Open james-emerton opened 1 year ago
@james-emerton thank you for opening this issue. I had a very similar issue this week, and we've started thinking about how to best do this. Some work is already underway to support this.
@maraino this should be possible using either the --ca-kms or the new KMS URL parsing.
Hi @james-emerton, as @hslatman mentions, we're looking into similar cases. We might initially add --ca-kms, but the goal would be to not need those flags at all.
Currently we support a flow for this use case:

```
step certificate create --csr --kms 'awskms:region=us-west-1' \
    --key 'awskms:key-id=9432458d-1e67-4a74-9a23-8f94708b45fe' \
    "Smallstep Intermediate CA" intermediate_ca.csr
step certificate sign --profile intermediate-ca \
    --kms 'awskms:region=us-east-2' \
    intermediate_ca.csr root_ca.crt 'awskms:key-id=78980acd-a42d-4d84-97ba-1e50d3082214'
```
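To make the per-key region handling in the flow above concrete, here is a small parser for `awskms:` URIs, added as an example and not code from step or step-kms-plugin. It assumes a `;`-separated multi-attribute form such as `awskms:key-id=...;region=us-east-2` for the "new KMS URL parsing", and lets a key URI's own region override the default given by `--kms`, so the root and intermediate keys can resolve to different regions.

```python
from typing import Dict, Optional

# Assumed URI shape: '<scheme>:k1=v1;k2=v2'. The ';'-separated form is an
# assumption for illustration, not something the issue above confirms.


def parse_kms_uri(uri: str) -> Dict[str, str]:
    """Parse 'awskms:region=us-west-1' into {'scheme': 'awskms', 'region': 'us-west-1'}."""
    scheme, sep, rest = uri.partition(":")
    if not sep or not scheme:
        raise ValueError(f"not a KMS URI: {uri!r}")
    attrs: Dict[str, str] = {}
    for part in filter(None, rest.split(";")):
        key, eq, value = part.partition("=")
        if not eq or not key.strip() or not value.strip():
            raise ValueError(f"malformed attribute {part!r} in {uri!r}")
        if key.strip() in attrs:
            raise ValueError(f"duplicate attribute {key.strip()!r} in {uri!r}")
        attrs[key.strip()] = value.strip()
    attrs["scheme"] = scheme.lower()
    return attrs


def resolve_key(kms_flag: Optional[str], key_uri: str) -> Dict[str, str]:
    """Merge the --kms defaults with a key URI; attributes on the key URI win.

    Refuses a key that ends up without a region or key-id, so a misconfigured
    command fails before any KMS call is made instead of silently using a
    default region.
    """
    defaults = parse_kms_uri(kms_flag) if kms_flag else {}
    key = parse_kms_uri(key_uri)
    if defaults and defaults["scheme"] != key["scheme"]:
        raise ValueError("--kms and key URI use different schemes")
    merged = {**defaults, **key}
    if "key-id" not in merged:
        raise ValueError(f"no key-id in {key_uri!r}")
    if merged["scheme"] == "awskms" and "region" not in merged:
        raise ValueError("awskms key has no region from --kms or the key URI")
    return merged


if __name__ == "__main__":
    # Constructed key ids; root in us-west-1 via --kms, intermediate overrides to us-east-2.
    root = resolve_key("awskms:region=us-west-1", "awskms:key-id=00000000-root")
    inter = resolve_key("awskms:region=us-west-1", "awskms:key-id=00000000-inter;region=us-east-2")
    print(root["region"], inter["region"])
```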
When creating an intermediate CA using AWS KMS keys, I would like to be able to have the root and intermediate keys stored in different regions.
We would like to deploy CAs to multiple regions, using the same root certificate, but with one intermediate per region. I am aware that AWS supports multi-region keys, which is almost certainly how I will accomplish our goals for now, but it would be very useful to be able to specify a different region for `--ca-key` and `--key`. For example, we might store a root key in the us-west-1 region and want to create an intermediate in us-east-2: