Skip to content

Make use of the templating system when creating a csr #1415

New issue
New issue
Closed
#1431
smallstep/crypto
#767
Closed
Make use of the templating system when creating a csr#1415
#1431
smallstep/crypto
#767
Assignees
maraino
Labels
enhancementneeds triageWaiting for discussion / prioritization by team
@PreterPant

Description

@PreterPant
PreterPant
opened on Apr 23, 2025

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

I ran into issues with step-ca under an ADCS (Active Directory Certificate Services) root, which I tracked down to the fact that the intermediate key I had signed for step-ca did not contain the KeyUsage extension.

This is due to a combination of

  • step certificate create not encoding the KeyUsage in the CSR
  • ADCS being configured in a recommended way which takes the KeyUsage from the CSR

Therefore I suggest to extend step certificate create such that it can encode Requested Extensions into a CSR through the templating system, using the parameters --profile=<profile> as well as --template=<file>.

Why is this needed?

Since many companies (still) run their roots on ADCS and the configuration is pretty common to meet the Common PKI profile, I think it is worth to at least encode the key usages when creating a CSR for the intermediate. To have better feature parity with openssl, I would suggest expanding the templating to the whole CSR creation.

Workarounds

I see two ways to work around this at this point.

Using openssl

One can use openssl to create a CSR with the Requested Extensions like so.

subca_extensions.cnf

[req]
distinguished_name=req_distinguished_name
req_extensions = v3_subca

[req_distinguished_name]
[ v3_subca ]
keyUsage = critical, cRLSign, keyCertSign
basicConstraints = critical,CA:true,pathlen:0

openssl req -new --newkey rsa:4096 -keyout subca.key -out intermediate_ca.csr -subj "/CN=Test" -config subca_extensions.cnf
# Step CA uses a different format for their private key, so just in case, convert the generated key to that
openssl pkey -in subca.key -out intermediate_ca_key -aes-256-cbc -traditional

Manually editing the request in ADCS

For this to work, ADCS must be configured to mark new requests as pending. This should be the default for a root CA. Then after submitting the CSR with certreq, one can use certutil -setextension to add the KeyUsage extension to the request.

certreq.exe -config - -submit -attrib "CertificateTemplate:SubCA" intermediate.csr

REM note down the RequestId given by certreq

certutil.exe -setextension <RequestId> 2.5.29.15 1 50462982
certutil.exe -resubmit <RequestId>
certreq.exe -config - -f -retrieve <RequestId> intermediate.crt

Where 50462982 should be the long representation of the KeyUsage KeyCertSign + cRLSign.

Metadata

Metadata

Assignees

Labels

enhancementneeds triageWaiting for discussion / prioritization by team

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions