🔑 Provisioners

See also

Please check out the official documentation to learn more about configuring step-ca provisioners.

Initial provisioners

When the CA is initialised for the first time, two provisioners are created:

Provisioner   Usage                 Default duration      Max duration
-----------   -------------------   -------------------   --------------------
server-jwk    Server certificates   1095 days (3 years)   3650 days (10 years)
client-jwk    Client certificates   24 hours (1 day)      365 days (1 year)

Hint

The JWK provisioners use different templates.

Additional provisioners

Additional provisioners can be created via the step ca provisioner add CLI command in the ca container.

Example CLI command inside the ca container
# Create random password.
openssl rand -base64 32 >passwords/{name}

# Create new provisioner for client certificates.
step ca provisioner add {name} \
    --type=JWK \
    --create --password-file=passwords/{name} \
    --x509-max-dur={duration} \
    --x509-default-dur={duration} \
    --x509-template={template}

Example CLI command on the Docker host via docker exec
# Create random password.
docker exec ca sh -c 'openssl rand -base64 32 >passwords/{name}'

# Create new provisioner for client certificates.
docker exec ca step ca provisioner add {name} \
    --type=JWK \
    --create --password-file=passwords/{name} \
    --x509-max-dur={duration} \
    --x509-default-dur={duration} \
    --x509-template={template}

Tip

  • The provisioner name should be alphanumeric

  • The duration should be given in minutes (e.g. 15m) or hours (e.g. 24h)

  • The template can be retrieved from Templates
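
The constraints in the tip above can be checked before anything is sent to the CA. The following is an added example, not part of this project or of step-ca: the function names and the sample provisioner name vpnclients are hypothetical, and the script only prints the two commands (dry run). The umask 077 in the first printed command is an addition to the command shown above.

```shell
#!/bin/sh
# Added example (hypothetical helper names); prints commands, runs nothing.

# The name lands in a file path and an `sh -c` string: alphanumerics only.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
}

# Convert "15m" or "24h" to minutes; reject every other format.
dur_to_minutes() {
    num=${1%[mh]}
    case "$num" in ''|0*|*[!0-9]*) return 1 ;; esac
    case "$1" in
        *m) echo "$num" ;;
        *h) echo $((num * 60)) ;;
        *)  return 1 ;;
    esac
}

# Only the two templates shipped in the image are accepted.
valid_template() {
    case "$1" in
        /templates/serverAuth.tpl|/templates/clientAuth.tpl) return 0 ;;
    esac
    return 1
}

# Validate all inputs, then print the password and provisioner commands.
provisioner_cmds() {
    name=$1 default=$2 max=$3 tpl=$4
    valid_name "$name" || { echo "bad name: $name" >&2; return 1; }
    valid_template "$tpl" || { echo "unknown template: $tpl" >&2; return 1; }
    d=$(dur_to_minutes "$default") || { echo "bad duration: $default" >&2; return 1; }
    m=$(dur_to_minutes "$max") || { echo "bad duration: $max" >&2; return 1; }
    [ "$d" -le "$m" ] || { echo "default duration exceeds max" >&2; return 1; }
    # umask 077 creates the password file with mode 0600.
    echo "docker exec ca sh -c 'umask 077; openssl rand -base64 32 >passwords/$name'"
    echo "docker exec ca step ca provisioner add $name --type=JWK --create" \
         "--password-file=passwords/$name --x509-max-dur=$max" \
         "--x509-default-dur=$default --x509-template=$tpl"
}

# Constructed sample values.
provisioner_cmds vpnclients 24h 168h /templates/clientAuth.tpl
```

Review the printed commands and run them on the Docker host once they look right.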

Templates

The Docker image provides 2 templates:

  • /templates/serverAuth.tpl: Used for server certificates

  • /templates/clientAuth.tpl: Used for client certificates