In the "Example: Intermediate CA Chain" section of "Announcing X.509 Certificate Flexibility", there's a bit saying (emphasis mine):

> In this scenario, we'll create our PKI entirely offline, with the step command. We can always use the resulting credentials to establish an online CA later—however, step-ca does not currently support sending certificate bundles of more than two certificates to clients, so you'd need to do some extra work to support this in your setup.

This was written almost a year ago, so my first question is: Is it still true that step-ca doesn't support this?
Assuming that it's still true that step-ca doesn't support this, could I please get a little elaboration on the practical consequences, and what "extra work to support this" might entail?
So, for example, if I were to set up the PKI this way, does that mean step-ca would essentially be completely useless for it, and I would have to use some other (non-step-ca) server to provide all the services that step-ca otherwise would? Or perhaps some specific functionality (which?) wouldn't work, like "You won't be able to use step bootstrap" or "ACME won't work"?
Thanks in advance.