Open chilcano opened 3 years ago
You can run step certificate fingerprint ~/.step/certs/root_ca.crt
on your CA to get the fingerprint. Hope this helps!
Thanks @mmalone
If I have access to the CA host, I could already download the root_ca.crt directly, and then running step ca root root_ca.crt --ca-url https://localhost:443 --fingerprint xxxxx is no longer necessary.
Are the certificates (root and intermediates) available to download from a public area/page/URL of the CA? Like other CAs do (EJBCA, DogTag, CFSSL, ...)
Kind regards.
Yes, you can download the certificate from https://<ca-url>/root/<root-fingerprint>. The idea is that you'll hardcode the CA fingerprint in the clients. The fingerprint is used to verify that you've downloaded the expected root CA cert. It's a security feature.
The easiest way to download the root cert on a client is to use the step CLI:
step ca root root_ca.crt --ca-url https://<ca-url> --fingerprint <fingerprint>
This does a couple things:
It's a secure root download function.
We've also started building a mechanism for securely downloading the root certificate by bootstrapping off of a publicly trusted web PKI certificate. We use this for step ssh config but it hasn't made its way into the step ca command group yet.
If other CAs do this some other way that you like better I'd be curious to learn more.
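The mechanism described in the reply above (fetch the root from https://<ca-url>/root/<fingerprint>, then accept it only if its fingerprint matches a value pinned in the client) is what step ca root automates. The Python below is an added example for this thread, not code from the step project or from any participant. It assumes the fingerprint is the SHA-256 of the certificate's DER encoding, written as lowercase hex (step's default format), and it assumes the /root/<fingerprint> endpoint returns either the PEM itself or a JSON object with a "ca" field holding the PEM; check that against your CA version. The certificate bytes in the sample are constructed and are not a real X.509 certificate.

```python
import base64
import hashlib
import hmac
import json
import re
import ssl
import urllib.request

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, lowercase hex.
    Assumed to match 'step certificate fingerprint' output by default."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def normalize_fingerprint(value: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' and reduce both to lowercase hex."""
    return value.strip().lower().replace(":", "")


def verify_root(pem: str, pinned_fingerprint: str) -> bool:
    """True only if the downloaded root matches the fingerprint pinned in the client.
    compare_digest avoids leaking the mismatch position through timing."""
    return hmac.compare_digest(fingerprint(pem), normalize_fingerprint(pinned_fingerprint))


def extract_pem(body: str) -> str:
    """The endpoint is assumed to return raw PEM or JSON {"ca": "<PEM>"}."""
    stripped = body.strip()
    if stripped.startswith("{"):
        return json.loads(stripped)["ca"]
    return stripped


def fetch_root(ca_url: str, pinned_fingerprint: str) -> str:
    """Download the root from https://<ca-url>/root/<fingerprint> and return the PEM
    only after the pin check passes. The client has no trust anchor yet for this
    request (that is what is being bootstrapped), so the TLS chain cannot be
    validated here; the pinned fingerprint is the trust decision."""
    fp = normalize_fingerprint(pinned_fingerprint)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"{ca_url.rstrip('/')}/root/{fp}"
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        pem = extract_pem(resp.read().decode())
    if not verify_root(pem, fp):
        raise RuntimeError("root certificate does not match the pinned fingerprint; refusing to trust it")
    return pem


# Constructed sample bytes (not a real X.509 DER) so the functions can run offline.
CONSTRUCTED_DER = b"\x30\x82\x00\x10constructed sample, not a real certificate"
CONSTRUCTED_ROOT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(CONSTRUCTED_DER).decode()
    + "-----END CERTIFICATE-----\n"
)
OTHER_DER = b"\x30\x82\x00\x10a different constructed blob"
OTHER_ROOT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(OTHER_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    pin = fingerprint(CONSTRUCTED_ROOT_PEM)  # in practice: hardcoded from the CA host
    print("pinned:", pin)
    print("matches pin:", verify_root(CONSTRUCTED_ROOT_PEM, pin))
    print("substituted cert matches pin:", verify_root(OTHER_ROOT_PEM, pin))
    # Against a live CA (placeholder URL), the verified PEM can then be written
    # to root_ca.crt and used with: curl --cacert root_ca.crt https://web.emojivoto.local
    # pem = fetch_root("https://ca.example.invalid", pin)
```

The point of the check is that the download path is untrusted: a substituted certificate served from the same URL produces a different fingerprint and is rejected, which is exactly why the fingerprint has to be obtained out of band on the CA host rather than from the download itself.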
Thanks @mmalone. I'm going to run a workshop using this repo (step-aws-emojivoto) for multiple users (> 10) and need to tweak the Terraform code and improve the information to make it easier for them. I appreciate your answer. This information is useful to accomplish that. Kind regards.
Hi there, I've run through this PoC and I've already deployed on AWS and now I would like to explore the App. I haven't got problems using Chrome/Firefox to browse https://web.emojivoto.local. In fact, I had this alert NET::ERR_CERT_AUTHORITY_INVALID as expected. But now I want to use cURL and step cli, however I think there are some missed previous steps. In order to use curl, browser and step cli we need root and intermediate certs. How to get them? According to the Quickstart - Step 6. Get the root certificate from Step CA, executing step ca root root.crt is enough, but it isn't. Then, I tried to obtain them through step cli with --ca-url, however the --fingerprint param is also needed. What are these values? How do I get them? The /usr/local/lib/step/config/ca.json shows the path for these certs. Is using the ca.json the right way to get them? Hope you can help me. Regards.