Hello! I'd like to ask if it's possible to restrict a jwk provisioner to only issue certs or only renew certs. The rationale is that I'd like to keep a password file on each machine for solely automated renewal, and have a separate provisioner that I use to hand-issue certs without storing its password. If anyone were to gain access to the machines they'd then only be able to renew certs, which I can revoke. I'm open to any suggestions if I've made a mistake or if there's a better way to do it. Thanks in advance!
Replies: 1 comment 1 reply
The only thing possible is to disable renewal using the claim "disableRenewal": true. But if you do that you won't be able to renew certificates issued by that provisioner. All renewals but the SSH host one (SSHPOP) are tied to the provisioner.

For automated renewal there's no need for a password; if the certificate is still valid you can do an mTLS connection to the renewal endpoint:
step ca renew foo.crt foo.key
In master, there's also the ability to enable per-provisioner renewal of expired certs, but it's something that you have to manually enable, and might not be what you want.

That
step ca renew foo.crt foo.key
is equivalent to doing:
curl --cacert ~/.step/certs/root_ca.crt --cert foo.crt --key foo.key -X POST https://ca.example.com/renew
And of course, parsing the output.
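The renewal flow the reply describes, written out as an added example (this is not code from the thread or from smallstep): a POSIX shell script that checks whether the machine's current certificate is close to expiry, calls the /renew endpoint over mTLS with the same curl invocation as above, and pulls the new PEM out of the JSON response, so no provisioner password has to be stored on the host. It assumes the CA answers with the single-line JSON object step-ca returns, carrying the new certificate under a "crt" key and the CA certificate under "ca"; the CA_URL and ROOT_CA defaults, the 7-day threshold and the helper names are the example's own.

```shell
#!/bin/sh
# Added example: password-less automated renewal against a step-ca /renew endpoint.
# Assumptions (not from the thread): the CA answers POST /renew over mTLS with a
# single-line JSON object holding the new certificate under "crt" and the CA
# certificate under "ca"; the CA_URL / ROOT_CA defaults below are placeholders.
set -eu

CA_URL="${CA_URL:-https://ca.example.com}"
ROOT_CA="${ROOT_CA:-$HOME/.step/certs/root_ca.crt}"
RENEW_BEFORE_SECS="${RENEW_BEFORE_SECS:-604800}"   # renew when < 7 days remain

# json_field KEY  (stdin: JSON)  ->  value of "KEY":"..." with \n unescaped.
# Deliberately minimal: enough for the flat, PEM-carrying response; not a JSON parser.
json_field() {
  awk -v key="$1" '
    {
      pat = "\"" key "\":\""
      i = index($0, pat)
      if (i == 0) next
      rest = substr($0, i + length(pat))
      j = index(rest, "\"")
      val = substr(rest, 1, j - 1)
      gsub(/\\n/, "\n", val)      # PEM newlines arrive escaped as \n
      printf "%s", val
      exit
    }'
}

# needs_renewal CERT -> returns 0 if CERT expires within RENEW_BEFORE_SECS
needs_renewal() {
  # openssl -checkend returns 0 when the cert is still valid past the window, 1 otherwise
  if openssl x509 -noout -checkend "$RENEW_BEFORE_SECS" -in "$1" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# renew_cert CERT KEY OUT -> renews CERT over mTLS and writes the new PEM to OUT atomically.
# Only the current certificate and key authenticate the call; the provisioner password
# never touches the machine.
renew_cert() {
  cert=$1; key=$2; out=$3
  resp=$(curl -sS --fail --cacert "$ROOT_CA" --cert "$cert" --key "$key" \
         -X POST "$CA_URL/renew")
  tmp="$out.tmp.$$"
  printf '%s\n' "$resp" | json_field crt > "$tmp"
  # refuse to install anything that does not parse as a certificate
  if ! openssl x509 -noout -in "$tmp" >/dev/null 2>&1; then
    rm -f "$tmp"
    echo "renew: response did not contain a parsable certificate" >&2
    return 1
  fi
  mv "$tmp" "$out"
}

# usage: renew.sh run CERT KEY [OUT]   (OUT defaults to CERT; run from cron or a timer)
case "${1:-}" in
  run)
    if needs_renewal "$2"; then
      renew_cert "$2" "$3" "${4:-$2}"
    fi
    ;;
esac
```

Because the call is authenticated by the certificate being renewed, a stolen key only buys the attacker the ability to keep that one certificate alive until it is revoked, which is exactly the failure mode the question wants. The same loop is what `step ca renew --daemon` does natively if you would rather not maintain a script.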