Description
Hello!
- Vote on this issue by adding a 👍 reaction
- If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
Issue details
Hi, I recently started using step-ca in a docker container and I must say that it felt quite rewarding to see that custom SSL certificate in my browser for the first time after 3 hours of working my head around this complicated stuff.
This is more likely a "nice to have" feature and not an issue in the first place.
Anyway, as I was playing around with the certificates, I noticed that my browser (Firefox) automatically recognized the certificate chain as follows:

I had to import my Root CA certificate as described in the documentation and it worked flawlessly after using this command: &".\step_windows_amd64\bin\step.exe" ca bootstrap --ca-url "<ca_host>" --fingerprint "<root_certificate_fingerprint>" --install
When I clicked on an issued certificate, I noticed that Windows itself could not resolve the full path like the browser:

When I exported and installed the "intermediate_ca.crt" file on my computer, it allowed Windows to grasp the complete chain:


I am not sure if the "intermediate_ca.crt" is meant to be installed on a system because it works in the browser regardless, but I think it's nice to have it.
I tried the following command to install it, similar to the Root CA: &".\step_windows_amd64\bin\step.exe" ca bootstrap --ca-url "<ca_host>" --fingerprint "<intermediate_certificate_fingerprint>" --install
but it could not find a matching certificate. The API did not seem to provide the "intermediate_ca.crt" file either.
Is there a different way to solve this "problem"?
Why is this needed?
I don't think this is a necessary addition, but it would be cool if the command &".\step_windows_amd64\bin\step.exe" ca bootstrap --ca-url "<ca_host>" --fingerprint "<any_certificate_fingerprint>"
would work for other certificates than the Root CA.
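
The manual step described in the issue (installing the exported "intermediate_ca.crt" so Windows can build the full chain) can be scripted with a fingerprint check before the import. This is an added example, not part of the original issue and not step-ca's own tooling. It assumes the file sits in the current directory, that the expected SHA-256 fingerprint was obtained out of band, that the Root CA is already trusted (as after the `ca bootstrap ... --install` command above), and that the current user's store is the target.

```powershell
# Assumptions (not from the issue): file location and the current-user store as the target.
$intermediatePath = ".\intermediate_ca.crt"
# Placeholder: SHA-256 fingerprint of the intermediate, obtained out of band (hex).
$expectedSha256   = "<intermediate_certificate_fingerprint>"

# Load the exported certificate (PEM or DER) without installing it yet.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    (Resolve-Path $intermediatePath).Path)

# Compute SHA-256 over the DER encoding of the certificate.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = -join ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString("x2") })
$sha256.Dispose()

if ($actual -ne $expectedSha256.ToLower()) {
    throw "Fingerprint mismatch: got $actual, refusing to import."
}

# Confirm the intermediate chains to a root that is already trusted on this machine.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
    throw "Intermediate does not chain to a trusted root: $reasons"
}

# Cert:\CurrentUser\CA is the "Intermediate Certification Authorities" store.
# An intermediate belongs here, not in the Root store: it is not a trust anchor.
Import-Certificate -FilePath $intermediatePath -CertStoreLocation Cert:\CurrentUser\CA

# Show the resulting store entry.
Get-ChildItem Cert:\CurrentUser\CA |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Format-List Subject, Issuer, NotAfter, Thumbprint
```

Installing the intermediate on a client only affects how that client builds the chain; other clients still need the intermediate from the server or in their own store.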