[Bug]: step ca renew does not integrate with step-kms-plugin #1314

Open
andsens opened this issue Nov 15, 2024 · 1 comment
Labels: bug, needs triage (Waiting for discussion / prioritization by team)

Comments

andsens commented Nov 15, 2024

Steps to Reproduce

step ca renew --force --out /dev/stdout <(step-kms-plugin certificate --kms tpmkms:storage-directory=$HOME/.step/tpm tpmkms:name=key --bundle) tpmkms:name=key

Your Environment

  • OS - Ubuntu 24.04
  • step CLI Version - Smallstep CLI/0.28.0 (linux/amd64)

Expected Behavior

A new certificate is output to stdout

Actual Behavior

error parsing private key: : no such file or directory

Additional Context

The renew command only works with keys stored in files:

cli/command/ca/renew.go, lines 646 to 658 at commit 81a89c1:

	x509ChainBytes := make([][]byte, len(x509Chain))
	for i, c := range x509Chain {
		x509ChainBytes[i] = c.Raw
	}
	opts := []pemutil.Options{pemutil.WithFilename(keyFile)}
	if passFile != "" {
		opts = append(opts, pemutil.WithPasswordFile(passFile))
	}
	pk, err := pemutil.Read(keyFile, opts...)
	if err != nil {
		return tls.Certificate{}, errs.Wrap(err, "error parsing private key")
	}

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@andsens andsens added bug needs triage Waiting for discussion / prioritization by team labels Nov 15, 2024

andsens commented Nov 18, 2024

I built a workaround to this issue by signing a renewal JWT with step-kms-plugin:
https://gist.github.com/andsens/365e81437d47f29fcce861ed11a9114d

@hslatman hslatman assigned hslatman and maraino and unassigned hslatman Nov 19, 2024