Description
In certain environments with pre-existing PKI infrastructure, root CA certificates may lack the keyCertSign (and/or crlSign) KeyUsage flags, even though they are trusted and functionally valid within the organization. Currently, step-ca enforces strict KeyUsage validation during certificate signing, which prevents issuing certificates from such root CAs—even when the operational context deems it acceptable.
This request is for a configurable mechanism to optionally bypass KeyUsage validation for certificate signing operations, to support compatibility with legacy or non-conforming—but trusted—PKI setups.
Use Case
Organizations migrating to step-ca may rely on root certificates that do not strictly comply with RFC 5280 KeyUsage requirements. Replacing these root certificates can be operationally infeasible due to scale, legacy system dependencies, compliance constraints, or risk of service disruption.
Desired Behavior
Provide a way—via configuration or command-line option—to disable KeyUsage validation for certificate signing. The feature should:
- Be disabled by default
- Apply at an appropriate scope (e.g., authority-wide or per provisioner)
- Include clear documentation and runtime warnings when enabled
- Not compromise security for users who do not explicitly opt in
Additional Context
The current validation is implemented as part of the certificate signing pipeline and aligns with best practices, but real-world PKI deployments sometimes require flexibility. This request seeks a pragmatic, opt-in escape hatch for such scenarios without altering default secure behavior.
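An added illustration, not code from the issue or from step-ca: a small Go check of the RFC 5280 conditions a root must satisfy before it can act as an issuer, the kind of audit an organization in the situation described above could run on its existing root before deciding whether it needs such a bypass. The roots are constructed in memory as stand-ins for a real legacy root, and the finding texts are my own wording.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// CheckCAKeyUsage lists the RFC 5280 reasons a certificate would be refused as an
// issuer: basicConstraints cA (4.2.1.9) and a keyUsage with keyCertSign (4.2.1.3).
func CheckCAKeyUsage(c *x509.Certificate) []string {
	var findings []string
	if !c.IsCA {
		findings = append(findings, "basicConstraints cA flag not set")
	}
	switch {
	case c.KeyUsage == 0: // Go reports zero when the keyUsage extension is absent
		findings = append(findings, "keyUsage extension absent (required on a signing CA)")
	case c.KeyUsage&x509.KeyUsageCertSign == 0:
		findings = append(findings, "keyUsage present but keyCertSign missing")
	}
	if c.KeyUsage != 0 && c.KeyUsage&x509.KeyUsageCRLSign == 0 {
		findings = append(findings, "keyUsage present but cRLSign missing (only matters if this CA signs CRLs)")
	}
	return findings
}

// NewSelfSignedRoot builds a constructed in-memory root carrying the given keyUsage
// bits (ku == 0 omits the extension); a real audit would load the root from PEM.
func NewSelfSignedRoot(ku x509.KeyUsage) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              ku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A root built with only digitalSignature is reported for both keyCertSign and cRLSign, one built with keyCertSign|cRLSign is clean, and one with no keyUsage extension at all gets the single "absent" finding.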