smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0

[docs] Documentation clarification about Proxying step-ca traffic #1837

Open hasan7n opened 1 month ago

hasan7n commented 1 month ago

I am kindly asking for clarification on the Proxying step-ca traffic section of the production considerations documentation. Specifically, I would like to understand if this is accurate or not:

step will expect to be able to perform a TLS handshake with the proxy, and use the CA's root certificate to complete the trust chain. So, for inbound TLS connections, the proxy should use a server certificate issued by step-ca.

What seems to be the case is that whichever CA issued the proxy certificate, one can use the --root parameter with step ca commands to make step trust the issuing CA (ref). So, it seems that there is no requirement to have the proxy use certificates issued by step-ca, contrary to what the documentation mentions. Did I miss something?

hslatman commented 1 month ago

Hey @hasan7n, yes, it's likely that will work in terms of ensuring the CLI will trust the connection. However, it's not guaranteed that all functionalities will work while operating in such a configuration. That's why we don't explicitly mention this in our docs, currently.