Mariano Cano
9e5762fe06
Allow the reuse of azure token if DisableTrustOnFirstUse is true
Azure caches tokens for 24h and we cannot issue a new certificate
for the same instance in that period of time.
The meaning of this parameter is to allow the signing of multiple
certificates in one instance. This is possible in GCP, because we
get a new token, and is possible in AWS because we can generate
a new one. On Azure there was no other way to do it unless you
wait for 24h.
Fixes #656
2021-08-11 11:50:54 -07:00
Mariano Cano
66f6c73655
Update badger driver to use v2 by default.
2021-08-11 11:19:29 -07:00
Mariano Cano
492ff4b632
Ask for the first provisioner password if none is provided.
2021-08-10 17:30:33 -07:00
Mariano Cano
28e882c9b3
Add deployment type to export.
2021-08-10 17:14:17 -07:00
Mariano Cano
072ba4227c
Add deployment type to config.
This field is ignored except for the start of the ca. If the type
is linked and the token is not passed, it will fail with an error.
2021-08-10 17:07:15 -07:00
Mariano Cano
56bb3eb6e1
Add next steps for linked ca.
2021-08-10 14:54:31 -07:00
Herman Slatman
f31ca4f6a4
Add tests for validateExternalAccountBinding
2021-08-10 12:39:44 +02:00
Herman Slatman
492256f2d7
Add first test cases for EAB and make provisioner unique per EAB
Before this commit, EAB keys could be used CA-wide, meaning that
an EAB credential could be used at any ACME provisioner. This
commit changes that behavior, so that EAB credentials are now
intended to be used with a specific ACME provisioner. I think
that makes sense, because from the perspective of an ACME client
the provisioner is like a distinct CA.
Besides that this commit also includes the first tests for EAB.
The logic for creating the EAB JWS as a client has been taken
from github.com/mholt/acmez. This logic may be moved or otherwise
sourced (i.e. from a vendor) as soon as the step client also
(needs to) support(s) EAB with ACME.
2021-08-09 10:37:32 +02:00
Herman Slatman
71b3f65df1
Add processing of RequireEAB through Linked CA
2021-08-07 01:33:08 +02:00
Mariano Cano
47a30f1524
Add JWK provisioner to generic config.
Fix linter errors.
2021-08-06 14:58:03 -07:00
Mariano Cano
536536c92d
Wrap json errors.
2021-08-06 14:55:17 -07:00
Mariano Cano
640f523150
Remove unused function.
2021-08-06 14:31:49 -07:00
Mariano Cano
9d51c2cceb
Fix linter errors in the name of export methods.
2021-08-06 14:29:54 -07:00
Mariano Cano
16d3afb92a
Remove unused method.
2021-08-06 12:37:20 -07:00
Mariano Cano
d72fa953ac
Remove debug statements.
2021-08-05 18:50:18 -07:00
Mariano Cano
3f07eb597a
Implement revocation using linkedca.
2021-08-05 18:45:50 -07:00
Mariano Cano
81004ce1f9
Remove deprecated functions.
2021-08-05 17:36:18 -07:00
Mariano Cano
f643af7095
Update onboarding flow with new pki package.
2021-08-05 15:57:48 -07:00
Mariano Cano
79cf059447
Remove deprecated methods and write all pki files at once.
2021-08-05 15:57:13 -07:00
Mariano Cano
ad4dbd6764
Write all files on save.
2021-08-05 12:58:54 -07:00
Mariano Cano
50f7a0d0c0
Work in progress implementation of PKI with helm support
2021-08-04 20:15:26 -07:00
Mariano Cano
798b90c359
Move linkedca configuration to the main package.
2021-08-04 20:15:04 -07:00
Mariano Cano
de719eb6f0
Add an option to avoid password prompts on step cas
When we are using `step ca init` to create a stepcas RA we don't
have access to the password to verify the provisioner.
2021-08-04 16:16:35 -07:00
Mariano Cano
de292fbed6
Use branch version of linkedca.
2021-08-02 16:08:54 -07:00
Mariano Cano
721459210e
Make pki initialization more flexible.
2021-08-02 16:07:30 -07:00
Mariano Cano
384be6e205
Do not show provisioners if they are not required.
For deployment types like linked ca, the list of provisioners in
the ca.json is not required, so we should tag the json as omitempty.
2021-08-02 15:34:39 -07:00
Mariano Cano
b0e0f2b89d
Use linkedca GetAdmin and GetProvisioner.
2021-08-02 14:45:59 -07:00
Mariano Cano
91a369f618
Automatically enable admin properly on linked cas.
2021-08-02 12:13:39 -07:00
Mariano Cano
26122a2cbf
Enable admin automatically if a token is provided.
2021-08-02 11:48:37 -07:00
Carl Tashian
9572c62520
Merge pull request #657 from smallstep/ra-installer
RA install script
2021-08-02 11:39:02 -07:00
Mariano Cano
5344f42f21
Allow to use the environment variable STEP_CA_TOKEN
For helm charts we want to store the tokens in a secret and load
it from an environment variable.
2021-08-02 11:33:02 -07:00
Mariano Cano
2620c38aee
Add ids converting provisioners to linkedca.
The ids are required to be able to link admins with provisioners.
2021-07-28 18:05:57 -07:00
Mariano Cano
e62d7988b8
Do not store password on exports.
2021-07-28 15:22:21 -07:00
Mariano Cano
ac363d7824
Add --password-file and --issuer-password-file flags to export.
2021-07-28 15:21:48 -07:00
Mariano Cano
4f27f4b002
Change default ciphersuites to newer names.
2021-07-28 13:56:05 -07:00
Carl Tashian
97af829805
RA install script
2021-07-28 13:55:35 -07:00
Mariano Cano
07f7316851
Add bastion to export.
2021-07-27 19:22:29 -07:00
Mariano Cano
0730a165fd
Add collection of files and authority template.
2021-07-27 19:19:58 -07:00
Mariano Cano
c7f8516142
Add to export all the information in the ca.json
2021-07-27 18:29:29 -07:00
Mariano Cano
887423ee6e
Update TLS cipher suites.
2021-07-27 18:29:10 -07:00
Carl Tashian
53d08e1f5c
Remove microbadger.com (the website is gone)
2021-07-27 12:03:52 -07:00
Carl Tashian
8f4c833845
Update README.md
2021-07-27 12:01:50 -07:00
Mariano Cano
dc1ec18b52
Create a way to export ca configurations.
2021-07-26 19:01:56 -07:00
Mariano Cano
d0c1530f89
Remove replace of linkedca package.
2021-07-26 14:48:01 -07:00
Mariano Cano
3a00b6b396
Properly marshal a certificate when we send it to linkedca.
2021-07-26 14:31:42 -07:00
Mariano Cano
4ad82a2f76
Check linkedca for revocation.
2021-07-23 16:10:13 -07:00
Herman Slatman
7dad7038c3
Fix missing ACME EAB API endpoints
2021-07-23 15:41:24 +02:00
Herman Slatman
c6a4c4ecba
Change ACME EAB endpoint
2021-07-23 15:16:11 +02:00
Herman Slatman
c6bfc6eac2
Fix PR comments
2021-07-22 23:48:41 +02:00
Herman Slatman
b65a588d5b
Make authentication work for /admin/eak
2021-07-22 22:43:21 +02:00