"step ca certificate" works with PKCS11

[yangfande362]

Hello!

• Vote on this issue by adding a 👍 reaction
• If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Now we want to generate the leaf certificate by the "step ca certificate", and hope it can use the private key in the TPM2.0 via PKCS11 which created by the "step-kms-plugin".
But we failed, when we used such a command "step ca certificate 10.72.1.101 /etc/nginx/conf.d/certs/nginx-0620.crt pkcs11:id=10000000 --token a-token --ca-url=https://192.168.51.101:6000 --root=/etc/nginx/conf.d/certs/root_ca.crt" , and expect to generate a certificate and no private file cause the private key exists in the KMS URI, but actually there genetate a private key which file name was "pkcs11:id=10000000", and the content of the file exactly is a private key, it seems the KMS parameter was not useful, and can't use the private key which existed in the TPM 2.0.

Why is this needed?

We want to use TPM 2.0 to protect our CA private key as the same as the leaf private key.

[yangfande362]

Suppliment, I found it was supported with "step certificate create" and "step ca renew", so it should also support with "step ca certificate" , is there have something wrong with my usage?
See also #1353

And when I tried to use "step ca renew" to renew a certificate created by "step certificate create" both via KMS, it failed as well,
It seems "step ca renew" must work with "step ca certificate".

[yangfande362]

When I try to renew with a certificate which generated by "step certificate create" by following command ```
step ca renew --kms 'pkcs11:module-path=/usr/local/lib/libtpm2_pkcs11.so;token=mykey?pin-value=Obcu@ca' --force --ca-url=https://192.168.51.101:6000 --root /etc/nginx/conf.d/certs/root_ca.crt nginx-tpm.crt pkcs11:id=10000000;object=obcuca

the console shows like this

error validating renew token
Re-run with STEPDEBUG=1 for more info.
github.com/smallstep/cli/command/ca.(*renewer).Renew
github.com/smallstep/cli/command/ca/renew.go:484
github.com/smallstep/cli/command/ca.renewCertificateAction
github.com/smallstep/cli/command/ca/renew.go:341
github.com/smallstep/cli/command/ca.renewCertificateCommand.ActionFunc.func1
github.com/smallstep/cli-utils@v0.12.1/command/command.go:38
github.com/urfave/cli.HandleAction
github.com/urfave/cli@v1.22.16/app.go:522
github.com/urfave/cli.Command.Run
github.com/urfave/cli@v1.22.16/command.go:175
github.com/urfave/cli.(*App).RunAsSubcommand
github.com/urfave/cli@v1.22.16/app.go:405
github.com/urfave/cli.Command.startApp
github.com/urfave/cli@v1.22.16/command.go:380
github.com/urfave/cli.Command.Run
github.com/urfave/cli@v1.22.16/command.go:103
github.com/urfave/cli.(*App).Run
github.com/urfave/cli@v1.22.16/app.go:277
main.main
./main.go:73
runtime.main
runtime/proc.go:283
runtime.goexit
runtime/asm_amd64.s:1700

[yangfande362]

After all, I used "step certificate create --csr" firstly, then used "step ca sign" to sign for a leaf certificate for nginx, and then it worked well with "step ca renew".

so when via PKCS11, if want to use "step certificate create" generate a new certificate one-step, it still can not successful, because the command can not reference the pricate key in PKCS11 URI.