how to generate certificate via web API by using step-ca instance set up with HSM

[umegaya]

hi, I've setup step-ca along with hsm by following instruction of https://smallstep.com/docs/step-ca/configuration#pkcs-11
and all setup seems to finish. then we want to generate our certficate via Web API, not from CLI.

without hsm, our steps to generate certificate via API is like following and it works fine.

1. generate ott by using step ca token --offline CLI (it will be replaced with our program later stage of development)
2. curl -k https://our_step_ca_host/sign -d '{"csr":$csr,"ott":$ott}'

but after step-ca setup along with hsm, step 1 is failed with unsupported kms type ‘pkcs11'
with hsm, how can I generate cert via Web API? is it step-ca's limitation or am I missing some important settings?

regards,

[tashian]

As an alternative, one thing you could try is a more extended form of step ca token --offline, eg:

step ca token internal.example.com \
              --offline \
              --kid 4vn46fbZT68Uxfs9LBwHkTvrjEvxQqx-W8nnE-qDjts \
              --issuer [email protected] \
              --key provisioner.key \
              --ca-url https://ca.example.com \
              --root /path/to/root_ca.crt

I think this form of the command doesn't depend on ca.json directly, so it may work for you.

Another option would be to look at smallstep/clients as a reference point for generating your own tokens programmatically.

By the way, in step 2 you are connecting to the CA insecurely for the sign operation. I'd strongly recommend passing a --cacert instead of -k.

[umegaya]

@tashian thanks! but unfortunatelly, your suggestion does not work. still returns unsupported kms type ‘pkcs11' error.
after investigation, it appears that actual cause was, https://github.com/smallstep/cli does not import go.step.sm/crypto/kms/pkcs11.

without the import, go.step.sm/crypto/kms/pkcs11/pkcs11.go#init will not be called, then go.step.sm/crypto/kms/kms.go#New will fail with unsupported kms type ‘pkcs11' due to lack of corresponding handler for kms type apiv1.PKCS11.

I opened pull request for this. smallstep/cli#828 this version of step cli can generate ott for hsm-enabled step-ca instance. (you need to build step cli with CGO, like make build CGO_OVERRIDE="")

hope it helps

[maraino]

As I commented in the PR, we want to use step-kms-plugin for this. This is currently not implemented on step ca token commands, but it can be. As a current workaround, I created this script https://gist.github.com/maraino/f73b334e475caa1a0f34a52c501fede7

You will need to edit some of the variables for your environment, but it should work. The script requires step-kms-plugin with this PR smallstep/step-kms-plugin#27 merged. I'll try to create a new release today.

[maraino]

The latest version of certificates now has support for signing JWTs https://github.com/smallstep/step-kms-plugin/releases