would like clarification about "multiple issuing CAs" limitation

[rwv37]

The Limitations section in the "Introduction to step-ca" page says, in part: "It issues X.509 certificates from a single configured Intermediate CA; multiple issuing CAs are not supported"

Does this mean that other than the root and the leaves, there can only be one tier? Or that the tier immediately below the root cannot have more than one CA? Or that no tier can have more than one CA? Or some combination thereof, or something else entirely?

Whatever the limitation is, is it perhaps possible to work around it in some way? For example, perhaps you can get two CAs directly on the tier below root by setting up two different contexts, both using the same root? Or perhaps you can get two intermediate tiers by setting up a second context that uses the sub-root as its... uh... pseudo-root, thus having the sub-root's intermediate "really" be a sub-sub-root CA?

Thanks.

[tashian]

Good question!

What this limitation means is that every certificate issued by a single step-ca server will have the same issuing CA certificate.
Furthermore, step-ca cannot issue certificates directly from a root CA, it must be an intermediate.
Multiple tiers of intermediates are supported.

If you need several issuing authorities in your PKI, you'll have to run a separate step-ca for each issuing authority.
There is no workaround that would allow for a single step-ca to issue certificates from multiple authorities.

I hope this helps.

[rwv37]

Thanks. I have a couple followup questions based on your reply, if you don't mind:

(1) When you say "Multiple tiers of intermediates are supported": Could you please point me to some info on how to do so? I have been hoping to do this, but I have yet to see anything in the docs that (to me) clearly indicates how (or even if possible).

(2) When you say "a separate step-ca" and "a single step-ca": I'm not sure if I'm understanding "contexts" correctly, but till now I was imagining that they're supported both on the step-cli end and on the step-ca end. Are they only step-cli? So a single running instance of step-ca cannot have two or more separate contexts that it uses?

Thanks again.

[tashian]

For 1) By "multiple tiers" I mean that in addition to this:

Root -> Intermediate -> (Leaf issued by step-ca)
(This is the default ("2-tier") PKI that's created when you run step ca init.)

You could set step-ca up to do this:

Root -> Intermediate -> Intermediate -> (Leaf issued by step-ca)

or even this:

Root -> Intermediate -> Intermediate -> Intermediate -> (Leaf issued by step-ca)

To configure this, you'll need to set the crt value in ca.json to a file that contains all of your intermediates. According to our Configuration docs, the final issuing intermediate needs to be the first PEM block in the file.

The step ca init command will only create a simple 2-tier PKI.
So, if you want this more complex setup, you will need to create all your CAs separately, and update the ca.json manually to use your custom PKI.

For 2) that's correct, a single step-ca can only run with a single context.

[rwv37]

Thanks again! The support for multiple tiers will go a long ways towards what I was hoping for.

[tashian]

@rwv37 I was mistaken about which config value should contain the intermediates. So, I've edited my comment above.

You can supply multiple roots in the root value, but that's intended for root distribution and root rotation. The root file(s) should not contain any intermediates, only roots.

The crt value is where you can supply multiple intermediates (see my edited answer above).