A batch of small fixes #265

Merged
merged 3 commits into from
Aug 29, 2023
4 changes: 2 additions & 2 deletions step-ca/installation.mdx
Expand Up @@ -22,7 +22,7 @@ Learn how to to install the `step-ca` binary on your local machine.
- [Winget Package](#winget-package)
- [Scoop Package](#scoop-package)
- [Linux Packages](#linux-packages-amd64)
- [Debian](#debian)
- [Debian/Ubuntu](#debian-ubuntu)
- [Arch Linux](#arch-linux)
- [RedHat](#redhat)
- [Alpine Linux](#alpine-linux)
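Review bot: the new anchor `#debian-ubuntu` only resolves if the site's heading slugger turns `#### Debian/Ubuntu` into `debian-ubuntu` (slash dropped, space-free hyphenation); please confirm on the rendered page, because a broken in-page link fails silently. While this file is open, the unchanged context in the hunk header reads "Learn how to to install" (doubled "to") and could be fixed in the same commit.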
Expand Down Expand Up @@ -81,7 +81,7 @@ To uninstall, run `scoop uninstall`, then remove the configuration directory `$H
</div>
</Alert>

#### Debian
#### Debian/Ubuntu

To install `step`, download and install the Debian package for your platform from our [latest release](https://github.com/smallstep/cli/releases/latest):

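Review bot: the heading now says `Debian/Ubuntu`, but the unchanged sentence directly under it still reads "To install `step`, download and install the Debian package" and links to `smallstep/cli/releases/latest`, in a file named `step-ca/installation.mdx`. Please check whether this should name `step-ca` and point at the step-ca release; as written, a reader following the step-ca page is sent to the CLI download.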
28 changes: 18 additions & 10 deletions step-ca/provisioners.mdx
Expand Up @@ -482,7 +482,7 @@ To remove this key:

Sometimes it's useful to issue certificates to people.
So `step-ca` supports single sign-on with identity providers (IdPs) like Google, Okta, Azure Active Directory, Keycloak,
or any other provider that supports OAuth's [OpenID Connect extension](https://openid.net/connect/)..
or any other provider that supports OAuth's [OpenID Connect extension](https://openid.net/connect/).

OpenID Connect is an extension to OAuth 2.0 that adds an identity layer.
Providers that support OIDC can issue identity tokens ("ID tokens") to OAuth clients.
Expand Down Expand Up @@ -621,21 +621,22 @@ see the [claims](configuration.mdx#claims) section for all the options.

#### Browserless Console Mode

Sometimes it's helpful to use OAuth in an input-constrained environment where a web browser is not available.
The Device Authorization Grant flow is an OAuth 2.0 extension designed for this scenario.
The `step-ca` OIDC provisioner supports the Device Authorization Grant flow.
For OpenID Connect, by default, `step` opens a web browser to run the Authorization Code flow with PKCE.

Sometimes it's helpful to use OAuth in an input-constrained environment where no web browser is available.
The Device Authorization Grant flow (aka "Device Flow") is an OAuth 2.0 extension designed for this scenario.
The `step` client supports the Device Authorization Grant flow.

To use the Device Authorization Grant flow for input-constrained devices, run:

```shell-session
$ step ca certificate foo foo.crt foo.key --console
```

To specify a flow other than the default (for example Google's deprecated Out of Band flow), run:
or

```shell-session
$ STEP_CONSOLE_FLOW=oob step ca certificate foo foo.crt foo.key --console
```
$ STEP_CONSOLE=true step ssh certificate carl carl.crt

#### Notes

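Review bot: the second `shell-session` block loses its closing fence. The hunk removes both `$ STEP_CONSOLE_FLOW=oob step ca certificate foo foo.crt foo.key --console` and the ```` ``` ```` that closed the block, and only adds `$ STEP_CONSOLE=true step ssh certificate carl carl.crt` (the old/new line counts in `@@ -621,21 +621,22 @@` confirm six deletions against seven additions), so the fence now stays open through `#### Notes` and everything after it renders as code. Re-add the closing fence after the new command line. Separately, the bare "or" between the two blocks leaves the reader to infer that `STEP_CONSOLE=true` is the environment-variable equivalent of `--console` and that it applies to `step ssh certificate` as well as `step ca certificate`; one sentence stating that would make the pairing clear.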
Expand Down Expand Up @@ -872,16 +873,22 @@ The ACME provisioner in `step-ca` supports issuing X.509 certificates using IP,
Add an ACME provisioner:

```shell
step ca provisioner add acme --type ACME
step ca provisioner add acme-example --type ACME
```

An example of an ACME provisioner in the `ca.json`:
This will add an ACME server to step-ca.
ACME clients are commonly configured with an **ACME directory URL**.
If your CA is hosted at `ca.internal`, and you run the above command, your ACME server directory URL will be `https://ca.internal/acme/acme-example/directory`.

To configure popular ACME clients to use `step-ca`, see [our tutorial on the subject](https://smallstep.com/docs/tutorials/acme-protocol-acme-clients/).

Here's an example of an ACME provisioner configuration in `ca.json`:

```json
...
{
"type": "ACME",
"name": "acme",
"name": "acme-example",
"forceCN": true,
"claims": {
"maxTLSCertDuration": "8h",
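Review bot: the directory URL sentence (`https://ca.internal/acme/acme-example/directory`) only holds when the CA is reachable on the default HTTPS port; if `step-ca` listens on another port the client needs it in the URL, so consider saying "hosted at `ca.internal` on port 443" or showing the port form once. Minor wording: "This will add an ACME server to step-ca" reads as if a second service were started; "This adds an ACME provisioner, which exposes an ACME directory endpoint on the CA" matches what the command does and what the next two sentences describe. The `json` block also still opens with a literal `...` (pre-existing, but easy to drop while the block is being edited, since it makes the snippet invalid JSON for anyone who copies it).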
Expand Down Expand Up @@ -972,6 +979,7 @@ step ca provisioner add acme-da \
In your Apple MDM profile, you will need:
* A [`CertificateRoot`](https://developer.apple.com/documentation/devicemanagement/certificateroot) payload, containing your root CA certificate PEM block, so that it's trusted by the device.
* An [`ACMECertificate`](https://developer.apple.com/documentation/devicemanagement/acmecertificate) payload. For this one, set the `ClientIdentifier` to the UDID or serial number of the device.
* Set `HardwareBound` to `true`

##### Device Attestation for YubiKeys

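Review bot: `HardwareBound` is a key of the `ACMECertificate` payload described in the preceding bullet, so the added line should be a sub-point of that bullet or folded into its sentence ("... set the `ClientIdentifier` to the UDID or serial number of the device and `HardwareBound` to `true`.") rather than a third top-level item, which reads as if it were a separate payload. It also lacks the trailing period the other two bullets have.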
4 changes: 2 additions & 2 deletions step-cli/installation.mdx
Expand Up @@ -21,7 +21,7 @@ It's trivial to install the `step` binary on your local machine.

- [macOS](#macos)
- [Linux Packages](#linux-packages-amd64)
- [Debian](#debian-linux)
- [Debian](#debian-ubuntu)
- [Arch Linux](#arch-linux)
- [RedHat](#redhat)
- [Alpine Linux](#alpine-linux)
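Review bot: the anchor changes to `#debian-ubuntu` but the link text stays "Debian", whereas the equivalent edit to `step-ca/installation.mdx` in this same PR updates the text to "Debian/Ubuntu" as well. Make the link text match the renamed heading so the two installation pages stay consistent.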
Expand All @@ -43,7 +43,7 @@ To uninstall, run `brew uninstall step` and remove the `$HOME/.step` configurati

### Linux Packages (amd64)

#### Debian Linux
#### Debian/Ubuntu

Download and install the Debian package from our [latest release](https://github.com/smallstep/cli/releases/latest):
