smallstep / cli

🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
https://smallstep.com/cli
Apache License 2.0

Support installing a root cert via URL with step certificate install #1179

Open jdoss opened 4 months ago

jdoss commented 4 months ago

Hello!

Issue details

Add support for step certificate install to pull a root from a URL and check its fingerprint.

Example:

step certificate install https://mycool-stepca.example.biz/roots.pem --fingerprint 48:62:CD:B0:B1:E8:A8:45:45:97:62:E2:2F:CB:E8:1C:B5:C0:BC:85

Also consider adding a --insecure flag to the URL support to bypass checking the fingerprint.

Why is this needed?

step certificate inspect https://smallstep.com works on URLs and adding this feature will allow operators to trust their PKI in an automated way. For example with a systemd unit:

[Unit]
Description=Trust MyCool root
After=network-online.target
Wants=network-online.target
# Run once: the stamp file is created after a successful install.
ConditionPathExists=!/var/lib/pki-trust-mycool-root.stamp
ConditionPathExists=/usr/local/bin/step

[Service]
Type=oneshot
RemainAfterExit=yes
# Absolute path to the binary; the command must not be quoted as one string,
# or systemd treats the whole line as the executable name.
ExecStart=/usr/local/bin/step certificate install https://mycool-stepca.example.biz/roots.pem --fingerprint 48:62:CD:B0:B1:E8:A8:45:45:97:62:E2:2F:CB:E8:1C:B5:C0:BC:85
ExecStartPost=/bin/touch /var/lib/pki-trust-mycool-root.stamp

[Install]
WantedBy=default.target

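The fetch, fingerprint check and parse that the request describes, written out as an added example in Go (the language step itself is written in). This is not smallstep's code and does not represent how the CLI would implement the flag; the CA, the HTTPS server and the expected fingerprints are all constructed inside the program, so it runs offline. The example stops at returning the verified PEM rather than writing to the system trust store. The point a practitioner should take from it is that the TLS session used to download the root is verified against the trust store that does not yet contain that root, so the out-of-band fingerprint is the only thing that authenticates the download:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Fingerprint returns the SHA-256 digest of a DER certificate in the
// colon-separated upper-case hex form used in the issue.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(parts, ":")
}

// NormalizeFingerprint accepts "AA:BB:..." or bare hex in any case and returns
// lower-case hex, rejecting anything that is not exactly a SHA-256 digest.
func NormalizeFingerprint(fp string) (string, error) {
	clean := strings.ToLower(strings.ReplaceAll(fp, ":", ""))
	if _, err := hex.DecodeString(clean); err != nil || len(clean) != sha256.Size*2 {
		return "", fmt.Errorf("expected a SHA-256 fingerprint (64 hex digits), got %q", fp)
	}
	return clean, nil
}

// FetchRoot downloads a PEM bundle, takes the first CERTIFICATE block and returns
// it only if its SHA-256 fingerprint equals expected. The fingerprint is compared
// before the certificate is even parsed, so an attacker-supplied bundle gets no
// parser surface unless it already matches.
func FetchRoot(client *http.Client, url, expected string) (*x509.Certificate, []byte, error) {
	want, err := NormalizeFingerprint(expected)
	if err != nil {
		return nil, nil, err
	}
	resp, err := client.Get(url)
	if err != nil {
		return nil, nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, nil, fmt.Errorf("GET %s: %s", url, resp.Status)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap the download size
	if err != nil {
		return nil, nil, err
	}
	block, _ := pem.Decode(body)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, nil, fmt.Errorf("%s did not return a PEM CERTIFICATE block", url)
	}
	got, _ := NormalizeFingerprint(Fingerprint(block.Bytes))
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return nil, nil, fmt.Errorf("fingerprint mismatch: server returned %s", Fingerprint(block.Bytes))
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, nil, err
	}
	if !cert.IsCA {
		return nil, nil, fmt.Errorf("%q is not a CA certificate", cert.Subject.CommonName)
	}
	return cert, pem.EncodeToMemory(block), nil
}

// newTestRoot builds a throw-away self-signed CA (constructed test data, not a real root).
func newTestRoot(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// DemoFetch serves the constructed root from a local HTTPS test server and fetches it
// twice: once with the correct fingerprint, once with an all-zero (wrong) one.
func DemoFetch() (cn string, matchErr, mismatchErr error) {
	rootDER := newTestRoot("MyCool Root CA")
	rootPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootDER})
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		_, _ = w.Write(rootPEM)
	}))
	defer srv.Close()
	url := srv.URL + "/roots.pem"

	var cert *x509.Certificate
	cert, _, matchErr = FetchRoot(srv.Client(), url, Fingerprint(rootDER))
	if cert != nil {
		cn = cert.Subject.CommonName
	}
	_, _, mismatchErr = FetchRoot(srv.Client(), url, strings.Repeat("00:", 31)+"00")
	return cn, matchErr, mismatchErr
}

func main() {
	cn, ok, bad := DemoFetch()
	fmt.Println("correct fingerprint:", ok, "subject:", cn)
	fmt.Println("wrong fingerprint:", bad)
}
```

With a real `step`, the equivalent of the success path is `step certificate install roots.pem` on the file FetchRoot returns; the mismatch path should abort before any install, which is why the example returns an error rather than a partial result.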
hslatman commented 4 months ago

Fingerprint using SHA256. Consider supporting other formats, but only with explicit format specified.

https://github.com/orgs/smallstep/projects/94/views/1?pane=issue&itemId=63393140