smallstep / step-kms-plugin

🔐 step plugin to manage keys and certificates on cloud KMSs and HSMs
Apache License 2.0
47 stars 6 forks

Multiple region support #66

Open james-emerton opened 1 year ago

james-emerton commented 1 year ago

When creating an intermediate CA using AWS KMS keys, I would like to be able to have the root and intermediate keys stored in different regions.

We would like to deploy CAs to multiple regions, using the same root certificate, but with one intermediate per region. I am aware that AWS supports multi-region keys, which is almost certainly how I will accomplish our goals for now, but it would be very useful to be able to specify a different region for --ca-key and --key.

For example, we might store a root key in the us-west-1 region and want to create an intermediate in us-east-2:

step certificate create --profile intermediate-ca \
  --kms 'awskms:region=us-east-2' \
  --ca root_ca.crt \
  --ca-key 'awskms:key-id=78980acd-a42d-4d84-97ba-1e50d3082214' \
  --key 'awskms:key-id=9432458d-1e67-4a74-9a23-8f94708b45fe;region=us-west-1' \
  "Smallstep Intermediate CA" intermediate_ca.crt

hslatman commented 1 year ago

@james-emerton thank you for opening this issue. I had a very similar issue this week, and we've started thinking about how to best do this. Some work is already underway to support this.

@maraino this should be possible using either the --ca-kms or the new KMS URL parsing.

maraino commented 1 year ago

Hi @james-emerton, as @hslatman mentions, we're looking into similar cases; we might initially add --ca-kms, but the goal would be to not need those flags at all.

Currently we support a flow for this use case:

  1. Create a CSR for your intermediate:
     step certificate create --csr --kms 'awskms:region=us-west-1' \
       --key 'awskms:key-id=9432458d-1e67-4a74-9a23-8f94708b45fe' \
       "Smallstep Intermediate CA" intermediate_ca.csr
  2. Sign the CSR with your root:
     step certificate sign --profile intermediate-ca \
       --kms 'awskms:region=us-east-2' \
       intermediate_ca.csr root_ca.crt 'awskms:key-id=78980acd-a42d-4d84-97ba-1e50d3082214'