Problems adding X5C Provisioner

[logopk]

From what I've read here I have to run only the following command - done:

step ca provisioner add x5c-smallstep --type x5c --x5c-root $(step path)/certs/root_ca.crt --create

However the following data necessary is not explained anywhere

step ca provisioner add x5c-smallstep --type x5c --x5c-root $(step path)/certs/root_ca.crt --create
✔ Please enter admin name/subject (e.g., name@example.com): <the name of my JWK provisioner>
✔ Provisioner: <the name of my JWK provisioner> (JWK) [kid: <id>]
Please enter the password to decrypt the provisioner key: < my provisioner password>

That leads to an error:

json: cannot unmarshal number into Go value of type ca.AdminClientError

In my ca server log i see a 404 on

time="2022-06-20T15:06:35+02:00" level=warning duration="28.619µs" duration-ns=28619 fields.time="2022-06-20T15:06:35+02:00" method=POST name=ca path=/admin/provisioners protocol=HTTP/2.0 referer= remote-address=192.168.1.106 request-id=cao71msnla6c73de6s1g size=19 status=404 user-agent="Smallstep CLI/0.20.0 (darwin/arm64)" user-id=

Any idea what I'm doing wrong...

Thank you for your help.

[maraino]

Hi @logopk, you're getting a status=404 because your CA is configured to use the ca.json to manage the provisioners. Currently, there're 3 ways to manage those:

• ca.json (default)
• local database, the ca.json authority will look like "authority": {"enableAdmin": true"}
• "linked" database using our free offering on https://smallstep.com/signup, you will control the CA and all the signing but admins and provisioners are stored in our cloud.

step tries to locate the ca.json and if it can't it defaults to the other two options. If you want to continue using the ca.json, you need to go into the server the CA is, run the same command, and then reload the CA (killall -HUP step-ca). You can use the --ca-config flag to point to the ca.json if it is not in $(step path)/config/ca.json.

The only way to move from ca.json to the local DB, is to change the ca.json to set the enableAdmin: "true", and register all your provisioners again. You will also need to create an admin (step ca admin add) to manage those. When you start the CA the one will be automatically created, the subject for the question above will be step, and the password will be the same used to encrypt the intermediate key. You can use that to create your own admin provisioner and your own super admin, and get rid of the automatically created one if you prefer.

At the same time, it's not always a good idea to use the CA root to create an X5C provisioner, and the reason is that anyone that can create a certificate in that CA, for example, anyone in your organization if you're using an OIDC provisioner, will be able to create any kind of certificate. In our paid offering you can add custom policies for each provisioner, but this is not supported in open source.

[logopk]

Thanks for the hint to a different root.

I was successful with the description of https://github.com/joaopedrolourencoaffonso/python_smallstep/blob/fdb1cf019b2be7c0121883590088c1f1045aa37d/7-version/README.md

To add the X5C provisioner I used the path to config/ca.json

step ca provisioner add registration --type x5c --x5c-root x5c/intermediate_crt.pem  --create --ca-config $PWD/ca-staging/config/ca.json

One thing was a bit irritating. I use a different step context for the staging ca.

When I ran the command first, step cli complained that it did not find the templates directory in the context directory.

error loading authority: error reading templates/ssh/include.tpl: stat /Users/logo/.step/authorities/staging/templates/ssh/include.tpl: no such file or directory

I symlinked the staging ca's templates directory to this and the problem went away.

Why does the client look for that in the bootstrap-STEPHOME and not the given ca-config-Path?

[maraino]

We generally consider relative paths on configuration files to be relative to the current $STEPPATH not to the file you're reading, so if you're using online mode is recommended to set that properly using either the --context staging flag or using the command step context select staging assuming that's the name of your context.

You can see the available contexts using step context list and your current STEPPATH running step path.

[logopk]

I see, but I still have a question: why would the client search for templates (that are usually not used with the cli) that are installed and used on the server.
Then: it's asking for an ssh template, while I ried to ad an x5c provisioner?

[maraino]

It doesn't need them, but the code that reads and manipulates the ca.json is part of step-ca, and there will be some code that checks for them and it is not skipped in this case. I will fill an issue about this.

[maraino]

Here it is smallstep/cli#722

[logopk]

Thanks!