Comments (2)
Hi @mirex05, this is definitively a bug. Are you trying to set the template data or just a template?
If it is a template, it probably should be:
{
"subject": {
"country": "US",
"organization": "ACME Corp",
"organizationalUnit": "ACME Team",
"commonName": {{ toJson .Subject.CommonName }}
},
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
"keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
"keyUsage": ["digitalSignature"],
{{- end }}
"extKeyUsage": ["serverAuth", "clientAuth"]
}
The "issuer" will always be overwritten when we sign the certificate, so you don't really need it. The common name should be without quotes because you are using toJson, and the key usage keyEncipherment is only for RSA keys.
It doesn't make sense to use the template data without a template. The template data is information that you add in the ca.json that can be consumed by a template, for example, with this template data:
"templateData": {
"country": "US",
"organization": "Acme Corp.",
"organizationalUnit": "Coyote"
}
You can create a template that sets the subject like this:
{
"subject": {
"country": {{ toJson .country }},
"organization": {{ toJson .organization }},
"organizationalUnit": {{ toJson .organizationalUnit }},
"commonName": {{ toJson .Subject.CommonName }}
},
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
"keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
"keyUsage": ["digitalSignature"],
{{- end }}
"extKeyUsage": ["serverAuth", "clientAuth"]
}
The toJson function is not really required. You can do "{{ .country }}", but it sanitizes the data in the variables so nothing unexpected is injected.
Hi @maraino, currently it's only a lab before setting up step CA in production, so I'm just doing some experiments and seeing how it works. Thanks for the detailed explanation about the difference between template and template data, now it's definitely clear to me what I should use.