Admins (or Administrators) in step-ca are users who are able to modify step-ca configuration. An Admin is the combination of a name (or subject) and a provisioner that grants a credential for that name. For example:
SUBJECT                PROVISIONER     TYPE
max@smallstep.com      sandbox (JWK)   SUPER_ADMIN
mariano@smallstep.com  sandbox (JWK)   ADMIN
There are two admins in this list: max@smallstep.com and mariano@smallstep.com. Both admins must have a credential from the same provisioner (sandbox) to prove their identity.
The required credential is an X.509 certificate carrying the provisioner OID extension, which specifies the provisioner used to authenticate the admin and issue the certificate.
Currently, there are two administrator roles: SUPER_ADMIN and ADMIN. The SUPER_ADMIN role is reserved for admins who are able to add, delete, and update other admins. The regular ADMIN role can update any aspect of step-ca configuration, excluding admins.
Below we'll give examples for a handful of common admin workflows.
Get an admin certificate
By default, commands that require an admin certificate will try to interactively create an admin cert / key pair in memory when such a command is executed, if an admin cert / key pair is not specified. Users will be prompted for the admin subject and the provisioner for which to generate the credential. To bypass the prompt, users can do one of the following:
- Use the --admin-subject and --admin-provisioner flags with the command.
- Use the STEP_ADMIN_SUBJECT and STEP_ADMIN_PROVISIONER environment variables, either with the command or in the environment.
- Set the admin_subject and admin_provisioner values in $(step path)/config/defaults.json.
Alternatively, admin users can store an admin cert / key pair on disk and pass these files as flags, environment variables, or defaults to any admin-level command.
All admin-level workflows (which currently include the subcommands step beta ca admin <...> and step beta ca provisioner <...>) accept optional --admin-cert and --admin-key flags. Alternatively, users can set the STEP_ADMIN_CERT and STEP_ADMIN_KEY environment variables, or set admin_cert and admin_key in the $(step path)/config/defaults.json file.
Static admin cert / key pairs can be generated by running step ca certificate <subject> --provisioner <provisioner-name> <cert-file> <key-file>, where subject is the admin name and provisioner-name is the associated provisioner's name. For example: step ca certificate max@smallstep.com --provisioner sandbox max.crt max.key.
List all admins
step beta ca admin list
Add an admin
# Add a SUPER_ADMIN
step beta ca admin add max@smallstep.com sandbox --super
# Add a regular ADMIN
step beta ca admin add max@smallstep.com sandbox
Update an admin
NOTE: the subject (or name) and provisioner of an admin cannot be changed. Only the admin type (ADMIN or SUPER_ADMIN) can be changed.
# Add SUPER_ADMIN privileges
step beta ca admin update max@smallstep.com --super
# Remove SUPER_ADMIN privileges
step beta ca admin update max@smallstep.com --super=false
Remove an admin
NOTE: the last admin with SUPER_ADMIN privileges can never be removed.