A way to fetch the intermediate certificate #207

Open
CMCDragonkai opened this issue Jan 20, 2020 · 12 comments
Comments

@CMCDragonkai

What would you like to be added

The step root command gets the root certificate. But what if you want the intermediate certificate? What if you want the entire chain? I would like a command that could fetch the whole path or some part of the path.

Why this is needed

When code signing, the signature requires the path to the intermediate certificate. I'm using the openssl cms command to do this atm:

#!/usr/bin/env sh

artifact="$1"    # file to be signed
signature="$2"   # output path for the DER-encoded CMS signature

# Sign the artifact with the code-signing key/cert; -certfile adds extra
# certificates to the signed data so verifiers can build the chain.
openssl cms \
  -sign -binary -noattr \
  -in "$artifact" \
  -signer "$CODE_SIGNING_CERT" \
  -inkey "$CODE_SIGNING_KEY" \
  -certfile "$ROOT_TLS_CERT" \
  -outform DER \
  -out "$signature"

And then I realized that the above command requires the intermediate cert too, but it's not available.

@maraino
Collaborator

maraino commented Feb 3, 2020

@dopey @CMCDragonkai step certificate inspect --bundle <url> returns the server and intermediate certificate for a URL, an option to solve this can be to add a --raw command to get the actual PEM.

@CMCDragonkai
Author

CMCDragonkai commented Feb 3, 2020 via email

@mmalone
Contributor

mmalone commented Feb 6, 2020

When you request a certificate from step-ca we actually send you a "bundle" that includes the intermediate certificate along with your new leaf certificate. This is what you want 99% of the time for TLS. So if you're getting a cert from step-ca you can pull the intermediate out of that bundle. The openssl cms command might even accept a bundle and do the right thing without specifying the intermediate separately.

That said, it does seem like we could provide a step ca intermediate command to fetch the current intermediate. I also noticed that the step certificate inspect command doesn't have an option to dump PEM. That could be a nice addition, as you could fetch the intermediate by running step certificate inspect against the step-ca and parsing the intermediate out of the PEM bundle (e.g., step certificate inspect --bundle --format pem https://<ca-url>). I created a new issue (#214) to discuss this addition.

@mmalone
Contributor

mmalone commented Feb 6, 2020

Relatedly, I think the /root/{sha} endpoint on step-ca actually returns the intermediate(s) in a separate attribute now. So you might be able to simply curl that endpoint and pipe it through jq to get the intermediate from the CA, as a workaround. @maraino is that correct?

@CMCDragonkai
Author

There are plenty of workarounds, but this feature request is just about adding that command to the step CLI so it can be as easy to fetch the intermediate certificate.

@dopey dopey added this to the Short Term Backlog milestone Apr 15, 2020
@ki-pete

ki-pete commented Jul 13, 2020

Is there an opportunity to add a second intermediate certificate to the bundle which is sent when a certificate is requested?

My current workaround is to use /root and add the second intermediate certificate as the second certificate in the array.

@dopey
Contributor

dopey commented Jul 13, 2020

Hey @ki-pete! I think you're asking about something more akin to smallstep/certificates#244. Is that right?

If that's the case please +1 or comment on that issue (community support helps us with roadmap / prioritization). If I've misunderstood, please explain the use case in a bit more detail - maybe we need a new issue / ticket for it.

@ki-pete

ki-pete commented Jul 14, 2020

Hi @dopey,
thanks a lot. That is what I'm looking for.

@lriley2020

+1 was just googling to see if this command existed - would definitely love to see it implemented!

@tashian
Contributor

tashian commented Apr 30, 2024

+1 this came up when I was trying to configure a strongSwan VPN server. strongSwan needs the intermediate to be in a separate file from the leaf certificate.

@maraino
Collaborator

maraino commented Aug 20, 2024

On step-ca now we have the /intermediates and /intermediates.pem endpoints:

$ curl -s --cacert $(step path)/certs/root_ca.crt https://localhost:8443/1.0/intermediates
{"crts":["-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"]}
$ curl -s --cacert $(step path)/certs/root_ca.crt https://localhost:8443/1.0/intermediates.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
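As an added example (not code from this thread or from the step project), the script below does what mmalone's and maraino's comments describe: it fetches the intermediate(s) from the /intermediates.pem endpoint, and it splits a step-ca style PEM bundle (leaf first, intermediates after) into separate files for tools like strongSwan or openssl cms -certfile that want the intermediate on its own. The CA URL, the output file names and the placeholder certificate bodies are assumptions for the demo.

```shell
#!/usr/bin/env sh
# Added example, not code from the issue or from the step project.
# split_pem_bundle writes <outdir>/leaf.crt (first cert) and
# <outdir>/intermediates.crt (every following cert) and prints the count.
split_pem_bundle() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  : > "$outdir/intermediates.crt"   # present even for a leaf-only bundle
  awk -v out="$outdir" '
    /-----BEGIN CERTIFICATE-----/ {
      n++
      f = (n == 1) ? out "/leaf.crt" : out "/intermediates.crt"
    }
    n > 0 { print > f }             # awk keeps each output open until END
    END { print n + 0 }
  ' "$bundle"
}

# Fetch the current intermediate(s) from a running step-ca via the
# /intermediates.pem endpoint shown above. Assumes `step` and curl on PATH;
# the CA URL is $1 and defaults to the thread's https://localhost:8443.
fetch_intermediates_pem() {
  curl -sf --cacert "$(step path)/certs/root_ca.crt" \
    "${1:-https://localhost:8443}/1.0/intermediates.pem"
}

# Constructed three-certificate bundle with placeholder bodies so the split
# can be shown offline; a real bundle carries base64 DER between the markers.
constructed_bundle() {
  for name in leaf intermediate-1 intermediate-2; do
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
      "PLACEHOLDER-$name" '-----END CERTIFICATE-----'
  done
}

# Count PEM certificates in a file (used by the demo below).
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

demo_dir=$(mktemp -d)
constructed_bundle > "$demo_dir/bundle.pem"
split_pem_bundle "$demo_dir/bundle.pem" "$demo_dir/out" > /dev/null
echo "leaf: $(count_certs "$demo_dir/out/leaf.crt") cert(s)," \
     "intermediates: $(count_certs "$demo_dir/out/intermediates.crt") cert(s)"
```

To use a real bundle, replace the constructed_bundle call with the file step-ca returned, or feed the output of fetch_intermediates_pem straight to the tool that needs the intermediate.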

@tashian
Contributor

tashian commented Aug 22, 2024

added a note in the docs here: smallstep/docs#345
