A way to fetch the intermediate certificate

[CMCDragonkai]

What would you like to be added

The step root command gets the root certificate. But what if you want the intermediate certificate? What if you want the entire chain. I would like a command that could fetch the whole path or some part of the path.

Why this is needed

When code signing, the signature requires the path to the intermediate certificate. I'm using openssl cms command to do this atm:

#!/usr/bin/env sh

artifact="$1"
signature="$2"

openssl cms \
  -sign -binary -noattr \
  -in "$artifact" \
  -signer "$CODE_SIGNING_CERT" \
  -inkey "$CODE_SIGNING_KEY" \
  -certfile "$ROOT_TLS_CERT" \
  -outform DER \
  -out "$signature"

And then I realized that the above command requires the intermediate cert too, but it's not available.

[maraino]

@dopey @CMCDragonkai step certificate inspect --bundle <url> returns the server and intermediate certificate for a URL, an option to solve this can be to add a --raw command to get the actual PEM.

[CMCDragonkai]

But I want the intermediate cert of the step ca server not of some website.

…

On 3 February 2020 12:11:48 GMT+11:00, Mariano Cano ***@***.***> wrote: @dopey @CMCDragonkai `step certificate inspect --bundle <url>` returns the server and intermediate certificate for a URL, an option to solve this can be to add a --raw command to get the actual PEM. -- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: #207 (comment)

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.

[mmalone]

When you request a certificate from step-ca we actually send you a "bundle" that includes the intermediate certificate along with your new leaf certificate. This is what you want 99% of the time for TLS. So if you're getting a cert from step-ca you can pull the intermediate out of that bundle. The openssl cms command might even accept a bundle and do the right thing without specifying the intermediate separately.

That said, it does seem like we could provide a step ca intermediate command to fetch the current intermediate. I also noticed that the step certificate inspect command doesn't have an option to dump PEM. That could be a nice addition, as you could fetch the intermediate by running step certificate inspect against the step-ca and parsing the intermediate out of the PEM bundle (e.g., step certificate inspect --bundle --format pem https://<ca-url>). I created a new issue (#214) to discuss this addition.

[mmalone]

Relatedly, I think the /root/{sha} endpoint on step-ca actually returns the intermediate(s) in a separate attribute now. So you might be able to simply curl that endpoint and pipe it through jq to get the intermediate from the CA, as a workaround. @maraino is that correct?

[CMCDragonkai]

There are plenty of workarounds, but this feature request is just about adding that command to the step CLI so it can be as easy to fetch the intermediate certificate.

[ki-pete]

Is there a opportunity to add a second intermediate certificate to the bundle which is send if a certificate is requested?

My current workaround is to use /root and add the second intermediate certificate as second certificate to the array.

[dopey]

Hey @ki-pete! I think you're asking about something more akin to smallstep/certificates#244. Is that right?

If that's the case please +1 or comment on that issue (community support helps us with roadmap / prioritization). If I've misunderstood, please explain the use case in a bit more detail - maybe we need a new issue / ticket for it.

[ki-pete]

Hi @dopey,
thanks a lot. That is what I'm looking for.

[lriley2020]

+1 was just googling to see if this command existed - would definitely love to see it implemented!