
[Docs]: when request a certificate use "step ca certificate" with --kms #2312

@yangfande362

Description


Hello!

I am using step-ca with TPM2.0 and now need to sign a certificate for nginx 1.28. I find that PKCS11 works well with Nginx, and at the same time I can use "step certificate create" with the private key created by "step kms create" in TPM2.0. But when I want to use it with "step ca certificate" and "step ca renew", it does not work well.

I used the following command to create a certificate with the private key in TPM2.0, but a new file "pkcs11:id=10000000;object=obcuca" was generated, which shows a new private key.

```
step ca certificate 10.72.1.101 /etc/nginx/conf.d/certs/nginx-0620.crt 'pkcs11:id=10000000;object=obcuca' --token omited --ca-url=https://192.168.51.101:6000 --root=/etc/nginx/conf.d/certs/root_ca.crt --kms='pkcs11:module-path=/usr/local/lib/libtpm2_pkcs11.so;token=mykey?pin-value=Obcu@ca' --tpm-storage-directory /opt/tbds/tpm2_store/ca
```

It does not work well with "step ca renew" either; even when I try to renew a certificate created by "step certificate create" with TPM2.0, it shows an error:

```
error validating renew token
error renewing certificate
```

I tried to read the help documentation, but it could not resolve my problem. Is there any way to achieve my requirement?
To simplify: I just want to create a leaf certificate that uses the private key in TPM2.0, and be able to renew the certificate normally with "step ca renew".


Affected area/feature

"step ca certificate create" and "step ca renew" work with TPM2.0 via PKCS11.
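To make the two argument shapes in the report concrete, here is an added example (editorial code, not part of step or the issue) that parses the key URI and the `--kms` URI above using RFC 7512 PKCS#11 URI syntax, distinguishes a `pkcs11:` URI from a file path, and masks the `pin-value` before such a URI is pasted into a log or ticket. The sample values are copied from the issue; the treatment of `module-path` as a path attribute follows the report, not the RFC.

```python
from urllib.parse import unquote

# Sample values copied from the issue above (constructed test input, not a real deployment).
KEY_URI = "pkcs11:id=10000000;object=obcuca"
KMS_URI = "pkcs11:module-path=/usr/local/lib/libtpm2_pkcs11.so;token=mykey?pin-value=Obcu@ca"


def is_pkcs11_uri(arg: str) -> bool:
    """True when a CLI argument names a PKCS#11 object rather than a file on disk."""
    return arg.lower().startswith("pkcs11:")


def _attrs(segment: str, sep: str) -> dict:
    """Split 'name=value' pairs on sep, percent-decoding values (RFC 7512 style)."""
    out = {}
    for part in filter(None, segment.split(sep)):
        name, eq, value = part.partition("=")
        if not eq:
            raise ValueError(f"malformed attribute {part!r}")
        if name in out:
            raise ValueError(f"duplicate attribute {name!r}")
        out[name] = unquote(value)
    return out


def parse_pkcs11_uri(uri: str) -> dict:
    """Return {'path': {...}, 'query': {...}} for a pkcs11: URI.

    Path attributes are ';'-separated, query attributes (after '?') are '&'-separated.
    """
    if not is_pkcs11_uri(uri):
        raise ValueError("not a pkcs11: URI")
    body = uri[len("pkcs11:"):]
    path, _, query = body.partition("?")
    return {"path": _attrs(path, ";"), "query": _attrs(query, "&")}


def redact_pin(uri: str) -> str:
    """Mask any pin-value query attribute so the URI can be shared safely."""
    body = uri[len("pkcs11:"):]
    path, has_query, query = body.partition("?")
    if not has_query:
        return uri
    parts = ["pin-value=***" if p.startswith("pin-value=") else p for p in query.split("&")]
    return "pkcs11:" + path + "?" + "&".join(parts)
```

Checking `is_pkcs11_uri` on each positional argument is the kind of test that tells a key argument apart from an output path, which is the distinction the report's stray file name turns on.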
