smallstep_full_white

Configure step-ca with an RSA certificate chain

Introduction

The step ca init command creates a PKI with ECDSA CA keys. However, for legacy and compliance reasons, some applications require a CA chain that uses RSA keys. In this tutorial, you will replace the default ECDSA CA certificates with an RSA chain.

Note that the step-ca server will always issue an ECDSA P-256 key for its own internal TLS leaf certificate— even if you have an RSA intermediate and root. However, the CA can sign leaf certificates using RSA, ECDSA, or Ed25519 key types, regardless of the key types of the root and intermediate CA.

This tutorial uses RSA-PSS and SHA256 for the signature algorithm. RSA-PSS appeared in 2003 in RFC 3447. Both RFC 3447 and the updated RFC 8017 recommend RSA-PSS (aka RSASSA-PSS) over RSA PKCS#1 v1.5. RSA-PSS has a security proof and is (in theory) more robust than RSA PKCS #1 v1.5. Nevertheless, PKCS #1 v1.5 has no known security weaknesses as of May 2023.

Requirements

  • Open Source - This tutorial assumes you have installed the step and step-ca software, and that you've just initialized a CA using the steps in Getting Started.
  • Smallstep Certificate Manager - Please get in touch with Smallstep Customer Success if you want to use a RSA certificate chain.

Instructions

First, stop your step-ca server if it is running.

Next, delete your existing PKI and create RSA root and intermediate certificates and keys. This step will overwrite your existing CA.

cat <<EOF > rsa_root_ca.tpl
{
  "subject": {{ toJson .Subject }},
  "issuer": {{ toJson .Subject }},
  "keyUsage": ["certSign", "crlSign"],
  "basicConstraints": {
    "isCA": true,
    "maxPathLen": 1
  }
  {{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
    , "signatureAlgorithm": "SHA256-RSAPSS"
  {{- end }}
}
EOF
cat <<EOF > rsa_intermediate_ca.tpl
{
  "subject": {{ toJson .Subject }},
  "issuer": {{ toJson .Subject }},
  "keyUsage": ["certSign", "crlSign"],
  "basicConstraints": {
    "isCA": true,
    "maxPathLen": 0
  }
  {{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
    , "signatureAlgorithm": "SHA256-RSAPSS"
  {{- end }}
}
EOF
step certificate create "Example Root CA" \
    $(step path)/certs/root_ca.crt \
    $(step path)/secrets/root_ca_key \
    --template rsa_root_ca.tpl \
    --kty RSA \
    --not-after 87660h \
    --size 3072
step certificate create "Example Intermediate CA" \
    $(step path)/certs/intermediate_ca.crt \
    $(step path)/secrets/intermediate_ca_key \
    --ca $(step path)/certs/root_ca.crt \
    --ca-key $(step path)/secrets/root_ca_key \
    --template rsa_intermediate_ca.tpl \
    --kty RSA \
    --not-after 87660h \
    --size 3072

Change the certificate subject names as desired. You'll be prompted to supply a password to encrypt your private keys.

You can now restart step-ca server.

Optional: Restricting issuance to RSA

By default, the CA will sign certificate requests for RSA, ECDSA, or Ed25519 keys. You may want to restrict the CA to issuing RSA leaf certificates only.

Create a CA template called rsa.tpl:

{
  "subject": {{ toJson .Subject }},
  "sans": {{ toJson .SANs }},
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
  "keyUsage": ["dataEncipherment", "digitalSignature"],
{{- else }}
  {{ fail "Key type must be RSA. Try again with --kty=RSA" }}
{{- end }}
  "extKeyUsage": ["serverAuth", "clientAuth"]
}