Add support for CloudCAS on step ca init #402

Merged
merged 7 commits
Oct 21, 2020

Update docs for RA.
maraino committed Oct 20, 2020
commit 2ec0c24e988e53af6310f3a810cbbef9e02c6de0
23 changes: 11 additions & 12 deletions docs/cas.md
@@ -1,14 +1,15 @@
# Certificate Management Services
# Registration Authorities

This document describes how to use a certificate management service or CAS to
sign X.509 certificates requests.
This document describes how to use an external registration authority (RA), aka
certificate authority service (CAS) to sign X.509 certificates requests.

A CAS is a system that implements an API to sign certificate requests, the
difference between CAS and KMS is that the latter can sign any data, while CAS
is intended to sign only X.509 certificates.

`step-ca` defines an interface that can be implemented to support other
services, currently only CloudCAS and the default SoftCAS are implemented.
registration authorities, currently only CloudCAS and the default SoftCAS are
implemented.

The `CertificateAuthorityService` is defined in the package
`github.com/smallstep/certificates/cas/apiv1` and it is:
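Review bot: the rewritten opening sentence carries over the grammatical slip from the old one: "sign X.509 certificates requests" should be "sign X.509 certificate signing requests" (or simply "certificate requests"). The unchanged paragraph that follows still defines the concept as "A CAS is a system that implements an API to sign certificate requests" and contrasts CAS with KMS, so after this rename the document introduces a registration authority in the heading and first sentence and then explains a CAS without saying how the two relate; one sentence stating that the terms are used interchangeably here (or that the RA delegates signing to the CAS) would keep the terminology consistent with the `CertificateAuthorityService` interface named just below.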
@@ -123,15 +124,15 @@ or using `gcloud` CLI:
--reusable-config "subordinate-server-tls-pathlen-0"
```

Not it's time to enable it in `step-ca` adding the new property `"cas"` must be added
to the `ca.json`.
Now it's time to enable it in `step-ca` by adding some new files in the
`"authority"` section of the `ca.json`.

```json
{
"cas": {
"authority": {
"type": "cloudCAS",
"credentialsFile": "/path/to/credentials.json",
"certificateAuthority": "projects/<name>/locations/<loc>/certificateAuthorities/<ca-name>"
"certificateAuthority": "projects/<name>/locations/<loc>/certificateAuthorities/<ca-name>",
}
}
```
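Review bot: the added line `"certificateAuthority": "projects/<name>/locations/<loc>/certificateAuthorities/<ca-name>",` now ends with a trailing comma, and it is the last member of the `"authority"` object, so the snippet is no longer valid JSON; drop the comma (the equivalent line in the fuller example further down in this same commit has no trailing comma, so the two examples currently disagree). In the sentence above the block, "adding some new files in the `"authority"` section" should read "fields", since the example adds keys to `ca.json`, not files.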
@@ -161,12 +162,10 @@ need to configure `"root"`, and because the intermediate is in Google Cloud,
"type": "badger",
"dataSource": "/home/jane/.step/db",
},
"cas": {
"authority": {
"type": "cloudCAS",
"credentialsFile": "/home/jane/.step/credentials.json",
"certificateAuthority": "projects/smallstep-cas-test/locations/us-west1/certificateAuthorities/prod-intermediate-ca"
},
"authority": {
"certificateAuthority": "projects/smallstep-cas-test/locations/us-west1/certificateAuthorities/prod-intermediate-ca",
"provisioners": [
{
"type": "JWK",
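Review bot: the unchanged context lines `"dataSource": "/home/jane/.step/db",` followed by `},` leave a trailing comma inside the `"db"` object, so this full example fails a strict JSON parser even though the `"authority"` block being introduced here is well formed; worth fixing while the example is being edited. Since `"credentialsFile"` in this example points at the Google Cloud credentials file (`/home/jane/.step/credentials.json`) that lets `step-ca` obtain signatures from the `prod-intermediate-ca`, a sentence near this block noting that the file should be readable only by the user that runs `step-ca` would be a useful addition to the documentation.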