- By default, the `X5C` provisioner will issue a certificates for
any Subject names.
- If you want to limit or modify the subject names this provisioner will issue,
+ By default, the `X5C` provisioner will issue certificates for
any Subject names.
+ If you wish to restrict or modify the subject names that this provisioner can issue,
you can use a
certificate template.
For example, say your users will use the X5C provisioner to exchange an X.509 client certificate for an SSH user certificate.
@@ -823,9 +828,11 @@ with the `name` or any of the `ips` appearing on the Nebula client certificate.
To be clear, Nebula certificates can contain a single `name` and a list of `ips`.
The `name` field is often a DNS hostname, but it could be an email, IP, or URI.
And `ips` contains a list of CIDR blocks.
+
In `step-ca`, the Nebula provisioner will authorize certificate subjects or SANs
that include the `name`, plus IPs in any of the CIDR blocks in `ips` on the Nebula certificate.
+#### Create a Nebula Provisioner
To create a Nebula provisioner, run:
```shell
@@ -847,7 +854,7 @@ step ca certificate host3.example.com host3.crt host3.key \
### SSHPOP - SSH Certificate
An SSHPOP provisioner allows a client to renew, revoke, or rekey an SSH
-certificate using that certificate for authentication with the CA.
+certificate using same SSH certificate for authentication with the CA.
However, the renew and rekey operations are limited to SSH host certificates only.
An SSHPOP provisioner is configured with the user and host root ssh certificates
@@ -860,16 +867,15 @@ header that contains the SSH certificate.
When configured with the `--ssh` option (i.e, `step ca init --ssh`),
the CA will contain a default SSHPOP provisioner named `sshpop`.
-#### Example: Add an SSHPOP provisioner:
+#### Create an SSHPOP provisioner:
To create an SSHPOP provisioner, run:
-
```shell
step ca provisioner add sshpop --type SSHPOP
```
-An example SSHPOP provisioner in `ca.json`:
+Here's an example SSHPOP provisioner in `ca.json`:
```json
...
@@ -886,6 +892,7 @@ An example SSHPOP provisioner in `ca.json`:
}
}
```
+And, here's what each property stands for:
* **type**: indicates the provisioner type and must be `SSHPOP`.
@@ -917,7 +924,7 @@ and client certificates via the `device-attest-01` challenge type.
The ACME provisioner in `step-ca` supports issuing X.509 certificates using IP, hostname, and device identifiers.
-#### Example: Add an ACME provisioner
+#### Create an ACME provisioner
To add an ACME provisioner:
@@ -959,6 +966,8 @@ An example of an ACME provisioner in the `ca.json`:
}
```
+And, here's what each property stands for:
+
* **type**: indicates the provisioner type and must be `ACME`.
* **name**: a string used to identify the provider when the CLI is
@@ -1084,7 +1093,9 @@ and clients are authenticated to the CA using a shared secret.
#### Requirements
-Your CA must use an RSA intermediate CA, even if your client supports ECDSA.
+To create a SCEP provisioner on your CA,
+your CA must use an RSA intermediate CA,
+even if your client supports ECDSA.
The RSA intermediate is used to decrypt the contents of the SCEP `pkcsPKIEnvelope` containing the certificate request.
This operation cannot be performed using an ECDSA key.
@@ -1126,15 +1137,19 @@ Here's an example of a SCEP provisioner in `$(step path)/config/ca.json`:
}
```
-- The `forceCN` parameter is optional.
-It behaves the same as `forceCN` in the ACME provisioner, and it defaults to false.
-- `challenge` is the secret shared between the provisioner and SCEP clients. By default no secret is used.
-- The `minimumPublicKeyLength` parameter can be used to set the minimum length of public keys submitted by a client. Defaults to 2048.
-- When `includeRoot` is set to true, the root CA certificate will be returned in responses to `GetCACert` requests in addition to the intermediate CA certificate. This option was added to support a specific use case for the macOS SCEP client (see [certificates#746](https://github.com/smallstep/certificates/issues/746) for more details). Defaults to false.
-- The `encryptionAlgorithmIdentifier` parameter can be used to change the [encryption algorithm](https://github.com/smallstep/pkcs7/blob/33d05740a3526e382af6395d3513e73d4e66d1cb/encrypt.go#L63) used for encrypting the request content. Defaults to 0: `DES-CBC` for legacy compatibility.
+And, here's what each property stands for:
-If you don't want to rely on a single, static secret, you can [configure a `SCEPCHALLENGE` webhook](./webhooks.mdx#x509-request-body) instead.
-When a SCEP client requests a certificate, the webhook server will receive a request with the `scepChallenge` and `scepTransactionID` properties from the SCEP request.
+- **`forceCN`**: parameter is optional.
+It behaves the same as `forceCN` in the ACME provisioner, and it defaults to false.
+- **`challenge`**: is the secret shared between the provisioner and SCEP clients. By default no secret is used.
+- **`minimumPublicKeyLength`**: parameter can be used to set the minimum length of public keys submitted by a client. Defaults to 2048.
+- **`includeRoot`**: is set to true, the root CA certificate will be returned in responses to `GetCACert` requests in addition to the intermediate CA certificate. This option was added to support a specific use case for the macOS SCEP client (see [certificates#746](https://github.com/smallstep/certificates/issues/746) for more details). Defaults to false.
+- **`encryptionAlgorithmIdentifier`**: parameter can be used to change the [encryption algorithm](https://github.com/smallstep/pkcs7/blob/33d05740a3526e382af6395d3513e73d4e66d1cb/encrypt.go#L63) used for encrypting the request content. Defaults to 0: `DES-CBC` for legacy compatibility.
+
+If you don't want to rely on a single, static secret,
+you can [configure a `SCEPCHALLENGE` webhook](./webhooks.mdx#x509-request-body) instead.
+When a SCEP client requests a certificate,
+the webhook server will receive a request with the `scepChallenge` and `scepTransactionID` properties from the SCEP request.
The webhook server can then decide if the request is allowed or not.
#### Enable the HTTP Server
@@ -1164,27 +1179,28 @@ A K8sSA provisioner allows a client to request a certificate from the server
using a Kubernetes Service Account Token.
As of the time when this provisioner was coded, the Kubernetes Service Account
-API for retrieving the token from a running instance was still in beta. Therefore,
+API for retrieving a token from a running instance was still in beta. Therefore,
our K8sSA provisioner must be configured with the public key that will be used
to validate K8sSA tokens.
-K8sSA tokens are very minimal. There is no place for SANs, or other details that
-a user may want validated in a CSR. It is essentially a bearer token. Therefore,
-at this time a K8sSA token can be used to sign a CSR with any SANs. Said
-differently, the **K8sSA provisioner does little to no validation on the CSR
+K8sSA (Kubernetes Service Account) tokens can only hold very minimal information,
+and do not provide a place to specify SANs or other details
+that users may want validated in a Certificate Signing Request (CSR).
+This means that a K8sSA token can be used to sign a CSR with any SANs,
+as the **K8sSA provisioner does little to no validation on the CSR
before signing it**. You should only configure and use this provisioner if you
know what you are doing. If a malicious user obtains the private key they will
-be able to create certificates with any SANs and Subject.
+be able to create certificates with any SANs or Subject.
-#### Example
+#### Create a K8sSA provisioner
-Add a K8sSA provsioner:
+To add a K8sSA provsioner, run:
```shell
step ca provisioner add my-kube-provisioner --type K8sSA --pem-keys key.pub
```
-An example of a K8sSA provisioner in the `ca.json`:
+Here's an example of a K8sSA provisioner in the `ca.json`:
```json
...
@@ -1203,6 +1219,7 @@ An example of a K8sSA provisioner in the `ca.json`:
}
}
```
+And, here's what each property stands for:
* **type**: indicates the provisioner type and must be `K8sSA`.
@@ -1221,8 +1238,10 @@ see the [claims](configuration.mdx#claims) section for all the options.
## Cloud Provisioners
-`step-ca` can be configured to use instance identity documents (IIDs) to authorize certificate signing requests from cloud VMs running on AWS, GCP, or Azure.
-IIDs are signed JSON tokens, created when the instance is launched, and made available via the instance metadata API.
+`step-ca` can be configured to use instance identity documents (IIDs)
+to authorize certificate signing requests from cloud VMs running on AWS, GCP, or Azure.
+IIDs are signed JSON tokens, created when the instance is launched,
+and made available via the instance metadata API.
Here's the contents of an example IID from AWS:
@@ -1308,7 +1327,7 @@ The [`step`](https://github.com/smallstep/cli) CLI will generate a custom JWT
token containing the instance identity document and its signature and the CA
will grant a certificate after validating it.
-#### Example
+#### Create an AWS Provisioner
Find your AWS [account ID](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html) to restrict access to our VMs:
@@ -1342,6 +1361,8 @@ In the `ca.json`, an AWS provisioner looks like:
}
```
+And, here's what each property stands for:
+
- **type**: indicates the provisioner type and must be `AWS`.
- **name**: a string used to identify the provider when the CLI is
@@ -1375,7 +1396,7 @@ The GCP provisioner grants certificates to Google Compute Engine instance using
its [identity](https://cloud.google.com/compute/docs/instances/verifying-instance-identity)
token. The CA will validate the JWT and grant a certificate.
-#### Example
+#### Create a GCP Provisioner
On the host running `step-ca`, add an GCP provisioner to your configuration by running:
@@ -1409,6 +1430,8 @@ In the `ca.json`, a GCP provisioner looks like:
}
```
+And, here's what each property stands for:
+
- **type**: indicates the provisioner type and must be `GCP`.
- **name**: a string used to identify the provider when the CLI is used.
@@ -1446,7 +1469,7 @@ The Azure provisioner grants certificates to Microsoft Azure instances using
the [managed identities tokens](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token).
The CA will validate the JWT and grant a certificate.
-#### Example
+#### Create an Azure Provisioner
On the host running `step-ca`, add an Azure provisioner to your configuration by running:
@@ -1479,6 +1502,8 @@ In the `ca.json`, an Azure provisioner looks like:
}
```
+And, here's what each property stands for:
+
- **type**: indicates the provisioner type and must be `Azure`.
- **name**: a string used to identify the provider when the CLI is used.
From efd82d9ac31a313db312b4fcc77f48f77051a79c Mon Sep 17 00:00:00 2001
From: Linda Ikechukwu <32891838+Linda-Ikechukwu@users.noreply.github.com>
Date: Thu, 25 May 2023 13:50:33 +0100
Subject: [PATCH 3/7] Update step-ca/provisioners.mdx
Co-authored-by: Carl Tashian
---
step-ca/provisioners.mdx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/step-ca/provisioners.mdx b/step-ca/provisioners.mdx
index 3e948643..426ac853 100644
--- a/step-ca/provisioners.mdx
+++ b/step-ca/provisioners.mdx
@@ -75,7 +75,7 @@ and can be configured in the OIDC provisione
To illustrate how to interpret this table, let's take the `JWK` and `SSHPOP` provisioner.
A `JWK` provisioner _can_ sign, renew, and revoke X.509 certificates, as well as sign user and host SSH certificates.
-However, it _cannot_ renew or rekey SSH certificates.
+However, it _cannot_ renew SSH user certificates.
On the other hand, an `SSHPOP` provisioner _can_ revoke and rekey SSH certificates
and renew SSH host certificates.
From 2736735530d37620a26ad15148483ae35c372e5f Mon Sep 17 00:00:00 2001
From: Linda Ikechukwu <32891838+Linda-Ikechukwu@users.noreply.github.com>
Date: Thu, 25 May 2023 15:21:46 +0100
Subject: [PATCH 4/7] Update step-ca/provisioners.mdx
Co-authored-by: Carl Tashian
---
step-ca/provisioners.mdx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/step-ca/provisioners.mdx b/step-ca/provisioners.mdx
index 426ac853..dccb96eb 100644
--- a/step-ca/provisioners.mdx
+++ b/step-ca/provisioners.mdx
@@ -260,7 +260,7 @@ An administrator is just a subject name and a provisioner name.
You can authenticate as an administrator via the authentication scheme of the provisioner.
For example, for the default JWK provisioner, running administrative commands in `step` will prompt for the provisioner password.
-***Tip: Single Sign-On (SS0) can be used for Admin users.***
+***Tip: Single Sign-On (SSO) can be used for Admin users.***
To enable CA administration via SSO, follow these steps:
1. Add an [OIDC provisioner](#oauthoidc-single-sign-on) linked to your identity provider.
From 0b05934318db8758650f6e40d3299d2eb154f2b8 Mon Sep 17 00:00:00 2001
From: Linda Ikechukwu <32891838+Linda-Ikechukwu@users.noreply.github.com>
Date: Thu, 25 May 2023 15:22:05 +0100
Subject: [PATCH 5/7] Update step-ca/provisioners.mdx
Co-authored-by: Carl Tashian
---
step-ca/provisioners.mdx | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/step-ca/provisioners.mdx b/step-ca/provisioners.mdx
index dccb96eb..640fcf3e 100644
--- a/step-ca/provisioners.mdx
+++ b/step-ca/provisioners.mdx
@@ -1085,8 +1085,8 @@ To get a client certificate for a hardware-bound private key on your YubiKey:
The SCEP provisioner can sign and renew certificates
using the Simple Certificate Enrollment Protocol SCEP protocol (SCEP) ([RFC8894](https://datatracker.ietf.org/doc/html/rfc8894)).
-SCEP is popularly used for certificate management,
-particularly in network equipment and mobile device management (MDM).
+SCEP is commonly used for certificate management
+in network equipment and mobile device management (MDM).
It runs over HTTP and uses POSTed binary data or base64-encoded GET parameters,
with CMS (PKCS#7) and CSR (PKCS#10) data formats,
and clients are authenticated to the CA using a shared secret.
From 717283928f78b2f4c993cddb2732659104abbb1b Mon Sep 17 00:00:00 2001
From: Linda Ikechukwu <32891838+Linda-Ikechukwu@users.noreply.github.com>
Date: Thu, 25 May 2023 15:55:39 +0100
Subject: [PATCH 6/7] Update provisioners.mdx
---
step-ca/provisioners.mdx | 52 ++++++++++++++++++++++------------------
1 file changed, 29 insertions(+), 23 deletions(-)
diff --git a/step-ca/provisioners.mdx b/step-ca/provisioners.mdx
index 426ac853..af1994ef 100644
--- a/step-ca/provisioners.mdx
+++ b/step-ca/provisioners.mdx
@@ -86,37 +86,41 @@ It's important to understand the capabilities and limitations when selecting a
provisioner for a given workload.
## Provisioner Management
+By default, provisioner configurations reside in the `$(step path)/config/ca.json` file.
+However, if Remote Provisioner Management is enabled,
+provisioner configurations are stored in the database instead of `ca.json`,
+while the global CA configuration remains in `ca.json`.
+
+Remote Provisioner Management is ideal if you have multiple CA administrators,
+[run several load-balanced](./certificate-authority-server-production.mdx#load-balancing-or-proxying-step-ca-traffic) `step-ca` instances,
+or if you want to manage your provisioners remotely (eg. with Infrastructure as Code (IaC) tools; [see below](#unattended-remote-provisioner-management)).
+See [Remote Provisioner Management](#remote-provisioner-management) for more info on tradeoofs and benefits.
-To add, remove, or modify provisioner configurations,
-use the [`step ca provisioner`](../step-cli/reference/ca/provisioner) command group.
-You must run these commands directly on your CA machine,
+The [`step ca provisioner`](../step-cli/reference/ca/provisioner) command group are used for provisioner management.
+They can be used to add, remove, or modify provisioner configurations.
+Note, you must run these commands directly on your CA machine,
as they need to modify the `$(step path)/config/ca.json` configuration file.
+When you run any step ca provisioner command, it will try to detect where the provisioner configuration is stored.
+It will either modify the `ca.json` file or it will update the database,
+depending on whether you have enabled Remote Provisioner Management.
+
May I edit ca.json directly?
-
You may edit your ca.json configuration file directly, but we strongly recommend using step ca provisioner commands instead.
-Fields in ca.json may be encoded differently than you expect.
+
You may edit your ca.json configuration file directly,
+ but we strongly recommend using step ca provisioner commands instead.
+ Fields in ca.json may be encoded differently than you expect.
+
-Within `ca.json` you can define an optional claims property for each provisioner.
+Within `ca.json` you can define an optional `claims` property for each provisioner.
The settings defined in the `claims` property of individual provisioners under an authority
override the global defaults set for that authority.
For a list of global options,
see the `claims` object under the authority configuration block in the [configuration guide](./configuration/#example-configuration).
-If you
-have multiple CA administrators,
-[run several load-balanced](./certificate-authority-server-production.mdx#load-balancing-or-proxying-step-ca-traffic) `step-ca` instances,
-or if you want to manage your provisioners remotely (eg. with Infrastructure as Code (IaC) tools; [see below](#unattended-remote-provisioner-management)), you can enable the remote provisioner management API, which is disabled by default.
-
-With remote provisioner management enabled,
-provisioner configurations are stored in the database instead of `ca.json`,
-while the global CA configuration remains in `ca.json`.
-
-See [Remote Provisioner Management](#remote-provisioner-management) for more.
-
### Common Provisioner Operations
Common provisioner operations include:
@@ -171,7 +175,7 @@ The example above modifies the minumum, maximum, and default durations for X.509
However, the `update` command can be used to modify the lifetimes, extensions, and templates of both X.509 and SSH certificates.
Additionally, there are some provisioner-specific options,
-which are covered by the documentation for each provisioner type [below](./provisioners/#provisioner-types).
+which are covered by the [documentation for each provisioner type](./provisioners/#provisioner-types).
## Remote Provisioner Management
@@ -181,7 +185,7 @@ When remote provisioner management is enabled,
your provisioner configuration is stored in the database instead of in ca.json.
You can manage the provisioner configuration by running [`step ca provisioner`](../step-cli/reference/ca/provisioner) commands,
either locally or remotely.
-However, you must sign in as an Admin user.
+However, ***you must sign in as an Admin user***.
### Enable Remote Provisioner Management
@@ -213,7 +217,8 @@ To enable remote provisioner management on an existing CA and migrate your `ca.j
When `step-ca` starts up, it will:
* Migrate the provisioners from your `ca.json` to the database
- * Repurpose the first JWK provisioner in your `ca.json` as an administrative provisioner. If no JWK provisioner exists, it will add a [JWK](#jwk) provisioner called Admin JWK to the database. You will be prompted for a password that will encrypt the new provisioner key.
+ * Repurpose the first JWK provisioner in your `ca.json` as an administrative provisioner.
+If no JWK provisioner exists, it will add a [JWK](#jwk) provisioner called Admin JWK to the database. You will be prompted for a password that will encrypt the new provisioner key.
* Create an initial Super Admin user, with username `step`, and link it to the administrative provisioner.
4. Remove old provisioner configurations from `ca.json`.
@@ -228,9 +233,10 @@ To enable remote provisioner management on an existing CA and migrate your `ca.j
### Managing Admin Users
-With remote provisioner management,
-"Admins" can remotely manage provisioners.
-"Super Admins" are Admins that can also manage the list of Admins for the CA using [`step ca admin`](../step-cli/reference/ca/admin).
+With remote provisioner management, there are two categories of admin users: "Admins" and "Super Admins".
+
+"Admins" can remotely manage provisioners.
+Then, "Super Admins" are Admins that can also manage the list of Admins for the CA using [`step ca admin`](../step-cli/reference/ca/admin).
#### Create An Admin User
From 720fbafed3e4bc6648a9d67b035362bacea37057 Mon Sep 17 00:00:00 2001
From: Linda Ikechukwu <32891838+Linda-Ikechukwu@users.noreply.github.com>
Date: Fri, 26 May 2023 17:49:46 +0100
Subject: [PATCH 7/7] Update provisioners.mdx
- Add the link to database page
- Add explanation for reason to delete JWK encrypted private key.
---
step-ca/provisioners.mdx | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/step-ca/provisioners.mdx b/step-ca/provisioners.mdx
index 303c2d12..f514566e 100644
--- a/step-ca/provisioners.mdx
+++ b/step-ca/provisioners.mdx
@@ -88,7 +88,7 @@ provisioner for a given workload.
## Provisioner Management
By default, provisioner configurations reside in the `$(step path)/config/ca.json` file.
However, if Remote Provisioner Management is enabled,
-provisioner configurations are stored in the database instead of `ca.json`,
+provisioner configurations are stored in [the database](./configuration/#databases) instead of `ca.json`,
while the global CA configuration remains in `ca.json`.
Remote Provisioner Management is ideal if you have multiple CA administrators,
@@ -488,9 +488,11 @@ Please enter the password to decrypt the content encryption key:
#### Removing the encrypted private key from a JWK provisioner
-The encrypted private key stored in the JWK provisioner configuration
-and published to the public `/provisioners` endpoint is provided for client convenience.
-However,`step-ca` does not require it to operate, so it can be removed.
+The `/provisioners` endpoint is not a protected resource,
+so anyone with access to the URL can view the list of all provisioners as well as the encrypted private key of any JWK provisioner.
+
+While the exposed encrypted key poses no real danger, you can remove it if you're concerned.
+`step-ca` does not require it to function, as it is only provided for the client's convenience.
To remove this key: