Add Option to specify Provisioner Key locally

[FrediWeber]

The documentation of step-ca specifies, that it is possible to use the JWK provisioner without the encryptedKey specified in ca.json and the user / system that wants to provision a certificate, needs to specify the key instead of just the password for the encryptedKey.
https://smallstep.com/docs/step-ca/provisioners#jwk

encryptedKey*: is the encrypted private key used to sign a token. It's a JWE compact string containing the JWK representation of the private key. This value is not necessary for CA operation, but is provided for the convenience of clients. Without the encryptedKey attribute, the private key must be provided by the client, using the --key flag.

Even though it should not pose a security risk to have the encryptedKey exposed in the /provisioner endpoint (because of the really strong encryption), it would be nice, if there would be a possibility to configure the provisioner with the key on the step-issuer side.

It should be possible, to specify the actual key and not just the password for the key in the same secret and specify the secret key in the provisioner config.

[dopey]

Hey @FrediWeber 👋. Thanks for opening the issue!

I believe this is already possible. When adding a JWK provisioner try doing step ca provisioner add with only the --public-key. Or, for an already created provisioner you can do step ca provisioner update example-jwk --private-key="".

Let me know if those options work for you.

[FrediWeber]

Hi @dopey
Thank you very much for the quick response. It is possible on the step-certificate (step-ca) side to omit the encryptedKey but AFAIK not on the step-issuer side inside the Kubernetes cluster.
So when I'm not configuring the encryptedKey in the provisioner config on the step ca, I should have to configure it on the client side (step-issuer) inside the Kubernetes cluster. Looking at the code and the CRDs of the issuer config I can't see, how I would do that. I'm just able to provide a password for the encryptedKey.
We're using the step-issuer in the Kubernetes cluster only as a cert-manager extension/plugin to provision new certificates signed by a step-ca running outside the cluster.