Admins (or Administrators) in step-ca are users who are able to modify step-ca configuration. An Admin is the combination of a name (or subject) and a provisioner that grants a credential for that name. For example:

SUBJECT                   PROVISIONER        TYPE      sandbox (JWK)      SUPER_ADMIN  sandbox (JWK)    ADMIN

There are two admins in this list - and Both admins must have a credential from the same provisioner (sandbox) to prove their identity. The required credential is a X.509 Certificate with provisioner OID extension specifying the provisioner used to authenticate and issue the certificate.

Currently, there are two administrator roles - SUPER_ADMIN and ADMIN. The SUPER_ADMIN role is reserved for admins who are able to add / delete / update other admins. The regular ADMIN role can update any aspect of step-ca configuration, excluding admins.

Below we'll give examples for a handful of common admin workflows.

Get an admin certificate

By default, commands that require an admin certificate will try to interactively create an admin cert / key pair in memory when such a command is executed, if an admin cert / key pair is not specified. Users will be prompted for the admin subject and the provisioner for which to generate the credential. To bypass the prompt, users can do one of the following:

  • Use the --admin-subject and --admin-provisioner flags with the command.
  • Use the STEP_ADMIN_SUBJECT and STEP_ADMIN_PROVISIONER variables, either with the command or in the environment.
  • Set admin_subject and admin_provisioner values in the $(step path)/config/defaults.json.

Alternatively, admin users can store an admin cert / key pair to disk and pass these files as flags, environment variables, or defaults to any admin level command.

All admin level workflows (which currently include the subcommands step beta ca admin <...> and step beta ca provisioner <...>) accept optional --admin-cert and --admin-key flags OR users can set STEP_ADMIN_CERT and STEP_ADMIN_KEY environment variables OR set admin_cert and admin_key in the $(step path)/config/defaults.json file.

Static admin cert / key pairs can be generated by running step ca certificate <subject> --provisioner <provisioner-name> where subject is the admin name and provisioner-name is the associated provisioner's name. e.g. step ca certificate --provisioner sandbox max.crt max.key.

List all admins

step beta ca admin list

Add an admin

step beta ca admin add sandbox --super

# Add a regular ADMIN
step beta ca admin add sandbox

Update an admin

NOTE: the subject (or name) and provisioner of an admin cannot be changed. Only the admin type (ADMIN or SUPER_ADMIN) can be changed.

# Add SUPER_ADMIN privileges
step beta ca admin update --super

# Remove SUPER_ADMIN privileges
step beta ca admin update --super=false

Remove an admin

NOTE: the last admin with SUPER_ADMIN privileges can never be removed.

step beta ca admin remove