diff --git a/step-ca/registration-authority-ra-mode.mdx b/step-ca/registration-authority-ra-mode.mdx index ef8f3295..e5879d39 100644 --- a/step-ca/registration-authority-ra-mode.mdx +++ b/step-ca/registration-authority-ra-mode.mdx @@ -521,7 +521,7 @@ Run: ```bash VAULT_URI=http://127.0.0.1:8200 -VAULT_CA_FINGERPRINT=$(step certificate fingerprint `step path`/certs/root_ca.crt) +VAULT_CA_FINGERPRINT=$(step certificate fingerprint root_ca.crt) cat <<< $(jq --arg vault_role_id "$VAULT_ROLE_ID" \ --arg vault_secret_id "$VAULT_SECRET_ID" \ --arg vault_uri "$VAULT_URI" \ @@ -581,6 +581,17 @@ Here are the `config` options for `vaultcas` authorities: - **tokenPath**: [authType=`kubernetes`] the path to a token used to authenticate (default to the service account token path in a k8s pod) +Finally, remove the `"root"`, `"key"`, and `"crt"` values from your `$(step path)/config/ca.json`, and the associated files. These are generated by `step ca init` but are not used by RA servers. + +Run: + +``` +cat <<< $(jq 'del(.key, .crt, .root)' `step path`/config/ca.json) > $(step path)/config/ca.json +rm $(step path)/certs/root_ca.crt $(step path)/certs/intermediate_ca.crt $(step path)/secrets/intermediate_ca_key +``` + +Your RA server will read your root from Vault when it starts up. + #### 6. Start your RA server ```bash
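Review bot: in the first hunk (`@@ -521,7 +521,7 @@`) the fingerprint command now takes a bare relative path, `step certificate fingerprint root_ca.crt`, so the value of `VAULT_CA_FINGERPRINT` depends on the reader's current working directory, and nothing in the hunk says where that `root_ca.crt` comes from. Since this fingerprint is what the RA uses to pin the Vault-issued root, pointing it at the wrong file (for instance the `step ca init` root under `$(step path)/certs/`, which the second hunk goes on to delete) would be a silent misconfiguration rather than a visible error. Suggest either an explicit path or a sentence immediately before the block stating where the Vault root certificate was saved, e.g. "Save the Vault root as `root_ca.crt` in your working directory, then run:". Dropping the old backtick form of `\`step path\`` is fine, as the rest of the page already uses `$(step path)`.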
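Review bot: the second hunk (`@@ -581,6 +581,17 @@`) opens its new code block with a bare ``` fence while the surrounding blocks on this page are tagged ```bash, and the `cat <<< $(jq ...)` idiom needs bash herestrings anyway, so tag the fence ```bash. On the `jq` line, `\`step path\`/config/ca.json` and `$(step path)/config/ca.json` are mixed in the same command; use `$(step path)` for both. The in-place rewrite `cat <<< $(jq 'del(.key, .crt, .root)' ...) > $(step path)/config/ca.json` only works because the herestring is expanded before the `>` truncation runs, and it leaves an empty `ca.json` if `jq` fails; writing to a temp file and then `mv`ing it over `ca.json` is safer. The `rm` line will abort on the first missing file (for example when a reader re-runs the step), so consider `rm -f`. Deleting `$(step path)/certs/root_ca.crt` here is consistent with the first hunk no longer referencing that path, which is good; it would help to say explicitly that the `intermediate_ca_key` being removed is the private key generated by `step ca init`, so readers understand why discarding a key file is expected here.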