. Runs certificate validation for the leaf cert from the TLS connection in step 1

It's a secure root download function.

We've also started building a mechanism for securely downloading the root certificate by bootstrapping off of a publicly trusted web PKI certificate. We use this for step ssh config but it hasn't made its way into the step ca command group yet.

If other CAs do this some other way that you like better I'd be curious to learn more.

@chilcano

Thanks @mmalone.
I'm going to run a workshop using this repo (step-aws-emojivoto) for multiple users (> 10) and need to tweak the Terraform code and improve the information to make it easier for them.
I appreciate your answer. This information is useful to accomplish that.
Kind regards.
