Adding and (keeping up to date) a user cert in a local user store for authenticating to websites that require mTLS

[dopey]

@carpenike I am paraphrasing from Gitter (hope that's ok).

Traditional AD environments would handle this via AD integrated CAs and handle user cert provisioning via GPO

StepCA defaults to 24hr certs so there needs to be a way to keep that cert in the user store current.

An example of a solution that worked on Windows using a scheduled task:

step ca renew --daemon --exec "powershell.exe -command Get-Childitem -Path C:\tools\step-ca\client.crt | Import-Certificate -CertStoreLocation Cert:\CurrentUser\My" client.crt client.key

Would be great to have documentation for iOS devices too.
End goal being mTLS auth to web services via browser.

[carpenike]

Yup this sounds about right! It operates a bit strange but it does appear to renew certs everyday.

[maraino]

We should add this to the step ca renew help too.

[carpenike]

Would be nice if the user cert could be imported to the store the same way the tool imports the root_ca cert into the root store.

[dopey]

Hey @carpenike, we discussed this a bit today. As of now, we don't exactly know where this type of documentation should live. We're trying to move the Smallstep docs away (at least in the short term) from documenting every mTLS setup and configuration. Once we get past the most common scenarios it can become very nuanced and bespoke.

While we give ourselves some more time to figure out where these sorts of docs/tutorials should live, I'm going to convert this issue to a discussion on the certificates repo. That way we can continue to collect use cases in a more open forum.

[Yamakaky]

Did you consider creating a browser extension for that? I don't know if they can manage client certificates?