Creating a full RSA chain for a legacy application

[tobi-coder]

Due to legacy applications I need a full RSA chain (root->intermediate->leaf signed with RSA). Therefore I initialized a step ca with an RSA root and intermediate certificate. If I try to sign a certificate with:

& 'C:\Program Files\step_0.15.14\bin\step.exe' ca certificate "t01.ch" "t01.crt" "t01.key" --kty RSA --size 4096

I always get a leaf certificate signed with sha256ECDSA (see below). Where is my mistake?

-----BEGIN CERTIFICATE-----
MIID4jCCA4igAwIBAgIRAK5Ni6jNg/w7C2GiUz/TaekwCgYIKoZIzj0EAwIwNjER
MA8GA1UEChMISGVuekhvbWUxITAfBgNVBAMTGEhlbnpIb21lIEludGVybWVkaWF0
ZSBDQTAeFw0yMTA1MTYxNjE1MDZaFw0yMTA4MTQxNjE2MDZaMBExDzANBgNVBAMT
BnQwMS5jaDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMSaT/eUBF/s
GIVlbPaDgYuf31wBPAiVjme5OyYT/OxjLNWvj6hyv9O7bUMA3ultdw3qZiXEfBsP
saZvfM+gdeRO1VbZptR+VFt+sAU2b91hEiYIAsnASkSo2hrpkPq4G2OuwyCb6MSW
I+Kbq/YxP9Wf+Mu8K5KYIG9Li5yi/t7kOZq+XlOI469Um0yjsLQOKe1wfAkN4wJe
70uyP7YstkV4p3HA0YMppDySE219AfCl2G5LDo0bnRqm0fzwhANAtmDCFlTcvO9Y
pCfB0Ehy9sK+txIIkaJ6bB2PGodEG9kHa/jXjaaMMpkU7aWQmhSd5apQzXkZZ7JN
eviHC8I59SUzslp+9DYhzsIXlRiOMzVxS16URdZjeCqk3CAgHIwKubDdzGI99yrw
oj268QIspKrIGURXpqmOlZl2yP9t3h5JBw7fW2sfCPV/BmuA4lZV0IIa1siZyjcm
zKYs6Zz5JeGpGh1xtDTAy/Z1vbkB13TycVSms+c47sGBvlW8BT+u8Y8nh1ONCwrI
z1ZYNW5Rjk/28qGwyLQfRBwBdzzRWYzXpZGqDVCqjdivV9DbjZnjbyiqTWQ18uOs
NFs4kGS93h92WHRx5NpZRv+rE6as2K6MlIxpfbSfRtz+20a+U4WfBaDm/pQmslqz
y0fkBUiKVaSAzxg5J2EgjP9smku42HNDAgMBAAGjgdAwgc0wDgYDVR0PAQH/BAQD
AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUSbrK
mNEXNqyEGlqx6Id/Z9ZvCLYwHwYDVR0jBBgwFoAUOpCz4usswM+hcoH29H5+D6IA
fbAwEQYDVR0RBAowCIIGdDAxLmNoMEkGDCsGAQQBgqRkxihAAQQ5MDcCAQEEBWFk
bWluBCtwV1djdll5a0czNDVJOHJyS2xDM1p1MW1wZ1pySW5sd000cDBnMmVRZmJF
MAoGCCqGSM49BAMCA0gAMEUCIArBvUFWVBeSKI8m8UndQQ+IPkZsTiQ+AaWk4rQo
HzEsAiEA3J8eCA5iB+J7bp5ESOCeW1zs8KV6wi+gRJqih6zNVmI=
-----END CERTIFICATE-----

[maraino]

Hi @tobi-coder, can you check that your intermediate is actually an RSA key, I think it's using a ECDSA P-256 key.

You can check the algorithm inspecting the intermediate one, the issuer, for example:

$ step certificate inspect --short $(step path)/certs/intermediate_ca.crt
X.509v3 Intermediate CA Certificate (RSA 4096) [Serial: 2415...1643]
  Subject:     My Intermediate CA
  Issuer:      My Root CA
  Valid from:  2021-05-18T00:57:48Z
          to:  2031-05-16T00:57:48Z```

As you know, step ca init does not supports the --kty parameters, so the full process to initialize the PKI is a little bit more complex, here it is for your reference:

$ step ca init
...
$ step certificate create --profile root-ca --kty RSA --size 4096 \
  'My Root CA' $(step path)/certs/root_ca.crt $(step path)/secrets/root_ca_key
$ step certificate create --profile intermediate-ca --kty RSA --size 4096 \
   --ca $(step path)/certs/root_ca.crt --ca-key $(step path)/secrets/root_ca_key 
  'My Intermediate CA' $(step path)/certs/intermediate_ca.crt $(step path)/secrets/intermediate_ca_key

And then just:

$ step ca certificate --kty RSA --size 4096 foo.internal foo.crt foo.key
$ step certificate inspect --format json foo.crt | jq .signature.signature_algorithm.name
"SHA256-RSA"

[tobi-coder]

It worked. What I initally did is creating a RSA root certificate first and the specify this as root during ca init.

step ca init --root=root-ca-rsa.crt --key=root-ca-rsa.key

I thought this is also possible.

[maraino]

@tobi-coder: with that command we still use ECDSA for our intermediate, perhaps we might want to change the code so it uses the same crypto used in the root.

[tobi-coder]

What's the idea behind that? Usually if I nesed an RSA root that's because certificate consumers doesn't already support ECDSA. So I need a full RSA chain. I don't see a reason for a mixed algorithm chain (which doen't mean there is one).

[greg-mcnamara]

Sorry @maraino this is an old discussion, but I'm running step ca in a docker container, and I tried creating the new RSA chain root and intermediate certs as per your instructions (using bash via docker exec), but when I restart the container it fails to start with an error:

error decrypting /home/step/secrets/intermediate_ca_key: x509: decryption password incorrect 

It seems that the configuration is getting out of sync with the new certs. Any ideas on how to resolve?

[tashian]

Hi @greg-mcnamara, step-ca needs to decrypt the intermediate CA key on startup. So, you'll need to be sure that the file /home/step/secrets/password (in the container) contains the intermediate CA password.