Remotely creating a ssh host certificate

[fa-ndubreuilh]

Hello,

We're using smallstep to create and renew certificates. Everything is working.
This morning I added the SSH CA to the ca.json file:
"ssh": { "hostKey": "/home/mysuer/.step/secrets/ssh_host_ca_key", "userKey": "/home/myuser/.step/secrets/ssh_user_ca_key" },

I can succesfully create an SSH host certificate on the machine that hosts the step-ca using the following command (usingJWK provisioner):
step ssh certificate --host mymachine.exemple ssh_host_ecdsa_key

However, when I try to do it remotely (using JWK again):
step ssh certificate --ca-url https://my_ca_url --root root_ca.pem --host my_host ssh_host_ecdsa_key
it doesn't work and the logs say:
"error":"authority.Authorize: authority.authorizeSSHSign: provisioner not found or invalid audience

Same when I try to renew my previously generated certificat using this this SSHPOP provisioner:

step ssh renew --force --ca-url=https://my_ca_url --root root.pem /etc/ssh/ssh_host_ecdsa_key-cert.pub /etc/ssh/ssh_host_ecdsa_key

authority.Authorize: authority.authorizeSSHRenew: provisioner not found or invalid audience

Does anyone have an idea where the issue could come from ? I already set the "EnableSSHCA" in all my provisioners claims.

Thank you!

SSHPOP configuration (if it can help):

{
                                "type": "SSHPOP",
                                "name": "sshpop",
                                "claims": {
                                        "enableSSHCA": true,
                                        "disableRenewal": false,
                                        "allowRenewalAfterExpiry": false
                                }
                        },
}

[tashian]

What provisioner are you using to issue the certificate? On the remote machine, does step ca provisioner list output the same thing as on the CA?

[fa-ndubreuilh]

Hello,
I closed the issue, i found the solution.
For some reasons the step ca domain names in ca.json was in capital letters, i guess step is case sensitive in that case, because if you don't use capital letters in the --ca-url, it won't work.
Anyway, i removed the capital letters and it is working as expected.

And to answer your question i was using the JWK provider.

Thank you for your answers