Fix issues with Vault RA mode instructions

smallstep · Sep 21, 2023 · 60291ad · 60291ad
1 parent 69f0386
commit 60291ad
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/step-ca/registration-authority-ra-mode.mdx b/step-ca/registration-authority-ra-mode.mdx
@@ -521,7 +521,7 @@ Run:
 
 ```bash
 VAULT_URI=http://127.0.0.1:8200
-VAULT_CA_FINGERPRINT=$(step certificate fingerprint `step path`/certs/root_ca.crt)
+VAULT_CA_FINGERPRINT=$(step certificate fingerprint root_ca.crt)
 cat <<< $(jq --arg vault_role_id "$VAULT_ROLE_ID" \
             --arg vault_secret_id "$VAULT_SECRET_ID" \
             --arg vault_uri "$VAULT_URI" \
@@ -581,6 +581,17 @@ Here are the `config` options for `vaultcas` authorities:
 
   - **tokenPath**: [authType=`kubernetes`] the path to a token used to authenticate (default to the service account token path in a k8s pod)
 
+Finally, remove the `"root"`, `"key"`, and `"crt"` values from your `$(step path)/config/ca.json`, and the associated files. These are generated by `step ca init` but are not used by RA servers.
+
+Run:
+
+```
+cat <<< $(jq 'del(.key, .crt, .root)' `step path`/config/ca.json) > $(step path)/config/ca.json
+rm $(step path)/certs/root_ca.crt $(step path)/certs/intermediate_ca.crt $(step path)/secrets/intermediate_ca_key
+```
+
+Your RA server will read your root from Vault when it starts up.
+
 #### 6. Start your RA server
 
 ```bash