step ca policy acme x509 deny cn
Name
step ca policy acme x509 deny cn -- add or remove common names
Usage
step ca policy acme x509 deny cn <name> [--remove]
[--provisioner=<name>] [--eab-key-id=<eab-key-id>] [--eab-key-reference=<eab-key-reference>]
[--admin-cert=<file>] [--admin-key=<file>] [--admin-subject=<subject>]
[--admin-provisioner=<name>] [--admin-password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>]
Description
step ca policy acme x509 deny cn command manages common names in policies
Options
--provisioner=name
The provisioner name
--eab-key-id=value
An ACME EAB Key ID.
--eab-key-reference=value
An ACME EAB Key Reference.
--remove removes the provided Common Names from the policy instead of adding them
--admin-cert=chain
Admin certificate (chain
) in PEM format to store in the 'x5c' header of a JWT.
--admin-key=file
Private key file
, used to sign a JWT, corresponding to the admin certificate that will
be stored in the 'x5c' header.
--admin-subject=subject
, --admin-name=subject
The admin subject
to use for generating admin credentials.
--admin-provisioner=name
, --admin-issuer=name
The provisioner name
to use for generating admin credentials.
--admin-password-file=file
, --password-file=file
The path to the file
containing the password to decrypt the one-time token
generating key.
--ca-url=URI
URI
of the targeted Step Certificate Authority.
--root=file
The path to the PEM file
used as the root certificate authority.
--context=name
The context name
to apply for the given command.
Examples
Allow "My CA Name" as Common Name in X.509 certificates on authority level
$ step ca policy authority x509 allow cn "My CA Name"
Allow www.example.com as Common Name in X.509 certificates on authority level. This can be used in case www.example.com is not allowed as a DNS SAN, but is allowed to be used in the Common Name.
$ step ca policy authority x509 allow cn www.example.com
Remove www.example.com from allowed Common Names in X.509 certificates on authority level.
$ step ca policy authority x509 allow cn www.example.com --remove
Deny "My Bad CA Name" as Common Name in X.509 certificates on authority level
$ step ca policy authority x509 deny cn "My Bad CA Name"