step ca does not honor all attributes in x509 template

[sephiroth1395]

Using step-ca release 0.16.

I want to create a 3-tier CA using step-ca. I have issued the Root and local Intermediate using x509 templates, with a MaxPathLen of respectively 2 and 1, and everything went as expected.

Now the third level of the CA comes from another system.
So, I have generated a CSR, that I have imported on my Root CA.
I'm attemping to sign using the following command:

step ca sign csr/ACME_v3.csr certs/ACME_v3.crt --not-after=43800h --set-file=templates/acme_subca.tpl

The template contains the following:

{
        "subject": { "commonName": "(redacted)" },
        "keyUsage": ["certSign", "crlSign"],
        "basicConstraints": {
                "isCA": true,
                "maxPathLen": 0
        }
}

The signing succesful, but I don't get what I expect.

What is expected: The resulting certificate has the defined key usage and constraints.

What I get:

            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Server Authentication, Client Authentication

I explicitly need to use step ca instead of just step certificate because the private keys of the Root CA live on a YubiKey.
The CSR comes from a system that also uses the YubiKey to store the private key, and ideally I would like not to have generate it on the Root CA.

In my understanding I'm doing everything right, and this appears to be a bug. Can you confirm?

[tashian]

Hi @sephiroth1395,

The template JSON file needs to be part of your CA configuration, you can't pass a template in via step ca sign.
What --set-file can be used for is a dictionary of key-value pairs that then can be accessed in the CA's template via Insecure.User.* variables.

So, in your case, in your CA you'll want a template that looks sort of like this:

{
    "subject": {{ toJson .Subject }},
    "sans": {{ toJson .SANs }},
    "keyUsage": ["certSign", "crlSign"],
    "basicConstraints": {
        "isCA": true,
        "maxPathLen": 0
    }
}

(I haven't tested this, but this is the idea.)
You put this into a .tpl file (somewhere like /etc/step-ca/templates/x509) and refer to it from your provisioner configuration.
Any certs made using that provisioner will use the template.
Hope this works out! Let me know if you have any questions.

[tashian]

You also may find it easier to create these certs offline. Especially if you are minting long-lived CA certs once, and you don't need to be able to create CA certs ongoing using an online authority. The offline step certificate create command takes a --template flag that lets you pass a template filename. If you take this approach, you'll also need to pass it the subject, issuing CA (--ca) and signing key (--ca-key).

[sephiroth1395]

Hello @tashian ,

First, thanks a lot for the quick feedback.

• Regarding the issue itself: I did not catch that difference in the documentation, thanks a lot for the clarifications. I will test this, if you don't hear from me again, it means I stand corrected and everything works :)
• Regarding your second comment: the catch is I'm using YubiKeys to store the private keys and step certificate cannot handle them, it is only implemented in the step ca feature set as far as I understand.

The overall architecture is that on one node (that would be fully offline it this was a production env) there is the root and intermediate CA, and on another node there is a subCA that uses the ACME protocol (both with step certificates because, well, it does the job and works very well). The whole point is that the ACME SubCA private key is generated on the Yubikey itself and exported as a CSR (both using ykman), the CSR is signed by the root CA, and the resulting assets are used with step to serve leaf certificates via the ACME protocol.

I'll do a write-up soon of all this.

[sephiroth1395]

For anyone reading this: adding an additional JWK provisioner and configuring it to use the proposed template perfectly fits the bill. Thanks again!

[tashian]

Nice, @sephiroth1395! I'm glad you got this working. Excited to see your write-up when it's ready. :D