Secure Your Apple Fleet with Jamf + Smallstep

Oct 28

Register today

Configure step-ca with an RSA certificate chain

Introduction

The step ca init command creates a PKI with ECDSA CA keys. However, for legacy and compliance reasons, some applications require a CA chain that uses RSA keys. In this tutorial, you will replace the default ECDSA CA certificates with an RSA chain.

Note that the step-ca server will always issue an ECDSA P-256 key for its own internal TLS leaf certificate— even if you have an RSA intermediate and root. However, the CA can sign leaf certificates using RSA, ECDSA, or Ed25519 key types, regardless of the key types of the root and intermediate CA.

Before you begin

This tutorial uses RSA-PSS and SHA256 for the signature algorithm. RSA-PSS appeared in 2003 in RFC 3447. Both RFC 3447 and the updated RFC 8017 recommend RSA-PSS (aka RSASSA-PSS) over RSA PKCS#1 v1.5 (from 1993). RSA-PSS has a security proof and is (in theory) more robust than RSA PKCS #1 v1.5.

While PKCS #1 v1.5 has no known security weaknesses as of October 2025, it is not recommended for new applications. However, for compatibility with some Apple use cases, RSA PKCS #1 v1.5 may be necessary, so we've provided alternative instructions below.

Requirements

  • Open Source - This tutorial assumes you have installed the step and step-ca software, and that you've just initialized a CA using the steps in Getting Started.
  • Smallstep Certificate Manager - Please get in touch with Smallstep Customer Success if you want to use a RSA certificate chain.

Instructions

First, stop your step-ca server if it is running.

Next, delete your existing PKI and create RSA root and intermediate certificates and keys. This step will overwrite your existing CA.

cat <<EOF > rsa_root_ca.tpl
{
  "subject": {{ toJson .Subject }},
  "issuer": {{ toJson .Subject }},
  "keyUsage": ["certSign", "crlSign"],
  "basicConstraints": {
    "isCA": true,
    "maxPathLen": 1
  }
  {{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
    , "signatureAlgorithm": "SHA256-RSAPSS"
  {{- end }}
}
EOF
cat <<EOF > rsa_intermediate_ca.tpl
{
  "subject": {{ toJson .Subject }},
  "issuer": {{ toJson .Subject }},
  "keyUsage": ["certSign", "crlSign"],
  "basicConstraints": {
    "isCA": true,
    "maxPathLen": 0
  }
  {{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
    , "signatureAlgorithm": "SHA256-RSAPSS"
  {{- end }}
}
EOF
step certificate create "Example Root CA" \
    $(step path)/certs/root_ca.crt \
    $(step path)/secrets/root_ca_key \
    --template rsa_root_ca.tpl \
    --kty RSA \
    --not-after 87660h \
    --size 3072
step certificate create "Example Intermediate CA" \
    $(step path)/certs/intermediate_ca.crt \
    $(step path)/secrets/intermediate_ca_key \
    --ca $(step path)/certs/root_ca.crt \
    --ca-key $(step path)/secrets/root_ca_key \
    --template rsa_intermediate_ca.tpl \
    --kty RSA \
    --not-after 87660h \
    --size 3072

Change the certificate subject names as desired. You'll be prompted to supply a password to encrypt your private keys.

You may now restart step-ca server.

Although the algorithm is widely deprecated, RSA PKCS #1 v1.5 CAs may be necessary for some Apple clients.

First, stop your step-ca server if it is running.

Next, delete your existing PKI and create RSA root and intermediate certificates and keys. This step will overwrite your existing CA.

step certificate create "Example Root CA" \
    $(step path)/certs/root_ca.crt \
    $(step path)/secrets/root_ca_key \
    --kty RSA \
    --not-after 87660h \
    --size 3072
step certificate create "Example Intermediate CA" \
    $(step path)/certs/intermediate_ca.crt \
    $(step path)/secrets/intermediate_ca_key \
    --ca $(step path)/certs/root_ca.crt \
    --ca-key $(step path)/secrets/root_ca_key \
    --kty RSA \
    --not-after 87660h \
    --size 3072

Change the certificate subject names as desired. You'll be prompted to supply a password to encrypt your private keys.

You may now restart step-ca server.

Optional: Restricting issuance to RSA

By default, the CA will sign certificate requests for RSA, ECDSA, or Ed25519 keys. You may want to restrict the CA to issuing RSA leaf certificates only.

Create a CA template called rsa.tpl:

{
  "subject": {{ toJson .Subject }},
  "sans": {{ toJson .SANs }},
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
  "keyUsage": ["dataEncipherment", "digitalSignature"],
{{- else }}
  {{ fail "Key type must be RSA. Try again with --kty=RSA" }}
{{- end }}
  "extKeyUsage": ["serverAuth", "clientAuth"]
}

Finally, configure step-ca to use the template.

Last updated on October 22, 2025