Provisioners authenticate certificate requests. Certificate lifetimes, access control policies, renewal, templates, and many other options are configurable per-provisioner.
By setting claims on a provisioner, you can control the minimum, maximum, and default certificate lifetimes. Let's take a look at the claims on the authority-admin provisioner that is created automatically with your Authority.
In the output below, X.509 claims are enabled with a maximum duration of 8784 hours (366 days). No default duration is set, so the authority default of 24 hours applies.
step beta ca provisioner get authority-admin

No admin credentials found. You must login to execute admin commands.
✔ Please enter admin name/subject (e.g., name@example.com):
✔ Provisioner: authority-admin (OIDC)
Your default web browser has been opened to visit:

https://auth.smallstep.com/oidc/

{
  "id": "2e8b84fa-5af6-4635-a3c2-f852f8011834",
  "authorityId": "f09f83fd-7e58-418d-9a30-ef4885336873",
  "type": "OIDC",
  "name": "authority-admin",
  "details": {
    "OIDC": {
      "clientId": "380d0a5a-7263-4e4365",
      "clientSecret": "fab9df242449bf96",
      "configurationEndpoint": "https://auth.smallstep.com/oidc/beta/.well-known/openid-configuration",
      "admins": [
        "TeamAdmins@yourco.com"
      ],
      "listenAddress": "127.0.0.1:10000"
    }
  },
  "claims": {
    "x509": {
      "enabled": true,
      "durations": {
        "max": "8784h0m0s"
      }
    }
  }
}
Here, we'll update the claims on the provisioner so that the default certificate lifetime is 7 days (168h). We will also set the minimum lifetime to 5 minutes and the maximum lifetime to 500 days (12000h):
step beta ca provisioner update authority-admin \
  --x509-default-dur=168h --x509-min-dur=5m --x509-max-dur=12000h

...
  },
  "claims": {
    "x509": {
      "enabled": true,
      "durations": {
        "default": "168h",
        "min": "5m",
        "max": "12000h"
      }
    }
  },
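To make the effect of these three claims concrete, here is an added example (not step-ca's own code) that parses the claims JSON shown above and resolves the lifetime a request would receive: the default applies when no lifetime is requested, and anything outside [min, max] is rejected. The 24h fallback is the authority default quoted on this page; the 5m minimum and 24h maximum fallbacks for unset claims are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Claims mirrors the "claims" object printed by `step beta ca provisioner get`.
type Claims struct {
	X509 struct {
		Enabled   bool              `json:"enabled"`
		Durations map[string]string `json:"durations"` // keys: min, default, max
	} `json:"x509"`
}

// Fallbacks for unset claims: 24h default is the authority default quoted on the page;
// the 5m min and 24h max are assumptions made for this example.
var fallback = map[string]time.Duration{"min": 5 * time.Minute, "default": 24 * time.Hour, "max": 24 * time.Hour}

// claimDur returns the parsed claim, or the authority fallback when it is unset.
func claimDur(durs map[string]string, key string) (time.Duration, error) {
	if s, ok := durs[key]; ok {
		return time.ParseDuration(s) // accepts "5m", "168h", "8784h0m0s"
	}
	return fallback[key], nil
}

// EffectiveLifetime resolves the lifetime a request receives under these claims:
// requested == 0 means none was asked for, so the default applies; anything outside [min, max] is rejected.
func EffectiveLifetime(claimsJSON []byte, requested time.Duration) (time.Duration, error) {
	var c Claims
	if err := json.Unmarshal(claimsJSON, &c); err != nil {
		return 0, err
	}
	if !c.X509.Enabled {
		return 0, fmt.Errorf("x509 issuance is disabled on this provisioner")
	}
	var lim [3]time.Duration // min, default, max
	for i, key := range []string{"min", "default", "max"} {
		d, err := claimDur(c.X509.Durations, key)
		if err != nil {
			return 0, fmt.Errorf("claim %s: %w", key, err)
		}
		lim[i] = d
	}
	if requested == 0 {
		requested = lim[1]
	}
	if requested < lim[0] || requested > lim[2] {
		return 0, fmt.Errorf("requested lifetime %s is outside [%s, %s]", requested, lim[0], lim[2])
	}
	return requested, nil
}
```

With the updated claims, a request with no lifetime resolves to 168h, while 1m or 12001h is rejected; with the original claims (only max set) the same request resolves to the 24h authority default.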
Issue and inspect a certificate to test the new 7-day default expiry:
step ca certificate newdefault newdefault.crt newdefault.key

✔ Provisioner: authority-admin (OIDC)
✔ CA: https://production.yourco.ca.smallstep.com
✔ Certificate: newdefault.crt
✔ Private Key: newdefault.key

step certificate inspect newdefault.crt --short

X.509v3 TLS Certificate (ECDSA P-256) [Serial: 2046...1094]
  Subject:     newdefault
  Issuer:      Production Intermediate CA
  Provisioner: authority-admin [ID: 380d...c5c0]
  Valid from:  2021-10-29T00:18:43Z
          to:  2021-11-05T00:19:43Z
PLEASE NOTE: The claims section on any provisioner can define or modify the minimum and maximum certificate lifetimes and the default certificate expiry. A single Authority can support many provisioners, each unlocking a different automated workflow.