Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for --admin-kms in step ca provisioner subcommands #1250

Open
tashian opened this issue Aug 5, 2024 · 3 comments
Open

Support for --admin-kms in step ca provisioner subcommands #1250

tashian opened this issue Aug 5, 2024 · 3 comments
Assignees
@maraino
Labels
enhancement roadmap
Milestone
Backlog

Comments

@tashian
Copy link
Contributor

tashian commented Aug 5, 2024
edited
Loading

For CA administrative functions, it would be nice to be able to use a KMS-bound key.

This enables a flow where a YubiKey could be used to admin the CA, using an admin cert acquired via ACME DA.
@tashian tashian added enhancement needs triage Waiting for discussion / prioritization by team labels Aug 5, 2024
@hslatman hslatman added roadmap and removed needs triage Waiting for discussion / prioritization by team labels Aug 6, 2024
@hslatman hslatman added this to the Backlog milestone Aug 6, 2024
@andsens
Copy link

andsens commented Nov 15, 2024
edited
Loading

If I understand your request correctly this is already possible by using an x5c key and certificate as provisioner credentials that point to the yubikey with a kms url.

@hslatman
Copy link
Member

I believe what @tashian wants is to be able to use a KMS URI instead of specifying the credentials from disk for administrative operations that require our ca.AdminClient: https://github.com/smallstep/cli/blob/master/utils/cautils/client.go#L99-L197. At the moment it assumes the cert/key are always read from disk.

@andsens
Copy link

andsens commented Nov 15, 2024
edited
Loading

Oh, in that case I have the exact same issue. Thing is, when using kms backed keys (tpm in my case), step ca token --ssh|--revoke|--rekey work, but step ca token --renew does not. Neither does step ca renew:
image

Nevermind. I misunderstood the issue. Created a separate one here #1314

@hslatman hslatman assigned hslatman and maraino and unassigned hslatman Nov 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maraino maraino

Labels
enhancement roadmap
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
4 participants
@tashian @andsens @maraino @hslatman