Automated way to change intermediate CA private key #467

jrsmith3 · 2021-02-09T13:08:14Z

jrsmith3
Feb 9, 2021

I am trying to write some ansible to define the deployment of step-ca as a local certificate authority for my homelab. The best practices document suggests

After initializing your CA, we recommend that you immediately change the password for the intermediate CA private key

There seem to be no command-line flags to specify files containing decryption/encryption passwords, so I've been trying to use ansible's expect module to interact with the step crypto change-pass command. The interactive prompts of the step crypto change-pass include ANSI control characters which I am finding challenging to deal with via regexes and the expect module. I would prefer an approach that is more explicit, like a flag to the command that specifies files containing the passwords.

I had no problem writing an ansible task for the step ca init command because it features a --password-file flag. I was wondering if there is a similar approach to changing the password for an existing cert. If not, is there any way to change this password without having to wrangle the ANSI control characters with a regex?

Thanks in advance.

Answered by maraino

Feb 9, 2021

I agree with @tashian, and we should add a --password-file to step crypto change-pass. But right now, there's a tricky way to do it without prompts.

cat $(step path)/secrets/intermediate_ca_key | step crypto key format --password-file /tmp/old-password.txt | step crypto key format --password-file /tmp/new-password.txt

What is happening here is that the first format is converting the PEM to DER, and this format does not support password, then we're doing the opposite, and converting DER to PEM.

View full answer

tashian · 2021-02-09T17:51:47Z

tashian
Feb 9, 2021
Collaborator

Hi @jrsmith3, this is one of a few small configuration management issues we have right now around automated bootstrapping. I'd suggest creating an issue for step crypto change-pass to take a --password-file. (We welcome community contributions!)

One alternative worth mentioning: If you know you'll never need another intermediate, you could throw away the root CA private key. The CA doesn't need it.

0 replies

maraino · 2021-02-09T19:07:52Z

maraino
Feb 9, 2021
Maintainer

I agree with @tashian, and we should add a --password-file to step crypto change-pass. But right now, there's a tricky way to do it without prompts.

cat $(step path)/secrets/intermediate_ca_key | step crypto key format --password-file /tmp/old-password.txt | step crypto key format --password-file /tmp/new-password.txt

What is happening here is that the first format is converting the PEM to DER, and this format does not support password, then we're doing the opposite, and converting DER to PEM.

3 replies

jrsmith3 Feb 10, 2021
Author

That's some Jedi level command line. Thanks!

I will open an issue.

jrsmith3 Feb 11, 2021
Author

Here's a link to the ticket I opened: smallstep/cli#416
And it already has a PR?!? 😮😀

maraino Feb 11, 2021
Maintainer

And I approved it, I'm not sure why @dopey didn't merge it.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Automated way to change intermediate CA private key #467

{{title}}

Replies: 2 comments 3 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Automated way to change intermediate CA private key #467

jrsmith3 Feb 9, 2021

Replies: 2 comments · 3 replies

tashian Feb 9, 2021 Collaborator

maraino Feb 9, 2021 Maintainer

jrsmith3 Feb 10, 2021 Author

jrsmith3 Feb 11, 2021 Author

maraino Feb 11, 2021 Maintainer

jrsmith3
Feb 9, 2021

Replies: 2 comments 3 replies

tashian
Feb 9, 2021
Collaborator

maraino
Feb 9, 2021
Maintainer

jrsmith3 Feb 10, 2021
Author

jrsmith3 Feb 11, 2021
Author

maraino Feb 11, 2021
Maintainer