
Comments (2)

maraino avatar maraino commented on June 29, 2024

I've never used Cloudflare services, so the following can be wrong.

If I understand correctly, you want to use step-ca as an RA (or a CA) behind Cloudflare Zero Trust and then use commands like step ca certificate ... to access that step-ca. And for that, you need to provide the headers CF-Access-Client-Id and CF-Access-Client-Secret. Right?

So initially, add support to step CLI to pass random headers or cookies to all the requests going to step-ca. For example, when you run:

step ca certificate \
  --header 'CF-Access-Client-Id: foo' \
  --header 'CF-Access-Client-Secret: bar' \
  localhost local.crt local.key

This could make an HTTP request to /provisioners with those headers and then a request to /sign with the same headers.

But looking further, I think the first request to /provisioners will return the response of step-ca and set-cookie header that we can use in the call to /sign instead of the client ID and secret. To inject that, Cloudflare will have to terminate TLS and then forward everything through a new TLS connection to step-ca. Something like:

step-cli <= TLS => CloudFlare Terminates TLS <= TLS (private pki) => step-ca

Is this correct? Is the first TLS connection using Web PKI or Private PKI?

If I'm correct, a few operations won't directly work. For example, step ca renew ... won't work because it will be using mTLS, but you would be able to use the flag --mtls=false to skip mTLS and send an Authorization header with a JWT with the certificate signed by the private key.

Can you please describe the flow of requests and point me in the right direction?

from cli.
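The request flow sketched in the comment above (client-ID and client-secret headers on the first request to /provisioners, then the proxy's Set-Cookie reused on the later request to /sign), as an added example that is not part of the original thread or of the step CLI code base. The gateway below is a constructed stand-in for the zero-trust proxy, the credentials are constructed, and the cookie name CF_Authorization is an assumption made for illustration; the only names taken from the thread are the two CF-Access-* headers and the two step-ca paths.

```python
import http.cookiejar
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names from the thread; the session cookie name is an assumption.
CLIENT_ID_HEADER = "CF-Access-Client-Id"
CLIENT_SECRET_HEADER = "CF-Access-Client-Secret"
SESSION_COOKIE = "CF_Authorization"  # assumed name, illustrative only

# Constructed credentials accepted by the simulated gateway.
VALID_ID = "foo"
VALID_SECRET = "bar"
SESSION_VALUE = "constructed-session-token"


class FakeAccessGateway(BaseHTTPRequestHandler):
    """Constructed stand-in for a zero-trust proxy sitting in front of step-ca.

    It accepts either the client-id/secret header pair or a session cookie it
    issued earlier; on a successful header login it sets that cookie.
    """

    def _authorized(self):
        cookie_pairs = self.headers.get("Cookie", "").replace(" ", "").split(";")
        if f"{SESSION_COOKIE}={SESSION_VALUE}" in cookie_pairs:
            return True, False  # cookie session: authorized, no new cookie
        ok = (self.headers.get(CLIENT_ID_HEADER) == VALID_ID
              and self.headers.get(CLIENT_SECRET_HEADER) == VALID_SECRET)
        return ok, ok  # header login: authorized and issue a cookie

    def do_GET(self):
        authorized, issue_cookie = self._authorized()
        if not authorized:
            self.send_response(403)
            self.end_headers()
            return
        body = json.dumps({"path": self.path}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        if issue_cookie:
            self.send_header("Set-Cookie", f"{SESSION_COOKIE}={SESSION_VALUE}; Path=/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_POST = do_GET  # /sign is a POST in step-ca; same gate applies

    def log_message(self, *args):  # keep the example quiet
        pass


def start_gateway():
    """Bind the simulated gateway on a free loopback port and return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeAccessGateway)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def _status(opener, request):
    """Return the HTTP status of a request, treating 4xx/5xx as a status rather than an exception."""
    try:
        with opener.open(request) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_flow(base_url, extra_headers):
    """First call /provisioners with extra_headers, then /sign carrying only the captured cookie.

    Returns (status of /provisioners, status of /sign, names of cookies captured).
    """
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    first = _status(opener, urllib.request.Request(base_url + "/provisioners", headers=extra_headers))
    # Deliberately no CF-Access-* headers here: only the cookie jar carries state.
    second = _status(opener, urllib.request.Request(base_url + "/sign", data=b"{}", method="POST"))
    return first, second, sorted(c.name for c in jar)


if __name__ == "__main__":
    server, url = start_gateway()
    print(run_flow(url, {CLIENT_ID_HEADER: VALID_ID, CLIENT_SECRET_HEADER: VALID_SECRET}))
    print(run_flow(url, {}))
    server.shutdown()
```

Run with the header pair and the /sign request succeeds on the cookie alone; run without the headers and both requests are refused, which is the behaviour a client would need to handle if the proxy terminates TLS in front of step-ca as described above. A real client would also have to decide which cookie names it is willing to persist and for how long, since the session cookie is now a bearer credential in its own right.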

jonathon2nd avatar jonathon2nd commented on June 29, 2024

Thinking about it more, this is not something we want to use for this RA, as it will be connected to via step-issuer on public k8s clusters. I am sure that setting that up with zero trust will be a pain if not impossible. The whole reason for a separate provisioner on the issuing CA for this separate external registration authority is to have a secure endpoint with minimized risk. So this may just be unnecessary?

I am not really that knowledgeable in it, I just use it for various things.

from cli.
