Sign CSR with specific template

[Moxified]

I can see in the documentation how to request a new certificate using a specific template but I need to sign a VMware VMCA CSR as a subordinate for my VMware lab and step ca sign doesn't allow for template choice as far as I can tell.

I'm sure there is some obvious answer I'm missing. In a Windows PKI, I would create the CSR and chose the CA template to issue a subordinate CA from certsrv.

I successfully created an issuing cert using step sign --template but VMCA didn't like the cert.

[tashian]

Hi @Moxified, within the context of an online CA, templates are configured at the level of the provisioner.
So, instead of running step ca sign --template you'd just configure the provisioner with a template config block, and then run a regular step ca sign (potentially using the --set or --set-file flags) against that provisioner.

Does this help?

[maraino]

And if you just need to create a CSR to be signed by a different CA, you can do it with step certificate create --csr, it supports the --template option.

[Moxified]

I see you can set the template in a provisioner but it looks like you should be able to define the template json with the --set-file for ca sign:

--set-file=file The JSON file with the template data to send to the CA.

I tried:

step ca sign vmca.csr vmca.crt --set-file ~/.step/templates/intermediate.tpl --not-after=87600h

But it errors which is odd because I used that template previously to create an online CA cert succesfully.

error unmarshaling /home/user/.step/templates/intermediate.tpl: invalid character '{' looking for beginning of object key string

{
    "subject": {{ toJson .Subject }},
    "keyUsage": ["certSign", "crlSign"],
    "basicConstraints": {
        "isCA": true,
        "maxPathLen": 0
    }
}

[Moxified]

Gotcha. I was able to create a new provisioner and sign my csr as a new online issuer which is great.

One last irritant I can't figure out. Is there a way in the provisioner/claims to tell it to sign against the root and not the intermediate created during ca init?

Thanks!

[tashian]

Ahh. Unfortunately, step-ca currently can only sign with its intermediate, not its root.

[Moxified]

Bummer. Oh well. It will work for my lab needs. Thanks so much for your help!

[logopk]

Gotcha. I was able to create a new provisioner and sign my csr as a new online issuer which is great.

One last irritant I can't figure out. Is there a way in the provisioner/claims to tell it to sign against the root and not the intermediate created during ca init?

Thanks!

mind to share the json file that you passed to get the values into the cert. Stuck in the same spot...

[Moxified]

Sorry, I moved to a different solution. I deleted all of the vms.