Update docs for RA.

Mariano Cano 2020-10-19 18:43:11 -07:00
parent d46990d4c4
commit 2ec0c24e98


@ -1,14 +1,15 @@
# Certificate Management Services # Registration Authorities
This document describes how to use a certificate management service or CAS to This document describes how to use an external registration authority (RA), aka
sign X.509 certificates requests. certificate authority service (CAS) to sign X.509 certificates requests.
A CAS is a system that implements an API to sign certificate requests, the A CAS is a system that implements an API to sign certificate requests, the
difference between CAS and KMS is that the latter can sign any data, while CAS difference between CAS and KMS is that the latter can sign any data, while CAS
is intended to sign only X.509 certificates. is intended to sign only X.509 certificates.
`step-ca` defines an interface that can be implemented to support other `step-ca` defines an interface that can be implemented to support other
services, currently only CloudCAS and the default SoftCAS are implemented. registration authorities, currently only CloudCAS and the default SoftCAS are
implemented.
The `CertificateAuthorityService` is defined in the package The `CertificateAuthorityService` is defined in the package
`github.com/smallstep/certificates/cas/apiv1` and it is: `github.com/smallstep/certificates/cas/apiv1` and it is:
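Review bot: The rewritten intro presents a registration authority and a certificate authority service as the same thing ("an external registration authority (RA), aka certificate authority service (CAS)"), but the very next paragraph defines a CAS as the system that signs certificate requests, which is a CA role; an RA validates and forwards requests rather than signing. Consider phrasing it as `step-ca` acting as an RA in front of an external CAS that performs the signing, so the two terms are not read as synonyms. Two grammar points carried over from the old text are also worth fixing here: "X.509 certificates requests" should be "X.509 certificate requests", and "to support other registration authorities, currently only CloudCAS and the default SoftCAS are implemented" is a comma splice; a semicolon or full stop after "registration authorities" resolves it.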
@ -123,15 +124,15 @@ or using `gcloud` CLI:
--reusable-config "subordinate-server-tls-pathlen-0" --reusable-config "subordinate-server-tls-pathlen-0"
``` ```
Not it's time to enable it in `step-ca` adding the new property `"cas"` must be added Now it's time to enable it in `step-ca` by adding some new files in the
to the `ca.json`. `"authority"` section of the `ca.json`.
```json ```json
{ {
"cas": { "authority": {
"type": "cloudCAS", "type": "cloudCAS",
"credentialsFile": "/path/to/credentials.json", "credentialsFile": "/path/to/credentials.json",
"certificateAuthority": "projects/<name>/locations/<loc>/certificateAuthorities/<ca-name>" "certificateAuthority": "projects/<name>/locations/<loc>/certificateAuthorities/<ca-name>",
} }
} }
``` ```
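Review bot: The new `"certificateAuthority"` line ends with a trailing comma directly before the closing `}`, which makes the snippet invalid JSON (the old version of the snippet had no comma there), so a reader pasting it into `ca.json` will get a parse error from any strict JSON parser. Either drop the comma or add the key it was left open for. Separately, "by adding some new files in the `"authority"` section" should read "some new properties" (or "fields"); the only file involved is the existing `credentialsFile` value.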
@ -161,12 +162,10 @@ need to configure `"root"`, and because the intermediate is in Google Cloud,
"type": "badger", "type": "badger",
"dataSource": "/home/jane/.step/db", "dataSource": "/home/jane/.step/db",
}, },
"cas": { "authority": {
"type": "cloudCAS", "type": "cloudCAS",
"credentialsFile": "/home/jane/.step/credentials.json", "credentialsFile": "/home/jane/.step/credentials.json",
"certificateAuthority": "projects/smallstep-cas-test/locations/us-west1/certificateAuthorities/prod-intermediate-ca" "certificateAuthority": "projects/smallstep-cas-test/locations/us-west1/certificateAuthorities/prod-intermediate-ca",
},
"authority": {
"provisioners": [ "provisioners": [
{ {
"type": "JWK", "type": "JWK",
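Review bot: Pre-existing but worth fixing in the same pass: the `db` block keeps a trailing comma after `"dataSource": "/home/jane/.step/db"` immediately before its closing `},`, so the full example remains invalid JSON even after the `cas` keys are merged into `authority`. The merge itself reads correctly here: `"certificateAuthority"` now legitimately ends with a comma because `"provisioners"` follows it, which is the opposite of the situation in the shorter snippet in the earlier hunk, where the same comma closes the object and should go.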