Leaf certificate for "Step Online CA"

[Jcpetrucci]

Subject of the issue

When step-ca is started, it seems to generate a new leaf certificate for itself. The subject is "Step Online CA" and it is issued by the intermediate cert. Can we influence the generation of this certificate at all? For example changing the subject, or the validity (valid from / valid to) dates? I have already configured claims and minTLSCertDuration under my provisioner, but the certificate for Step Online CA does not seem to respect my claim, and I'm not even sure if it's created through this provisioner.

[tashian]

Hi there,

Yes, the claims and minTLSCertDuration only apply to certificates created by the provisioner.

Could you give me a bit more context on your situation, and why you're wanting to change the CA's TLS certificate parameters?

If your subscribers trust the CA certificate, the short-lived leaf certificate generated by the CA should always be trusted.

[Jcpetrucci]

Yes the trust can be validated just fine- it is mainly the lifetime that concerns me. I would like to be able to change the certificate duration to be a little less short-lived, perhaps 7 or 30 days. The reason is because I want to monitor the number of days remaining in the certificate validity, as a way to know if the automatic renewals ever cease to work. My monitoring tool is limited in that the smallest unit of measurement it can do is "day(s)", so I need to configure it to tell me if the cert has <= X days remaining.

[tashian]

Thanks for the context.

You'd have to make a custom build of step-ca for this purpose, because that certificate duration is hardcoded here.

[tashian]

BTW, the internal certificate renewer in step-ca will try to renew this certificate when about 2/3 of the validity period has elapsed. So by default it renews at around 16 hours, but if you were to extend the lifetime to 7 days, it will try to renew at around 4 2/3 days.

[maraino]

@Jcpetrucci the duration of the step-ca "self-certificate" is hardcoded to 24h, and it gets automatically renewed.

Right now you cannot configure the duration, and you cannot pre-create a certificate to use. If you think any of those are important, I'll suggest creating an enhancement issue.

[Jcpetrucci]

Thank you @tashian for linking the code where this is defined. Yes I think that others may find it beneficial also.