Hey there, once again.

I have learned that in step-ca, SSH certificates can be "switched on and off" for a CA at the time the CA is initialized, or that the appropriate root CA and its key can even be integrated into an existing CA that did not use this feature before, by manually editing the ca.json file (or modifying Helm values, as in my case).

As the certificates used for SSH are completely on their own, and there is no possibility of CA chaining for SSH certificates, wouldn't it make sense inside an organization to have one standalone step-ca instance dedicated only to SSH certificates? Is it even possible to have a step-ca WITHOUT X.509 certificates, one that solely takes care of SSH? A benefit of such a standalone setup would be that one could configure exactly one provisioner (OIDC) to be used as the only one, solely for self-issuing SSH certificates.

Does that make sense, and is that possible?

Reply:

Yes, that makes sense. Because of some of the design constraints of step-ca, and the fact that it was originally built for X.509 and SSH was added later, there is no way to remove X.509 from a step-ca instance. But you could always create a CA that you simply never use for X.509, if you want to only use it for SSH.
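To make the "SSH-only in practice" setup discussed above concrete, here is a ca.json sketch added by the editor; it is not configuration posted by either participant or shipped by the smallstep project. It shows the two parts the thread talks about: the top-level `ssh` block that turns the SSH CA on (host and user CA keys), and a single OIDC provisioner with `enableSSHCA` set in its claims so that SSO users can issue their own SSH user certificates. JSON allows no comments, so treat every path, hostname, client ID and secret as a placeholder; the `root`/`crt`/`key` entries are kept because, as the reply says, the X.509 authority cannot be removed and the CA's own HTTPS listener still needs them.

```json
{
  "root": "/home/step/certs/root_ca.crt",
  "crt": "/home/step/certs/intermediate_ca.crt",
  "key": "/home/step/secrets/intermediate_ca_key",
  "address": ":9000",
  "dnsNames": ["ssh-ca.example.internal"],
  "ssh": {
    "hostKey": "/home/step/secrets/ssh_host_ca_key",
    "userKey": "/home/step/secrets/ssh_user_ca_key"
  },
  "logger": {"format": "text"},
  "db": {
    "type": "badgerv2",
    "dataSource": "/home/step/db"
  },
  "authority": {
    "provisioners": [
      {
        "type": "OIDC",
        "name": "corp-sso",
        "clientID": "ssh-ca",
        "clientSecret": "REPLACE_ME",
        "configurationEndpoint": "https://sso.example.internal/.well-known/openid-configuration",
        "domains": ["example.internal"],
        "claims": {
          "enableSSHCA": true,
          "minUserSSHCertDuration": "5m",
          "maxUserSSHCertDuration": "24h",
          "defaultUserSSHCertDuration": "16h"
        }
      }
    ]
  },
  "tls": {
    "cipherSuites": [
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
    ],
    "minVersion": 1.2,
    "maxVersion": 1.3,
    "renegotiation": false
  }
}
```

Two practitioner notes on this sketch. First, the `domains` list restricts which e-mail domains the OIDC provisioner accepts, and the duration claims cap how long a self-issued user certificate can live; both are the knobs that keep a single, broadly usable provisioner from becoming an over-privileged one. Second, because this CA is never meant to issue X.509 leaf certificates, having no JWK or ACME provisioner in the list means there is simply no path for clients to request one, which is the "never use it for X.509" outcome the reply describes. After starting the CA, `step ssh config --roots` against it should print the two SSH CA public keys, which is a quick check that the `ssh` block was picked up.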