weixin_39690401
2020-11-28 06:46

How to set validity period for root ca

Hi,

I'm playing with step-ca and I wonder how I can set the validity period for a new root CA. After the step ca init and step ca root ca.crt commands, the validity period is 10 years for ca.crt.

Thanks

This question comes from the open-source project: smallstep/cli


6 answers

  • weixin_39816260 5 months ago

    Hi, to set a validity period for a root or an intermediate CA you need to create the certificates manually. Just use the following commands and replace them with the ones created by step ca init:

    
    # Root
    step certificate create --profile root-ca --not-after 8760h "My Root CA" root_ca.crt root_ca_key
    
    # Intermediate, signed by the above root
    step certificate create --profile intermediate-ca --not-after "2021-09-18T17:00:47Z" --ca root_ca.crt --ca-key root_ca_key "My Intermediate CA" intermediate_ca.crt intermediate_ca_key
    

    In the second command, I've set the date manually, so it matches the one in the root. You can use a "duration" or an RFC3339 date for the --not-after flag.

  • weixin_39816260 5 months ago

    I'm going to close the issue, as you should be able to solve it with the commands above. Feel free to re-open the issue if you find any problem.

  • weixin_39690401 5 months ago

    Hi, thanks for the tips. When I replaced the default cert created by step ca init, I got an error when I tried to query the root certificate with step ca root ca.crt.

    error="/root/fab322f9089df3b4e0026a649b194afdccc2df2f591b6fd37dab4add648070bb was not found: certificate with fingerprint fab322f9089df3b4e0026a649b194afdccc2df2f591b6fd37dab4add648070bb was not found" fields.time="2020-09-21T07:40:57Z" method=GET name=ca path=/root/fab322f9089df3b4e0026a649b194afdccc2df2f591b6fd37dab4add648070bb protocol=HTTP/1.1 referer= remote-address=127.0.0.1 request-id=btk5i2ddos8o68oo1rug size=127 status=404 user-agent="Smallstep CLI/0.15.2 (linux/amd64)"

    How can I set up the newly created cert as the default one? Thanks

  • weixin_39816260 5 months ago

    Are you using the fingerprint for your new root_ca.crt?

    step certificate fingerprint root_ca.crt
    

    where root_ca.crt is the one set as "root" in the ca.json, and of course the one you created with step certificate create.

  • weixin_39816260 5 months ago

    The old fingerprint is probably in ~/.step/config/defaults.json and you should set the new one.

  • weixin_39690401 5 months ago

    I solved the problem by updating the fingerprint attribute in the file ~/.step/config/defaults.json with the result of the command step certificate fingerprint root_ca.crt.

    Thanks for your help

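An added example, not part of the thread or of smallstep's code: a check for the failure resolved above, where the fingerprint pinned in ~/.step/config/defaults.json no longer matches a replaced root_ca.crt. It assumes the fingerprint is the lowercase hex SHA-256 of the certificate's DER bytes, which is what step certificate fingerprint prints by default; the function names and the sample values are constructed for illustration.

```python
import base64
import hashlib
import json
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprint(pem_text):
    """SHA-256 over the DER bytes of the first certificate, as lowercase hex."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def sync_defaults(defaults, root_pem):
    """Return (defaults, changed) with "fingerprint" pinned to root_pem."""
    want = pem_fingerprint(root_pem)
    if str(defaults.get("fingerprint", "")).lower() == want:
        return defaults, False
    return {**defaults, "fingerprint": want}, True  # copy, input untouched


# Constructed sample input: arbitrary bytes stand in for the new root's DER
# encoding, and the pinned value stands in for the old root's fingerprint.
CONSTRUCTED_DER = b"constructed stand-in for the DER bytes of a new root CA"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(CONSTRUCTED_DER).decode()
              + "-----END CERTIFICATE-----\n")
SAMPLE_DEFAULTS = {"ca-url": "https://127.0.0.1:9000", "fingerprint": "0" * 64}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py root_ca.crt defaults.json
        with open(sys.argv[1]) as f:
            pem = f.read()
        with open(sys.argv[2]) as f:
            cfg = json.load(f)
        cfg, changed = sync_defaults(cfg, pem)
        if changed:  # rewrite the file only when the pin was stale
            with open(sys.argv[2], "w") as f:
                json.dump(cfg, f, indent=2)
    else:
        cfg, changed = sync_defaults(SAMPLE_DEFAULTS, SAMPLE_PEM)
    print("updated" if changed else "already current", cfg["fingerprint"])
```

Run with the paths of the new root certificate and defaults.json to rewrite a stale pin; with no arguments it runs on the constructed sample only.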
