
SSH-equivalent to "Create a new Certificate Authority or an intermediate CA from your existing PKI" #97

brotherdust opened this issue Jun 14, 2021 · 6 comments
Labels
documentation Improvements or additions to documentation

Comments

@brotherdust

Basically what the title says. There doesn't seem to be a way to generate an SSH-specific CSR for my root to sign. Would be nice if you could make the SSH equivalent to the tutorial here. Having instructions on the following:

  1. How to generate CSRs for SSH CA intermediate authority use, both for user and host types.
  2. How to get SSHCA working if you didn't use the step ca init --ssh function.

As it is, it would seem the only way to get an SSHCA up and running is to run step ca init --ssh, implying that it cannot be done after step ca init.

This is probably two different use-cases, but the story is similar.
Please advise. Thanks!

@brotherdust brotherdust added documentation Improvements or additions to documentation needs triage labels Jun 14, 2021
@maraino
Contributor

maraino commented Jun 14, 2021

Hi @brotherdust, we should add some kind of tutorial to enable SSH certificates on an already initialized SSH. I can give you a short version here. But first, let me clarify your point 1; SSH doesn't have CSRs and does not have intermediate certificates, SSH just needs a private key to be able to sign certificates.

Taking that into account, you will need to generate a couple of keys, one to sign host certificates and another one to sign ssh certificates:

step crypto keypair host.pub host.key
step crypto keypair user.pub user.key

Due to how step-ca currently starts with encrypted keys, you will need to use the same password that you used to encrypt the X.509 certificate key.

After that you will only need to add the following block in your ca.json:

{
    ...
    "ssh": {
        "hostKey": "/path/to/.step/secrets/host.key",
        "userKey": "/path/to/.step/secrets/user.key"
    },
    ...
}

This will get you to a basic configuration, but you will be using the default configuration templates. If you want to change them, the easiest way is to initialize a step-ca in a different STEPPATH and copy the templates in the ca.json and the generated templates in $STEPPATH/templates. To use another STEPPATH for a temporary configuration just do:

STEPPATH=/tmp/temp-ca step ca init --ssh
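The manual procedure above (two signing keys, then an "ssh" block in ca.json) as an added example, not code from smallstep or from the comment author. It assumes the key files were produced by step crypto keypair as PEM and encrypted with the X.509 key's password, and it refuses to proceed when a key is missing, unencrypted, world-readable, reused for both roles, or when ca.json already points at different keys; demo() exercises it in a throwaway STEPPATH with constructed fake keys.

```python
"""Added example (not smallstep code): add the "ssh" block from the comment above to an
existing ca.json after checking the signing keys (assumes `step crypto keypair` PEM files)."""
import json, stat, tempfile
from pathlib import Path

def check_key_file(path):
    """Return problems with a CA signing-key file (empty list means OK)."""
    p = Path(path)
    if not p.is_file():
        return [f"{path}: missing"]
    problems = []
    if stat.S_IMODE(p.stat().st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: readable by group/others")
    text = p.read_text(errors="replace")
    if "PRIVATE KEY" not in text:
        problems.append(f"{path}: not a PEM private key")
    elif "ENCRYPTED" not in text:  # assumption: an encrypted key carries an ENCRYPTED PEM header
        problems.append(f"{path}: key is not password-protected")
    return problems

def add_ssh_keys(config, host_key, user_key):
    """Return a copy of the ca.json dict with the "ssh" block set (never silently overwrite)."""
    if Path(host_key).resolve() == Path(user_key).resolve():
        raise ValueError("host and user CA keys must be different files")
    ssh = {"hostKey": host_key, "userKey": user_key}
    if config.get("ssh", ssh) != ssh:
        raise ValueError("ca.json already has a different ssh block")
    return {**config, "ssh": ssh}

def patch_ca_json(path, host_key, user_key):
    """Validate both keys, then rewrite ca.json in place; returns the problems found."""
    problems = check_key_file(host_key) + check_key_file(user_key)
    if not problems:
        cfg = add_ssh_keys(json.loads(Path(path).read_text()), host_key, user_key)
        Path(path).write_text(json.dumps(cfg, indent=4) + "\n")
    return problems

def demo(encrypted=True, mode=0o600):
    """Run the patch in a throwaway STEPPATH with constructed (fake) key files."""
    root = Path(tempfile.mkdtemp())
    header = "Proc-Type: 4,ENCRYPTED\n" if encrypted else ""
    pem = f"-----BEGIN EC PRIVATE KEY-----\n{header}MIGH...\n-----END EC PRIVATE KEY-----\n"
    (root / "secrets").mkdir()
    for name in ("host", "user"):
        (root / "secrets" / f"{name}.key").write_text(pem)
        (root / "secrets" / f"{name}.key").chmod(mode)
    ca = root / "ca.json"
    ca.write_text(json.dumps({"root": str(root / "certs" / "root_ca.crt")}))
    problems = patch_ca_json(str(ca), str(root / "secrets/host.key"), str(root / "secrets/user.key"))
    return problems, json.loads(ca.read_text()).get("ssh")
```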

@brotherdust
Author

Thank you kindly! Do you want to keep this open as an issue with the documentation?

@maraino
Contributor

maraino commented Jun 15, 2021

Let's leave it open and it will appear in our next triage meeting.

@brotherdust
Author

Thanks for this! I'm trying it now.

@tashian
Contributor

tashian commented Jun 23, 2021

See also: smallstep/certificates#400

@dopey
Contributor

dopey commented Jun 30, 2021

In the not so long term, we agree that the cli needs a command to make this process seamless.

In the meantime, we've updated our docs in a few places so that the manual method is easier to find. I'm leaving the ticket open as something we'd like to return to, but not a short term priority.

@tashian tashian transferred this issue from smallstep/certificates May 9, 2022