Admins (or Administrators) in
step-ca are users who are able to modify
step-ca configuration. An Admin is the combination of a name (or subject) and a provisioner that grants a credential for that name. For example:
SUBJECT PROVISIONER TYPE email@example.com sandbox (JWK) SUPER_ADMIN firstname.lastname@example.org sandbox (JWK) ADMIN
There are two admins in this list -
email@example.com. Both admins must have a credential from the same provisioner (
sandbox) to prove their identity. The required credential is a X.509 Certificate with provisioner OID extension specifying the provisioner used to authenticate and issue the certificate.
Currently, there are two administrator roles -
SUPER_ADMIN role is reserved for admins who are able to add / delete / update other admins. The regular
ADMIN role can update any aspect of
step-ca configuration, excluding admins.
Below we'll give examples for a handful of common
Get an admin certificate
By default, commands that require an admin certificate will try to interactively create an admin cert / key pair in memory when such a command is executed, if an admin cert / key pair is not specified. Users will be prompted for the admin subject and the provisioner for which to generate the credential. To bypass the prompt, users can do one of the following:
- Use the
--admin-provisionerflags with the command.
- Use the
STEP_ADMIN_PROVISIONERvariables, either with the command or in the environment.
admin_provisionervalues in the
Alternatively, admin users can store an admin cert / key pair to disk and pass these files as flags, environment variables, or defaults to any admin level command.
All admin level workflows (which currently include the subcommands
step beta ca admin <...> and
step beta ca provisioner <...>) accept optional
--admin-key flags OR users can set
STEP_ADMIN_KEY environment variables OR set
admin_key in the
$(step path)/config/defaults.json file.
Static admin cert / key pairs can be generated by running
step ca certificate <subject> --provisioner <provisioner-name> where
subject is the admin name and
provisioner-name is the associated provisioner's name. e.g.
step ca certificate firstname.lastname@example.org --provisioner sandbox max.crt max.key.
List all admins
step beta ca admin list
Add an admin
# Add a SUPER_ADMIN step beta ca admin add email@example.com sandbox --super # Add a regular ADMIN step beta ca admin add firstname.lastname@example.org sandbox
Update an admin
NOTE: the subject (or name) and provisioner of an admin cannot be changed. Only the admin type (
SUPER_ADMIN) can be changed.
# Add SUPER_ADMIN privileges step beta ca admin update email@example.com --super # Remove SUPER_ADMIN privileges step beta ca admin update firstname.lastname@example.org --super=false
Remove an admin
NOTE: the last admin with
SUPER_ADMIN privileges can never be removed.
step beta ca admin remove email@example.com