Allow step ca certificate to read token from a file #1435

Open
@Alxandr

Description

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

I'm creating some automation tooling that programmatically calls `step ca token` and `step ca certificate`, and it turns out that it's much easier to have things written to disk, and not have to deal with STDOUT/STDIN in this particular case. `step ca token` already has a `--output-file` parameter. I suggest `step ca certificate` gets a matching `--token-file` parameter.

Why is this needed?

It would just simplify some tooling, and make more of the commands similar to each other.

Activity

hslatman commented on Jun 9, 2025

Member

Have you tried `step ca certificate` with the `--password-file` or `--provisioner-password-file` flag? In the usual setup the encrypted JWK is retrieved from the CA, and the password (file) is used to decrypt it, and create a new token in that single flow. Or does your use case require `step ca token` to be performed on its own? In that case, `--token $(cat token-file)` might work? I can see `--token-file` making sense, but it would be yet another way to provide the token, and, as the token is considered confidential and single use (generally), would be best to clean up.

self-assigned this
on Jun 9, 2025
Alxandr commented on Jun 9, 2025

Author

I have not. I'm sort of just stumbling my way into things that work here :P. The error message led me to pass a `--token`, so that's the reason I went that way. I didn't know I could combine both into just a `step ca certificate` call, so that's probably the correct solution.

I would still argue that it makes sense to allow the certificate command to accept the token from a file (given how file-heavy all the other commands are), but it's much less important for me.

removed their assignment
on Jun 10, 2025
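
The two-step flow discussed in this thread, written as an added example that is not code from either participant or from the smallstep project: it writes the token with `--output-file`, passes it with `--token "$(cat …)"`, and removes the file afterwards. The function name `issue_cert_via_token_file` and its argument order are hypothetical; it assumes `step` is on the PATH, already configured for a CA, and that the provisioner password is stored in a file.

```shell
#!/bin/sh
# Added example. issue_cert_via_token_file is a hypothetical helper name;
# subject, output paths and the password file are supplied by the caller.
# Usage: issue_cert_via_token_file SUBJECT CRT KEY PROVISIONER_PASSWORD_FILE

issue_cert_via_token_file() {
    subject=$1 crt=$2 key=$3 pwfile=$4
    rc=0

    # mktemp -d creates the directory with mode 0700, so other local users
    # cannot reach the token file inside it.
    tokdir=$(mktemp -d) || return 1
    tokfile=$tokdir/token

    # Step 1: write the one-time token to disk with the existing
    # --output-file flag instead of capturing STDOUT.
    step ca token "$subject" \
        --provisioner-password-file "$pwfile" \
        --output-file "$tokfile" || rc=$?

    # Step 2: the workaround from the thread, reading the file into --token.
    # The token is then part of the argument list of the running step
    # process, so it is visible to anything that can list process arguments.
    if [ "$rc" -eq 0 ]; then
        step ca certificate "$subject" "$crt" "$key" \
            --token "$(cat "$tokfile")" || rc=$?
    fi

    # The token is confidential and single use: remove it whether or not
    # the certificate request succeeded.
    rm -rf "$tokdir"
    return "$rc"
}
```
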
Allow `step ca certificate` to read token from a file · Issue #1435 · smallstep/cli