smallstep / cli

🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
https://smallstep.com/cli
Apache License 2.0

[Bug]: Unable to use yubikey with step certificate create #1282

Closed udf2457 closed 1 week ago

udf2457 commented 2 weeks ago

Steps to Reproduce

According to the docs, this:

step certificate create --profile root-ca "FOO" --ca-kms yubikey:pin-value=1234567 --ca-key yubikey:slot-id=82

Should work because ca-kms and ca-key are valid option flags?

The same thing happens if you use --kms and --key.

But step insists on pushing keys to disk?

not enough positional arguments were provided in 'step certificate create '

Your Environment

Smallstep CLI/0.27.4 (darwin/arm64)

Expected Behavior

Generate cert using yubikey

Actual Behavior

Errors out with:

not enough positional arguments were provided in 'step certificate create '

Additional Context

No response

hslatman commented 1 week ago

Hey @udf2457,

What happens if you try this:

step certificate create --profile root-ca --kms 'yubikey:pin-value=1234567' --key 'yubikey:slot-id=82' 'FOO' root_ca.crt

It's possible you got the error because of the order of arguments provided and how they're evaluated. In this case FOO is placed at the end, and the certificate will be written to root_ca.crt.

In this case you'll need --kms and --key, as you're using the root-ca profile. For the intermediate you would need to specify the --ca-kms and --ca-key, and point those to the values you used for the root.

udf2457 commented 1 week ago

@hslatman Yeah, reworking in that order fixed it. Thanks.

hslatman commented 1 week ago

Great to hear 🙂

Unfortunately, I don't think we can handle this in a better way at the moment due to the packages we use for handling the command line flags, so I'll close the issue for now.