Add support for the disableSmallstepExtensions claim

This commit adds a new claim to exclude the Smallstep provisioner
extension from the generated certificates.

Fixes #620

authority/config/config.go

@@ -35,6 +35,9 @@ var (
 	// DefaultEnableSSHCA enable SSH CA features per provisioner or globally
 	// for all provisioners.
 	DefaultEnableSSHCA = false
+	// DefaultDisableSmallstepExtensions disables the Smallstep extensions in
+	// the certificate.
+	DefaultDisableSmallstepExtensions = false
 	// DefaultCRLCacheDuration is the default cache duration for the CRL.
 	DefaultCRLCacheDuration = &provisioner.Duration{Duration: 24 * time.Hour}
 	// DefaultCRLExpiredDuration is the default duration in which expired
@@ -43,18 +46,19 @@ var (
 	// GlobalProvisionerClaims is the default duration that expired certificates
 	// remain in the CRL after expiration.
 	GlobalProvisionerClaims = provisioner.Claims{
-		MinTLSDur:               &provisioner.Duration{Duration: 5 * time.Minute}, // TLS certs
-		MaxTLSDur:               &provisioner.Duration{Duration: 24 * time.Hour},
-		DefaultTLSDur:           &provisioner.Duration{Duration: 24 * time.Hour},
-		MinUserSSHDur:           &provisioner.Duration{Duration: 5 * time.Minute}, // User SSH certs
-		MaxUserSSHDur:           &provisioner.Duration{Duration: 24 * time.Hour},
-		DefaultUserSSHDur:       &provisioner.Duration{Duration: 16 * time.Hour},
-		MinHostSSHDur:           &provisioner.Duration{Duration: 5 * time.Minute}, // Host SSH certs
-		MaxHostSSHDur:           &provisioner.Duration{Duration: 30 * 24 * time.Hour},
-		DefaultHostSSHDur:       &provisioner.Duration{Duration: 30 * 24 * time.Hour},
-		EnableSSHCA:             &DefaultEnableSSHCA,
-		DisableRenewal:          &DefaultDisableRenewal,
-		AllowRenewalAfterExpiry: &DefaultAllowRenewalAfterExpiry,
+		MinTLSDur:                  &provisioner.Duration{Duration: 5 * time.Minute}, // TLS certs
+		MaxTLSDur:                  &provisioner.Duration{Duration: 24 * time.Hour},
+		DefaultTLSDur:              &provisioner.Duration{Duration: 24 * time.Hour},
+		MinUserSSHDur:              &provisioner.Duration{Duration: 5 * time.Minute}, // User SSH certs
+		MaxUserSSHDur:              &provisioner.Duration{Duration: 24 * time.Hour},
+		DefaultUserSSHDur:          &provisioner.Duration{Duration: 16 * time.Hour},
+		MinHostSSHDur:              &provisioner.Duration{Duration: 5 * time.Minute}, // Host SSH certs
+		MaxHostSSHDur:              &provisioner.Duration{Duration: 30 * 24 * time.Hour},
+		DefaultHostSSHDur:          &provisioner.Duration{Duration: 30 * 24 * time.Hour},
+		EnableSSHCA:                &DefaultEnableSSHCA,
+		DisableRenewal:             &DefaultDisableRenewal,
+		AllowRenewalAfterExpiry:    &DefaultAllowRenewalAfterExpiry,
+		DisableSmallstepExtensions: &DefaultDisableSmallstepExtensions,
 	}
 )
 

authority/provisioner/acme.go

@@ -257,7 +257,7 @@ func (p *ACME) AuthorizeSign(context.Context, string) ([]SignOption, error) {
 	opts := []SignOption{
 		p,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeACME, p.Name, ""),
+		newProvisionerExtensionOption(TypeACME, p.Name, "").WithControllerOptions(p.ctl),
 		newForceCNOption(p.ForceCN),
 		profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators

authority/provisioner/aws.go

@@ -515,7 +515,7 @@ func (p *AWS) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
 		p,
 		templateOptions,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeAWS, p.Name, doc.AccountID, "InstanceID", doc.InstanceID),
+		newProvisionerExtensionOption(TypeAWS, p.Name, doc.AccountID, "InstanceID", doc.InstanceID).WithControllerOptions(p.ctl),
 		profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators
 		defaultPublicKeyValidator{},

authority/provisioner/azure.go

@@ -398,7 +398,7 @@ func (p *Azure) AuthorizeSign(_ context.Context, token string) ([]SignOption, er
 		p,
 		templateOptions,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeAzure, p.Name, p.TenantID),
+		newProvisionerExtensionOption(TypeAzure, p.Name, p.TenantID).WithControllerOptions(p.ctl),
 		profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators
 		defaultPublicKeyValidator{},

authority/provisioner/claims.go

@@ -26,6 +26,9 @@ type Claims struct {
 	// Renewal properties
 	DisableRenewal          *bool `json:"disableRenewal,omitempty"`
 	AllowRenewalAfterExpiry *bool `json:"allowRenewalAfterExpiry,omitempty"`
+
+	// Other properties
+	DisableSmallstepExtensions *bool `json:"disableSmallstepExtensions,omitempty"`
 }
 
 // Claimer is the type that controls claims. It provides an interface around the
@@ -47,20 +50,22 @@ func (c *Claimer) Claims() Claims {
 	disableRenewal := c.IsDisableRenewal()
 	allowRenewalAfterExpiry := c.AllowRenewalAfterExpiry()
 	enableSSHCA := c.IsSSHCAEnabled()
+	disableSmallstepExtensions := c.IsDisableSmallstepExtensions()
 
 	return Claims{
-		MinTLSDur:               &Duration{c.MinTLSCertDuration()},
-		MaxTLSDur:               &Duration{c.MaxTLSCertDuration()},
-		DefaultTLSDur:           &Duration{c.DefaultTLSCertDuration()},
-		MinUserSSHDur:           &Duration{c.MinUserSSHCertDuration()},
-		MaxUserSSHDur:           &Duration{c.MaxUserSSHCertDuration()},
-		DefaultUserSSHDur:       &Duration{c.DefaultUserSSHCertDuration()},
-		MinHostSSHDur:           &Duration{c.MinHostSSHCertDuration()},
-		MaxHostSSHDur:           &Duration{c.MaxHostSSHCertDuration()},
-		DefaultHostSSHDur:       &Duration{c.DefaultHostSSHCertDuration()},
-		EnableSSHCA:             &enableSSHCA,
-		DisableRenewal:          &disableRenewal,
-		AllowRenewalAfterExpiry: &allowRenewalAfterExpiry,
+		MinTLSDur:                  &Duration{c.MinTLSCertDuration()},
+		MaxTLSDur:                  &Duration{c.MaxTLSCertDuration()},
+		DefaultTLSDur:              &Duration{c.DefaultTLSCertDuration()},
+		MinUserSSHDur:              &Duration{c.MinUserSSHCertDuration()},
+		MaxUserSSHDur:              &Duration{c.MaxUserSSHCertDuration()},
+		DefaultUserSSHDur:          &Duration{c.DefaultUserSSHCertDuration()},
+		MinHostSSHDur:              &Duration{c.MinHostSSHCertDuration()},
+		MaxHostSSHDur:              &Duration{c.MaxHostSSHCertDuration()},
+		DefaultHostSSHDur:          &Duration{c.DefaultHostSSHCertDuration()},
+		EnableSSHCA:                &enableSSHCA,
+		DisableRenewal:             &disableRenewal,
+		AllowRenewalAfterExpiry:    &allowRenewalAfterExpiry,
+		DisableSmallstepExtensions: &disableSmallstepExtensions,
 	}
 }
 
@@ -110,6 +115,15 @@ func (c *Claimer) IsDisableRenewal() bool {
 	return *c.claims.DisableRenewal
 }
 
+// IsDisableSmallstepExtensions returns if the Smallstep extensions, like the
+// provisioner extension, should be excluded from the certificate.
+func (c *Claimer) IsDisableSmallstepExtensions() bool {
+	if c.claims == nil || c.claims.DisableSmallstepExtensions == nil {
+		return *c.global.DisableSmallstepExtensions
+	}
+	return *c.claims.DisableSmallstepExtensions
+}
+
 // AllowRenewalAfterExpiry returns if the renewal flow is authorized if the
 // certificate is expired. If the property is not set within the provisioner
 // then the global value from the authority configuration will be used.

authority/provisioner/gcp.go

@@ -270,7 +270,7 @@ func (p *GCP) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
 		p,
 		templateOptions,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeGCP, p.Name, claims.Subject, "InstanceID", ce.InstanceID, "InstanceName", ce.InstanceName),
+		newProvisionerExtensionOption(TypeGCP, p.Name, claims.Subject, "InstanceID", ce.InstanceID, "InstanceName", ce.InstanceName).WithControllerOptions(p.ctl),
 		profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators
 		defaultPublicKeyValidator{},

authority/provisioner/jwk.go

@@ -187,7 +187,7 @@ func (p *JWK) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
 		self,
 		templateOptions,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeJWK, p.Name, p.Key.KeyID),
+		newProvisionerExtensionOption(TypeJWK, p.Name, p.Key.KeyID).WithControllerOptions(p.ctl),
 		profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators
 		commonNameValidator(claims.Subject),

authority/provisioner/k8sSA.go

@@ -238,7 +238,7 @@ func (p *K8sSA) AuthorizeSign(_ context.Context, token string) ([]SignOption, er
 		p,
 		templateOptions,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeK8sSA, p.Name, ""),
+		newProvisionerExtensionOption(TypeK8sSA, p.Name, "").WithControllerOptions(p.ctl),
 		profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators
 		defaultPublicKeyValidator{},

authority/provisioner/nebula.go

@@ -150,7 +150,7 @@ func (p *Nebula) AuthorizeSign(_ context.Context, token string) ([]SignOption, e
 		p,
 		templateOptions,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeNebula, p.Name, ""),
+		newProvisionerExtensionOption(TypeNebula, p.Name, "").WithControllerOptions(p.ctl),
 		profileLimitDuration{
 			def:       p.ctl.Claimer.DefaultTLSCertDuration(),
 			notBefore: crt.Details.NotBefore,

authority/provisioner/oidc.go

@@ -351,7 +351,7 @@ func (o *OIDC) AuthorizeSign(_ context.Context, token string) ([]SignOption, err
 		o,
 		templateOptions,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeOIDC, o.Name, o.ClientID),
+		newProvisionerExtensionOption(TypeOIDC, o.Name, o.ClientID).WithControllerOptions(o.ctl),
 		profileDefaultDuration(o.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators
 		defaultPublicKeyValidator{},

authority/provisioner/scep.go

@@ -190,7 +190,7 @@ func (s *SCEP) AuthorizeSign(context.Context, string) ([]SignOption, error) {
 	return []SignOption{
 		s,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeSCEP, s.Name, ""),
+		newProvisionerExtensionOption(TypeSCEP, s.Name, "").WithControllerOptions(s.ctl),
 		newForceCNOption(s.ForceCN),
 		profileDefaultDuration(s.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators

authority/provisioner/sign_options.go

@@ -430,6 +430,7 @@ func (o *forceCNOption) Modify(cert *x509.Certificate, _ SignOptions) error {
 
 type provisionerExtensionOption struct {
 	Extension
+	Disabled bool
 }
 
 func newProvisionerExtensionOption(typ Type, name, credentialID string, keyValuePairs ...string) *provisionerExtensionOption {
@@ -443,7 +444,18 @@ func newProvisionerExtensionOption(typ Type, name, credentialID string, keyValue
 	}
 }
 
+// WithControllerOptions returns the provisionerExtensionOption options from the
+// controller. Currently only the claim DisableSmallstepExtensions is used.
+func (o *provisionerExtensionOption) WithControllerOptions(c *Controller) *provisionerExtensionOption {
+	o.Disabled = c.Claimer.IsDisableSmallstepExtensions()
+	return o
+}
+
 func (o *provisionerExtensionOption) Modify(cert *x509.Certificate, _ SignOptions) error {
+	if o.Disabled {
+		return nil
+	}
+
 	ext, err := o.ToExtension()
 	if err != nil {
 		return errs.NewError(http.StatusInternalServerError, err, "error creating certificate")

authority/provisioner/sign_options_test.go

@@ -604,14 +604,24 @@ func Test_newProvisionerExtension_Option(t *testing.T) {
 		t.Fatal(err)
 	}
 
+	// Claims with smallstep extensions disabled.
+	claimer, err := NewClaimer(&Claims{
+		DisableSmallstepExtensions: &trueValue,
+	}, globalProvisionerClaims)
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	type test struct {
-		cert  *x509.Certificate
-		valid func(*x509.Certificate)
+		modifier *provisionerExtensionOption
+		cert     *x509.Certificate
+		valid    func(*x509.Certificate)
 	}
 	tests := map[string]func() test{
 		"ok/one-element": func() test {
 			return test{
-				cert: new(x509.Certificate),
+				modifier: newProvisionerExtensionOption(TypeJWK, "name", "credentialId", "key", "value"),
+				cert:     new(x509.Certificate),
 				valid: func(cert *x509.Certificate) {
 					if assert.Len(t, 1, cert.ExtraExtensions) {
 						ext := cert.ExtraExtensions[0]
@@ -625,7 +635,8 @@ func Test_newProvisionerExtension_Option(t *testing.T) {
 		},
 		"ok/replace": func() test {
 			return test{
-				cert: &x509.Certificate{ExtraExtensions: []pkix.Extension{{Id: StepOIDProvisioner, Critical: true}, {Id: []int{1, 2, 3}}}},
+				modifier: newProvisionerExtensionOption(TypeJWK, "name", "credentialId", "key", "value"),
+				cert:     &x509.Certificate{ExtraExtensions: []pkix.Extension{{Id: StepOIDProvisioner, Critical: true}, {Id: []int{1, 2, 3}}}},
 				valid: func(cert *x509.Certificate) {
 					if assert.Len(t, 2, cert.ExtraExtensions) {
 						ext := cert.ExtraExtensions[0]
@@ -636,11 +647,22 @@ func Test_newProvisionerExtension_Option(t *testing.T) {
 				},
 			}
 		},
+		"ok/disabled": func() test {
+			return test{
+				modifier: newProvisionerExtensionOption(TypeJWK, "name", "credentialId", "key", "value").WithControllerOptions(&Controller{
+					Claimer: claimer,
+				}),
+				cert: new(x509.Certificate),
+				valid: func(cert *x509.Certificate) {
+					assert.Len(t, 0, cert.ExtraExtensions)
+				},
+			}
+		},
 	}
 	for name, run := range tests {
 		t.Run(name, func(t *testing.T) {
 			tt := run()
-			assert.FatalError(t, newProvisionerExtensionOption(TypeJWK, "name", "credentialId", "key", "value").Modify(tt.cert, SignOptions{}))
+			assert.FatalError(t, tt.modifier.Modify(tt.cert, SignOptions{}))
 			tt.valid(tt.cert)
 		})
 	}

authority/provisioner/utils_test.go

@@ -24,22 +24,24 @@ import (
 )
 
 var (
-	defaultDisableRenewal          = false
-	defaultAllowRenewalAfterExpiry = false
-	defaultEnableSSHCA             = true
-	globalProvisionerClaims        = Claims{
-		MinTLSDur:               &Duration{5 * time.Minute},
-		MaxTLSDur:               &Duration{24 * time.Hour},
-		DefaultTLSDur:           &Duration{24 * time.Hour},
-		MinUserSSHDur:           &Duration{Duration: 5 * time.Minute}, // User SSH certs
-		MaxUserSSHDur:           &Duration{Duration: 24 * time.Hour},
-		DefaultUserSSHDur:       &Duration{Duration: 16 * time.Hour},
-		MinHostSSHDur:           &Duration{Duration: 5 * time.Minute}, // Host SSH certs
-		MaxHostSSHDur:           &Duration{Duration: 30 * 24 * time.Hour},
-		DefaultHostSSHDur:       &Duration{Duration: 30 * 24 * time.Hour},
-		EnableSSHCA:             &defaultEnableSSHCA,
-		DisableRenewal:          &defaultDisableRenewal,
-		AllowRenewalAfterExpiry: &defaultAllowRenewalAfterExpiry,
+	defaultDisableRenewal             = false
+	defaultAllowRenewalAfterExpiry    = false
+	defaultEnableSSHCA                = true
+	defaultDisableSmallstepExtensions = false
+	globalProvisionerClaims           = Claims{
+		MinTLSDur:                  &Duration{5 * time.Minute},
+		MaxTLSDur:                  &Duration{24 * time.Hour},
+		DefaultTLSDur:              &Duration{24 * time.Hour},
+		MinUserSSHDur:              &Duration{Duration: 5 * time.Minute}, // User SSH certs
+		MaxUserSSHDur:              &Duration{Duration: 24 * time.Hour},
+		DefaultUserSSHDur:          &Duration{Duration: 16 * time.Hour},
+		MinHostSSHDur:              &Duration{Duration: 5 * time.Minute}, // Host SSH certs
+		MaxHostSSHDur:              &Duration{Duration: 30 * 24 * time.Hour},
+		DefaultHostSSHDur:          &Duration{Duration: 30 * 24 * time.Hour},
+		EnableSSHCA:                &defaultEnableSSHCA,
+		DisableRenewal:             &defaultDisableRenewal,
+		AllowRenewalAfterExpiry:    &defaultAllowRenewalAfterExpiry,
+		DisableSmallstepExtensions: &defaultDisableSmallstepExtensions,
 	}
 	testAudiences = Audiences{
 		Sign:      []string{"https://ca.smallstep.com/1.0/sign", "https://ca.smallstep.com/sign"},

authority/provisioner/x5c.go

@@ -237,7 +237,7 @@ func (p *X5C) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
 		self,
 		templateOptions,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeX5C, p.Name, ""),
+		newProvisionerExtensionOption(TypeX5C, p.Name, "").WithControllerOptions(p.ctl),
 		profileLimitDuration{
 			p.ctl.Claimer.DefaultTLSCertDuration(),
 			x5cLeaf.NotBefore, x5cLeaf.NotAfter,

authority/provisioners.go

@@ -646,8 +646,9 @@ func claimsToCertificates(c *linkedca.Claims) (*provisioner.Claims, error) {
 	}
 
 	pc := &provisioner.Claims{
-		DisableRenewal:          &c.DisableRenewal,
-		AllowRenewalAfterExpiry: &c.AllowRenewalAfterExpiry,
+		DisableRenewal:             &c.DisableRenewal,
+		AllowRenewalAfterExpiry:    &c.AllowRenewalAfterExpiry,
+		DisableSmallstepExtensions: &c.DisableSmallstepExtensions,
 	}
 
 	var err error
@@ -686,6 +687,7 @@ func claimsToLinkedca(c *provisioner.Claims) *linkedca.Claims {
 
 	disableRenewal := config.DefaultDisableRenewal
 	allowRenewalAfterExpiry := config.DefaultAllowRenewalAfterExpiry
+	disableSmallstepExtensions := config.DefaultDisableSmallstepExtensions
 
 	if c.DisableRenewal != nil {
 		disableRenewal = *c.DisableRenewal
@@ -693,10 +695,14 @@ func claimsToLinkedca(c *provisioner.Claims) *linkedca.Claims {
 	if c.AllowRenewalAfterExpiry != nil {
 		allowRenewalAfterExpiry = *c.AllowRenewalAfterExpiry
 	}
+	if c.DisableSmallstepExtensions != nil {
+		disableSmallstepExtensions = *c.DisableSmallstepExtensions
+	}
 
 	lc := &linkedca.Claims{
-		DisableRenewal:          disableRenewal,
-		AllowRenewalAfterExpiry: allowRenewalAfterExpiry,
+		DisableRenewal:             disableRenewal,
+		AllowRenewalAfterExpiry:    allowRenewalAfterExpiry,
+		DisableSmallstepExtensions: disableSmallstepExtensions,
 	}
 
 	if c.DefaultTLSDur != nil || c.MinTLSDur != nil || c.MaxTLSDur != nil {

go.mod

@@ -140,11 +140,5 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
-// replace github.com/smallstep/nosql => ../nosql
-// replace go.step.sm/crypto => ../crypto
-
-// replace go.step.sm/cli-utils => ../cli-utils
-// replace go.step.sm/linkedca => ../linkedca
-
 // use github.com/smallstep/pkcs7 fork with patches applied
 replace go.mozilla.org/pkcs7 => github.com/smallstep/pkcs7 v0.0.0-20230302202335-4c094085c948

pki/testdata/helm/with-ssh-and-acme.yml

@@ -23,7 +23,7 @@ inject:
         authority:
           enableAdmin: false
           provisioners:
-            - {"type":"JWK","name":"step-cli","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","claims":{"enableSSHCA":true,"disableRenewal":false,"allowRenewalAfterExpiry":false},"options":{"x509":{},"ssh":{}}}
+            - {"type":"JWK","name":"step-cli","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","claims":{"enableSSHCA":true,"disableRenewal":false,"allowRenewalAfterExpiry":false,"disableSmallstepExtensions":false},"options":{"x509":{},"ssh":{}}}
             - {"type":"ACME","name":"acme"}
             - {"type":"SSHPOP","name":"sshpop","claims":{"enableSSHCA":true}}
         tls:

pki/testdata/helm/with-ssh.yml

@@ -23,7 +23,7 @@ inject:
         authority:
           enableAdmin: false
           provisioners:
-            - {"type":"JWK","name":"step-cli","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","claims":{"enableSSHCA":true,"disableRenewal":false,"allowRenewalAfterExpiry":false},"options":{"x509":{},"ssh":{}}}
+            - {"type":"JWK","name":"step-cli","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","claims":{"enableSSHCA":true,"disableRenewal":false,"allowRenewalAfterExpiry":false,"disableSmallstepExtensions":false},"options":{"x509":{},"ssh":{}}}
             - {"type":"SSHPOP","name":"sshpop","claims":{"enableSSHCA":true}}
         tls:
           cipherSuites: