Merge pull request #1566 from smallstep/herman/fix-init-with-duplicate-provisioner-name
Fix `step ca init` with duplicate provisioner name (`--provisioner acme --acme`)pull/1572/head
commit
06750b03fe
@ -0,0 +1,313 @@
|
||||
package pki
|
||||
|
||||
import (
|
||||
"context"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
|
||||
"github.com/smallstep/certificates/authority/admin"
|
||||
admindb "github.com/smallstep/certificates/authority/admin/db/nosql"
|
||||
authconfig "github.com/smallstep/certificates/authority/config"
|
||||
"github.com/smallstep/certificates/authority/provisioner"
|
||||
"github.com/smallstep/certificates/cas/apiv1"
|
||||
"github.com/smallstep/certificates/db"
|
||||
"github.com/smallstep/nosql"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
"go.step.sm/cli-utils/step"
|
||||
)
|
||||
|
||||
func withDBDataSource(t *testing.T, dataSource string) func(c *authconfig.Config) error {
|
||||
return func(c *authconfig.Config) error {
|
||||
if c == nil || c.DB == nil {
|
||||
require.Fail(t, "withDBDataSource prerequisites not met")
|
||||
}
|
||||
c.DB.DataSource = dataSource
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func TestPKI_GenerateConfig(t *testing.T) {
|
||||
var preparePKI = func(t *testing.T, opts ...Option) *PKI {
|
||||
o := apiv1.Options{
|
||||
Type: "softcas",
|
||||
IsCreator: true,
|
||||
}
|
||||
|
||||
// TODO(hs): invoking `New` doesn't perform all operations that are executed
|
||||
// when `ca init` is executed. Ideally this logic should be handled in one
|
||||
// place and probably inside of the PKI initialization. For testing purposes
|
||||
// the missing operations are faked by `setKeyPair`.
|
||||
p, err := New(o, opts...)
|
||||
require.NoError(t, err)
|
||||
|
||||
// setKeyPair sets a predefined JWK and a default JWK provisioner. This is one
|
||||
// of the things performed in the `ca init` code that's not part of `New`, but
|
||||
// performed after that in p.GenerateKeyPairs`. We're currently using the same
|
||||
// JWK for every test to keep test variance small: we're not testing JWK generation
|
||||
// here after all. It's a bit dangerous to redefine the function here, but it's
|
||||
// the simplest way to make this fully testable without refactoring the init now.
|
||||
// The password for the predefined encrypted key is \x01\x03\x03\x07.
|
||||
setKeyPair(t, p)
|
||||
|
||||
return p
|
||||
}
|
||||
type args struct {
|
||||
opt []ConfigOption
|
||||
}
|
||||
type test struct {
|
||||
pki *PKI
|
||||
args args
|
||||
want *authconfig.Config
|
||||
wantErr bool
|
||||
}
|
||||
var tests = map[string]func(t *testing.T) test{
|
||||
"ok/simple": func(t *testing.T) test {
|
||||
pki := preparePKI(t)
|
||||
pki.options.deploymentType = StandaloneDeployment
|
||||
pki.options.provisioner = "default-prov"
|
||||
return test{
|
||||
pki: pki,
|
||||
args: args{
|
||||
[]ConfigOption{},
|
||||
},
|
||||
want: &authconfig.Config{
|
||||
Address: "127.0.0.1:9000",
|
||||
InsecureAddress: "",
|
||||
DNSNames: []string{"127.0.0.1"},
|
||||
AuthorityConfig: &authconfig.AuthConfig{
|
||||
DeploymentType: "", // TODO(hs): (why is) this is not set to standalone?
|
||||
EnableAdmin: false,
|
||||
Provisioners: provisioner.List{
|
||||
&provisioner.JWK{
|
||||
Type: "JWK",
|
||||
Name: "default-prov",
|
||||
},
|
||||
},
|
||||
},
|
||||
DB: &db.Config{
|
||||
Type: "badgerv2",
|
||||
DataSource: filepath.Join(step.Path(), "db"),
|
||||
},
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-acme": func(t *testing.T) test {
|
||||
pki := preparePKI(t)
|
||||
pki.options.deploymentType = StandaloneDeployment
|
||||
pki.options.provisioner = "default-prov"
|
||||
pki.options.enableACME = true
|
||||
return test{
|
||||
pki: pki,
|
||||
args: args{
|
||||
[]ConfigOption{},
|
||||
},
|
||||
want: &authconfig.Config{
|
||||
Address: "127.0.0.1:9000",
|
||||
InsecureAddress: "",
|
||||
DNSNames: []string{"127.0.0.1"},
|
||||
AuthorityConfig: &authconfig.AuthConfig{
|
||||
DeploymentType: "", // TODO(hs): (why is) this is not set to standalone?
|
||||
EnableAdmin: false,
|
||||
Provisioners: provisioner.List{
|
||||
&provisioner.JWK{
|
||||
Type: "JWK",
|
||||
Name: "default-prov",
|
||||
},
|
||||
&provisioner.ACME{
|
||||
Type: "ACME",
|
||||
Name: "acme",
|
||||
},
|
||||
},
|
||||
},
|
||||
DB: &db.Config{
|
||||
Type: "badgerv2",
|
||||
DataSource: filepath.Join(step.Path(), "db"),
|
||||
},
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-acme-and-double-provisioner-name": func(t *testing.T) test {
|
||||
pki := preparePKI(t)
|
||||
pki.options.deploymentType = StandaloneDeployment
|
||||
pki.options.provisioner = "acme"
|
||||
pki.options.enableACME = true
|
||||
return test{
|
||||
pki: pki,
|
||||
args: args{
|
||||
[]ConfigOption{},
|
||||
},
|
||||
want: &authconfig.Config{
|
||||
Address: "127.0.0.1:9000",
|
||||
InsecureAddress: "",
|
||||
DNSNames: []string{"127.0.0.1"},
|
||||
AuthorityConfig: &authconfig.AuthConfig{
|
||||
DeploymentType: "", // TODO(hs): (why is) this is not set to standalone?
|
||||
EnableAdmin: false,
|
||||
Provisioners: provisioner.List{
|
||||
&provisioner.JWK{
|
||||
Type: "JWK",
|
||||
Name: "acme",
|
||||
},
|
||||
&provisioner.ACME{
|
||||
Type: "ACME",
|
||||
Name: "acme-1",
|
||||
},
|
||||
},
|
||||
},
|
||||
DB: &db.Config{
|
||||
Type: "badgerv2",
|
||||
DataSource: filepath.Join(step.Path(), "db"),
|
||||
},
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-ssh": func(t *testing.T) test {
|
||||
pki := preparePKI(t)
|
||||
pki.options.deploymentType = StandaloneDeployment
|
||||
pki.options.provisioner = "default-prov"
|
||||
pki.options.enableSSH = true
|
||||
return test{
|
||||
pki: pki,
|
||||
args: args{
|
||||
[]ConfigOption{},
|
||||
},
|
||||
want: &authconfig.Config{
|
||||
Address: "127.0.0.1:9000",
|
||||
InsecureAddress: "",
|
||||
DNSNames: []string{"127.0.0.1"},
|
||||
AuthorityConfig: &authconfig.AuthConfig{
|
||||
DeploymentType: "", // TODO(hs): (why is) this is not set to standalone?
|
||||
EnableAdmin: false,
|
||||
Provisioners: provisioner.List{
|
||||
&provisioner.JWK{
|
||||
Type: "JWK",
|
||||
Name: "default-prov",
|
||||
},
|
||||
&provisioner.SSHPOP{
|
||||
Type: "SSHPOP",
|
||||
Name: "sshpop",
|
||||
},
|
||||
},
|
||||
},
|
||||
DB: &db.Config{
|
||||
Type: "badgerv2",
|
||||
DataSource: filepath.Join(step.Path(), "db"),
|
||||
},
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-ssh-and-double-provisioner-name": func(t *testing.T) test {
|
||||
pki := preparePKI(t)
|
||||
pki.options.deploymentType = StandaloneDeployment
|
||||
pki.options.provisioner = "sshpop"
|
||||
pki.options.enableSSH = true
|
||||
return test{
|
||||
pki: pki,
|
||||
args: args{
|
||||
[]ConfigOption{},
|
||||
},
|
||||
want: &authconfig.Config{
|
||||
Address: "127.0.0.1:9000",
|
||||
InsecureAddress: "",
|
||||
DNSNames: []string{"127.0.0.1"},
|
||||
AuthorityConfig: &authconfig.AuthConfig{
|
||||
DeploymentType: "", // TODO(hs): (why is) this is not set to standalone?
|
||||
EnableAdmin: false,
|
||||
Provisioners: provisioner.List{
|
||||
&provisioner.JWK{
|
||||
Type: "JWK",
|
||||
Name: "sshpop",
|
||||
},
|
||||
&provisioner.SSHPOP{
|
||||
Type: "SSHPOP",
|
||||
Name: "sshpop-1",
|
||||
},
|
||||
},
|
||||
},
|
||||
DB: &db.Config{
|
||||
Type: "badgerv2",
|
||||
DataSource: filepath.Join(step.Path(), "db"),
|
||||
},
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-admin": func(t *testing.T) test {
|
||||
pki := preparePKI(t)
|
||||
pki.options.deploymentType = StandaloneDeployment
|
||||
pki.options.provisioner = "default-prov"
|
||||
pki.options.enableAdmin = true
|
||||
tempDir := t.TempDir()
|
||||
return test{
|
||||
pki: pki,
|
||||
args: args{
|
||||
[]ConfigOption{withDBDataSource(t, filepath.Join(tempDir, "db"))},
|
||||
},
|
||||
want: &authconfig.Config{
|
||||
Address: "127.0.0.1:9000",
|
||||
InsecureAddress: "",
|
||||
DNSNames: []string{"127.0.0.1"},
|
||||
AuthorityConfig: &authconfig.AuthConfig{
|
||||
DeploymentType: "", // TODO(hs): (why is) this is not set to standalone?
|
||||
EnableAdmin: true,
|
||||
Provisioners: provisioner.List{}, // when admin is enabled, provisioner list is expected to be empty
|
||||
},
|
||||
DB: &db.Config{
|
||||
Type: "badgerv2",
|
||||
DataSource: filepath.Join(tempDir, "db"),
|
||||
},
|
||||
},
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
}
|
||||
for name, run := range tests {
|
||||
tc := run(t)
|
||||
t.Run(name, func(t *testing.T) {
|
||||
got, err := tc.pki.GenerateConfig(tc.args.opt...)
|
||||
if tc.wantErr {
|
||||
assert.NotNil(t, err)
|
||||
assert.Nil(t, got)
|
||||
return
|
||||
}
|
||||
|
||||
assert.Nil(t, err)
|
||||
if assert.NotNil(t, got) {
|
||||
assert.Equal(t, tc.want.Address, got.Address)
|
||||
assert.Equal(t, tc.want.InsecureAddress, got.InsecureAddress)
|
||||
assert.Equal(t, tc.want.DNSNames, got.DNSNames)
|
||||
assert.Equal(t, tc.want.DB, got.DB)
|
||||
if assert.NotNil(t, tc.want.AuthorityConfig) {
|
||||
assert.Equal(t, tc.want.AuthorityConfig.DeploymentType, got.AuthorityConfig.DeploymentType)
|
||||
assert.Equal(t, tc.want.AuthorityConfig.EnableAdmin, got.AuthorityConfig.EnableAdmin)
|
||||
if numberOfProvisioners := len(tc.want.AuthorityConfig.Provisioners); numberOfProvisioners > 0 {
|
||||
if assert.Len(t, got.AuthorityConfig.Provisioners, numberOfProvisioners) {
|
||||
for i, p := range tc.want.AuthorityConfig.Provisioners {
|
||||
assert.Equal(t, p.GetType(), got.AuthorityConfig.Provisioners[i].GetType())
|
||||
assert.Equal(t, p.GetName(), got.AuthorityConfig.Provisioners[i].GetName())
|
||||
}
|
||||
}
|
||||
}
|
||||
if tc.want.AuthorityConfig.EnableAdmin {
|
||||
_db, err := db.New(tc.want.DB)
|
||||
require.NoError(t, err)
|
||||
defer _db.Shutdown()
|
||||
|
||||
adminDB, err := admindb.New(_db.(nosql.DB), admin.DefaultAuthorityID)
|
||||
require.NoError(t, err)
|
||||
|
||||
provs, err := adminDB.GetProvisioners(context.Background())
|
||||
require.NoError(t, err)
|
||||
|
||||
assert.NotEmpty(t, provs) // currently about the best we can do in terms of checks
|
||||
}
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
@ -0,0 +1,82 @@
|
||||
# Helm template
|
||||
inject:
|
||||
enabled: true
|
||||
# Config contains the configuration files ca.json and defaults.json
|
||||
config:
|
||||
files:
|
||||
ca.json:
|
||||
root: /home/step/certs/root_ca.crt
|
||||
federateRoots: []
|
||||
crt: /home/step/certs/intermediate_ca.crt
|
||||
key: /home/step/secrets/intermediate_ca_key
|
||||
address: 127.0.0.1:9000
|
||||
dnsNames:
|
||||
- 127.0.0.1
|
||||
logger:
|
||||
format: json
|
||||
db:
|
||||
type: badgerv2
|
||||
dataSource: /home/step/db
|
||||
authority:
|
||||
enableAdmin: false
|
||||
provisioners:
|
||||
- {"type":"JWK","name":"acme","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","options":{"x509":{},"ssh":{}}}
|
||||
- {"type":"ACME","name":"acme-1"}
|
||||
tls:
|
||||
cipherSuites:
|
||||
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
minVersion: 1.2
|
||||
maxVersion: 1.3
|
||||
renegotiation: false
|
||||
|
||||
defaults.json:
|
||||
ca-url: https://127.0.0.1
|
||||
ca-config: /home/step/config/ca.json
|
||||
fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
|
||||
root: /home/step/certs/root_ca.crt
|
||||
|
||||
# Certificates contains the root and intermediate certificate and
|
||||
# optionally the SSH host and user public keys
|
||||
certificates:
|
||||
# intermediate_ca contains the text of the intermediate CA Certificate
|
||||
intermediate_ca: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBjZXJ0IGJ5
|
||||
dGVz
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
|
||||
# root_ca contains the text of the root CA Certificate
|
||||
root_ca: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0EgY2VydCBieXRlcw==
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
|
||||
# Secrets contains the root and intermediate keys and optionally the SSH
|
||||
# private keys
|
||||
secrets:
|
||||
# ca_password contains the password used to encrypt x509.intermediate_ca_key, ssh.host_ca_key and ssh.user_ca_key
|
||||
# This value must be base64 encoded.
|
||||
ca_password:
|
||||
provisioner_password:
|
||||
|
||||
x509:
|
||||
# intermediate_ca_key contains the contents of your encrypted intermediate CA key
|
||||
intermediate_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
|
||||
ZXM=
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
||||
|
||||
# root_ca_key contains the contents of your encrypted root CA key
|
||||
# Note that this value can be omitted without impacting the functionality of step-certificates
|
||||
# If supplied, this should be encrypted using a unique password that is not used for encrypting
|
||||
# the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
|
||||
root_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
@ -0,0 +1,104 @@
|
||||
# Helm template
|
||||
inject:
|
||||
enabled: true
|
||||
# Config contains the configuration files ca.json and defaults.json
|
||||
config:
|
||||
files:
|
||||
ca.json:
|
||||
root: /home/step/certs/root_ca.crt
|
||||
federateRoots: []
|
||||
crt: /home/step/certs/intermediate_ca.crt
|
||||
key: /home/step/secrets/intermediate_ca_key
|
||||
ssh:
|
||||
hostKey: /home/step/secrets/ssh_host_ca_key
|
||||
userKey: /home/step/secrets/ssh_user_ca_key
|
||||
address: 127.0.0.1:9000
|
||||
dnsNames:
|
||||
- 127.0.0.1
|
||||
logger:
|
||||
format: json
|
||||
db:
|
||||
type: badgerv2
|
||||
dataSource: /home/step/db
|
||||
authority:
|
||||
enableAdmin: false
|
||||
provisioners:
|
||||
- {"type":"JWK","name":"sshpop","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","claims":{"enableSSHCA":true,"disableRenewal":false,"allowRenewalAfterExpiry":false,"disableSmallstepExtensions":false},"options":{"x509":{},"ssh":{}}}
|
||||
- {"type":"SSHPOP","name":"sshpop-1","claims":{"enableSSHCA":true}}
|
||||
tls:
|
||||
cipherSuites:
|
||||
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
minVersion: 1.2
|
||||
maxVersion: 1.3
|
||||
renegotiation: false
|
||||
|
||||
defaults.json:
|
||||
ca-url: https://127.0.0.1
|
||||
ca-config: /home/step/config/ca.json
|
||||
fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
|
||||
root: /home/step/certs/root_ca.crt
|
||||
|
||||
# Certificates contains the root and intermediate certificate and
|
||||
# optionally the SSH host and user public keys
|
||||
certificates:
|
||||
# intermediate_ca contains the text of the intermediate CA Certificate
|
||||
intermediate_ca: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBjZXJ0IGJ5
|
||||
dGVz
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
|
||||
# root_ca contains the text of the root CA Certificate
|
||||
root_ca: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0EgY2VydCBieXRlcw==
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
# ssh_host_ca contains the text of the public ssh key for the SSH root CA
|
||||
ssh_host_ca: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ0IdS5sZm6KITBMZLEJD6b5ROVraYHcAOr3feFel8r1Wp4DRPR1oU0W00J/zjNBRBbANlJoYN4x/8WNNVZ49Ms=
|
||||
|
||||
# ssh_user_ca contains the text of the public ssh key for the SSH root CA
|
||||
ssh_user_ca: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEWA1qUxaGwVNErsvEOGe2d6TvLMF+aiVpuOiIEvpMJ3JeJmecLQctjWqeIbpSvy6/gRa7c82Ge5rLlapYmOChs=
|
||||
|
||||
# Secrets contains the root and intermediate keys and optionally the SSH
|
||||
# private keys
|
||||
secrets:
|
||||
# ca_password contains the password used to encrypt x509.intermediate_ca_key, ssh.host_ca_key and ssh.user_ca_key
|
||||
# This value must be base64 encoded.
|
||||
ca_password:
|
||||
provisioner_password:
|
||||
|
||||
x509:
|
||||
# intermediate_ca_key contains the contents of your encrypted intermediate CA key
|
||||
intermediate_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
|
||||
ZXM=
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
||||
|
||||
# root_ca_key contains the contents of your encrypted root CA key
|
||||
# Note that this value can be omitted without impacting the functionality of step-certificates
|
||||
# If supplied, this should be encrypted using a unique password that is not used for encrypting
|
||||
# the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
|
||||
root_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
||||
ssh:
|
||||
# ssh_host_ca_key contains the contents of your encrypted SSH Host CA key
|
||||
host_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
ZmFrZSBzc2ggaG9zdCBrZXkgYnl0ZXM=
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
||||
|
||||
# ssh_user_ca_key contains the contents of your encrypted SSH User CA key
|
||||
user_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
ZmFrZSBzc2ggdXNlciBrZXkgYnl0ZXM=
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
Loading…
Reference in New Issue