X5C upstream CA seems to ignore RA provisioner x509 templates #2650
I have a two-tier step-ca setup: a Registration Authority (RA) that authenticates to an upstream Intermediate CA via an X5C provisioner. The RA hosts all provisioners (ACME, OIDC, etc.) with custom x509 templates. The intermediate CA only has the single X5C provisioner with no custom template. The x509 templates configured on the RA's provisioners are not reflected in the issued certificates. The intermediate CA appears to apply its own default template instead of honouring the RA's templated output. Is this expected behaviour? Should the upstream X5C provisioner have its own template that passes through the RA's templated fields, or is there a way to make the intermediate CA honour the RA's template output?

CA provisioners:
{
  "provisioners": [
    {
      "type": "X5C",
      "name": "prc-pki-ra-1",
      "roots": "<omitted>"
    }
  ],
  "nextCursor": ""
}

RA provisioners:
{
  "provisioners": [
    {
      "type": "OIDC",
      "name": "staff",
      "clientID": "1026597402773-hl8jmht7qb44tcp0gk3l8j346n228c0d.apps.googleusercontent.com",
      "clientSecret": "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",
      "configurationEndpoint": "https://accounts.google.com/.well-known/openid-configuration",
      "admins": [
        "luca@admin.proculair.com",
        "egidius@admin.proculair.com",
        "mink@admin.proculair.com"
      ],
      "domains": [
        "proculair.com",
        "admin.proculair.com"
      ],
      "listenAddress": ":1946",
      "claims": {
        "maxTLSCertDuration": "12h0m0s",
        "defaultTLSCertDuration": "8h0m0s",
        "enableSSHCA": false,
        "disableRenewal": true,
        "allowRenewalAfterExpiry": false,
        "disableSmallstepExtensions": false
      },
      "options": {
        "x509": {
          "template": "{\n \"subject\": {\n \"commonName\": {{ toJson .Token.email }},\n \"organizationalUnit\": \"Staff\",\n \"organization\": \"Proculair B.V.\",\n \"country\": \"NL\"\n },\n \"sans\": [\n {\"type\": \"email\", \"value\": {{ toJson .Token.email }}}\n ],\n \"keyUsage\": [\"digitalSignature\"],\n \"extKeyUsage\": [\"clientAuth\"],\n \"issuingCertificateURL\": [\"https://pki.proculaircontent.com/prc-pki-intermediate-1.crt\"]\n}\n"
        },
        "ssh": {
        }
      }
    },
    {
      "type": "ACME",
      "name": "acme",
      "forceCN": true,
      "challenges": [
        "http-01",
        "dns-01",
        "tls-alpn-01"
      ],
      "claims": {
        "maxTLSCertDuration": "12h0m0s",
        "defaultTLSCertDuration": "8h0m0s",
        "enableSSHCA": false,
        "disableRenewal": false,
        "allowRenewalAfterExpiry": false,
        "disableSmallstepExtensions": false
      },
      "options": {
        "x509": {
          "template": "{\n \"subject\": {\n \"commonName\": {{ toJson .Subject.CommonName }},\n \"organization\": \"Proculair B.V.\",\n \"country\": \"NL\"\n },\n \"sans\": {{ toJson .SANs }},\n \"keyUsage\": [\"digitalSignature\"],\n \"extKeyUsage\": [\"serverAuth\", \"clientAuth\"],\n \"issuingCertificateURL\": [\"https://pki.proculaircontent.com/prc-pki-intermediate-1.crt\"]\n}\n"
        },
        "ssh": {
        },
        "webhooks": [
          {
            "id": "8f5c40e0-f0ff-4195-93e6-253b2631e597",
            "name": "authorise",
            "url": "https://pki.proculairworkers.com/api/v1/acme/acme",
            "kind": "ENRICHING",
            "certType": "X509"
          }
        ]
      }
    },
    {
      "type": "ACME",
      "name": "endpoint",
      "challenges": [
        "device-attest-01"
      ],
      "attestationFormats": [
        "apple"
      ],
      "claims": {
        "maxTLSCertDuration": "12h0m0s",
        "defaultTLSCertDuration": "8h0m0s",
        "enableSSHCA": false,
        "disableRenewal": true,
        "allowRenewalAfterExpiry": false,
        "disableSmallstepExtensions": false
      },
      "options": {
        "x509": {
          "template": "{\n \"subject\": {\n \"commonName\": {{ toJson .Webhooks.authorise.serial }},\n \"organizationalUnit\": \"Endpoints\",\n \"organization\": \"Proculair B.V.\",\n \"country\": \"NL\"\n },\n \"sans\": {{ toJson .SANs }},\n \"keyUsage\": [\"digitalSignature\"],\n \"extKeyUsage\": [\"clientAuth\"],\n \"issuingCertificateURL\": [\"https://pki.proculaircontent.com/prc-pki-intermediate-1.crt\"]\n}\n"
        },
        "ssh": {
        },
        "webhooks": [
          {
            "id": "a6475296-9b67-45f0-9c55-d84e31bba937",
            "name": "authorise",
            "url": "https://pki.proculairworkers.com/api/v1/acme/endpoint",
            "kind": "ENRICHING",
            "certType": "X509"
          }
        ]
      }
    }
  ],
  "nextCursor": ""
}
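
As an added example that is not part of this discussion and not step-ca's own code: a small Go checker (step-ca is written in Go, so the standard crypto/x509 package is the natural tool) that parses an issued certificate and reports which fields of the RA's "staff" template above are missing or different. The expected OU, O, C, key usages and issuingCertificateURL are transcribed from that template; the Expected/StaffTemplate/CheckCert/CheckPEM/SampleCert names are mine, and the two certificates SampleCert builds are constructed, self-signed stand-ins so the program runs offline, not output from the CA described here. It assumes Go 1.21 or newer for the slices package. Pointing CheckPEM at a certificate actually issued through the RA shows exactly which templated fields the upstream X5C provisioner carried through and which it replaced.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// Expected lists the fields an x509 template is supposed to produce in the issued certificate.
type Expected struct {
	OrganizationalUnit, Organization, Country, IssuingCertURL string
	KeyUsage                                                 x509.KeyUsage
	ExtKeyUsage                                              []x509.ExtKeyUsage
}

// StaffTemplate is transcribed from the RA "staff" provisioner template in the discussion.
var StaffTemplate = Expected{
	OrganizationalUnit: "Staff", Organization: "Proculair B.V.", Country: "NL",
	IssuingCertURL: "https://pki.proculaircontent.com/prc-pki-intermediate-1.crt",
	KeyUsage:       x509.KeyUsageDigitalSignature,
	ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
}

// CheckCert returns one message per template field the certificate deviates from; empty means honoured.
func CheckCert(cert *x509.Certificate, want Expected) []string {
	var problems []string
	expect := func(label string, got []string, w string) {
		if !slices.Contains(got, w) {
			problems = append(problems, fmt.Sprintf("%s: want %q, got %v", label, w, got))
		}
	}
	expect("subject OU", cert.Subject.OrganizationalUnit, want.OrganizationalUnit)
	expect("subject O", cert.Subject.Organization, want.Organization)
	expect("subject C", cert.Subject.Country, want.Country)
	expect("issuingCertificateURL", cert.IssuingCertificateURL, want.IssuingCertURL)
	if cert.KeyUsage != want.KeyUsage {
		problems = append(problems, fmt.Sprintf("keyUsage: want %d, got %d", want.KeyUsage, cert.KeyUsage))
	}
	// Extended key usages are compared as sets, so their order does not matter.
	got, exp := slices.Clone(cert.ExtKeyUsage), slices.Clone(want.ExtKeyUsage)
	slices.Sort(got)
	slices.Sort(exp)
	if !slices.Equal(got, exp) {
		problems = append(problems, fmt.Sprintf("extKeyUsage: want %v, got %v", exp, got))
	}
	return problems
}

// CheckPEM is the entry point for a certificate actually issued through the RA.
func CheckPEM(pemBytes []byte, want Expected) ([]string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	return CheckCert(cert, want), nil
}

// SampleCert is a constructed, self-signed stand-in for CA output (not real CA output). stripped=false
// carries every staff-template field; stripped=true keeps CN, O, C and the email SAN but lacks OU, clientAuth-only EKU and AIA.
func SampleCert(stripped bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(8 * time.Hour),
		Subject:        pkix.Name{CommonName: "luca@admin.proculair.com", Organization: []string{"Proculair B.V."}, Country: []string{"NL"}},
		EmailAddresses: []string{"luca@admin.proculair.com"},
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if !stripped {
		tmpl.Subject.OrganizationalUnit = []string{"Staff"}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		tmpl.IssuingCertificateURL = []string{StaffTemplate.IssuingCertURL}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	pemBytes, _ := SampleCert(true) // constructed stripped sample; swap in a real PEM to check CA output
	problems, err := CheckPEM(pemBytes, StaffTemplate)
	fmt.Println(problems, err)
}
```

The stripped sample reports three deviations (subject OU, issuingCertificateURL, extKeyUsage) while the full sample reports none; run against a real certificate, the list is the concrete evidence of which RA template fields the upstream CA dropped, which is more useful in a bug report than "the template is ignored".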
The RA policy block was also ignored, only the CA's policy block is checked. This is IMO fine because it seems to be more the CA's job. But the template per provisioner seems to me to very much be the RA's job.

In the current architecture it would require setting up multiple RAs against different JWK or X5C provisioners, which would then have their own templates.