Add --skip-csr-signature option #946

Merged
merged 3 commits into from
May 31, 2023

@hslatman (Member) commented May 25, 2023

When creating a certificate for a public key backed by a KMS that doesn't allow the key to also be used for signing, or in cases where the private key isn't readily available to sign the (internally used) CSR, --skip-csr-signature can be passed to skip signing the (internally used) CSR.

This option is not compatible with --csr, because that requires a CSR with a valid signature to be produced.

Note: this builds on the changes in #945 and depends on the changes in smallstep/crypto#239 to be finalized. After merging the changes from smallstep/crypto#239 smallstep/crypto#248.

Will add example usage when updating with the latest smallstep/crypto.
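
The distinction described above, between a CSR that must carry a valid signature and one used only internally to carry a public key, shown as an added Go example. It uses only the standard library and is not code from this PR or from smallstep/crypto. `newCSR`, `breakSignature` and `csrPublicKey` are hypothetical helpers, and the CSR is constructed sample input whose signature is corrupted to stand in for a request that was never validly signed.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// newCSR returns a signed DER CSR and its public key (constructed sample input).
func newCSR() ([]byte, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "example.internal"}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
	return der, pub, err
}

// breakSignature flips a bit in the last DER byte, the end of the Ed25519 signature.
func breakSignature(der []byte) []byte {
	out := append([]byte(nil), der...)
	out[len(out)-1] ^= 0x01
	return out
}

// csrPublicKey (hypothetical) parses a CSR; requireSignature adds the proof-of-possession check.
func csrPublicKey(der []byte, requireSignature bool) (crypto.PublicKey, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if requireSignature && csr.CheckSignature() != nil {
		return nil, fmt.Errorf("CSR signature invalid")
	}
	return csr.PublicKey, nil
}

func main() {
	der, pub, err := newCSR()
	if err != nil {
		panic(err)
	}
	_, strictErr := csrPublicKey(breakSignature(der), true)
	key, skipErr := csrPublicKey(breakSignature(der), false)
	fmt.Println("strict rejects:", strictErr != nil, "| skip keeps key:", skipErr == nil && pub.Equal(key))
}
```

Without the signature check the CSR proves nothing about who holds the private key, so anything consuming a CSR outside the tool should keep `CheckSignature` in place.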

When creating a certificate for a public key backed by a KMS
that doesn't allow the key to also be used for signing, or in
cases where the private key isn't readily available to sign the
CSR, `--skip-csr-signature` can be passed to skip signing the
(internally used) CSR.

This option is not compatible with `--csr`, because that requires
a CSR with a valid signature to be produced.
@github-actions github-actions bot added the needs triage Waiting for discussion / prioritization by team label May 25, 2023
@hslatman hslatman requested a review from maraino May 25, 2023 14:04

@maraino (Collaborator) left a comment

The API will change.

Base automatically changed from herman/csr-signer to herman/ca-kms May 26, 2023 04:06
Instead of relying on a new implementation based on generics,
smallstep/crypto#248 was created to have
a minimal implementation for supporting signing public keys.
@hslatman hslatman requested a review from maraino May 31, 2023 17:37

@maraino (Collaborator) left a comment

lgtm

@hslatman hslatman merged commit 4407b77 into herman/ca-kms May 31, 2023
13 checks passed
@hslatman hslatman deleted the herman/skip-csr-signature branch May 31, 2023 17:57
@hslatman hslatman added this to the v0.24.5 milestone Aug 1, 2023