New Certifcates are all signed by an unknown authority.

[NoobSpielt]

Hey!

I am quite new with step ca so probably I just did some stupid error.

I installed Step-Ca with that Documentation: https://smallstep.com/docs/step-ca/getting-started

With that I created a root and a intermedia ca cert.

Now when I create a client cert via this command: step ca certificate example.com --san example.com --san 10.0.50.10 eaxmple.com.crt example.com.key It seems fine, it creates the cert and we are all happy :P.

But now when I want to acces the the website with https it says the cert is not trusted. With that I tried using step certificate inspect https://example.com. I got following error: failed to connect: x509: certificate signed by unknown authority

But when i try step certificate inspect https://example.com --roots .step/certs/intermediate_ca.crt everything seems to be working great,

So why does my machine only trust the root ca and not the intermedia and if I need to trust the intermedia also why isnt it automatacly installed on the machine with: step ca bootstrap ?

[maraino]

You need to install your root certificate in your truststore. To do this you can run:

step certificate install ~/.step/certs/root_ca.crt

See the flags using step certificate install --help for the install options.

[NoobSpielt]

hmm. I only tried curl for that, but step certificate inspect --roots $(step path)/certs/root_ca.crt https://example.com didnt work either. Only with the intermedia cert.

[maraino]

Only with the intermedia cert.

Oh, then the problem is that the certificate served by your server should include the intermediate cert too.

When you do step ca certificate example.com example.crt example.key, the dot crt file includes both server certificate an intermediate, and that's what it should be use.

Check for example this:

step certificate inspect --format pem --bundle --short https://smallstep.com

-- it shows multiple intermediates

[NoobSpielt]

ahh so the crt for example.com should include the intermedia and the normal cert I see thanks for that.

But is there any way to skip that without installing the intermedia cert on any machine? I have 2 machines were it is not possible for me to include the intermedia.

[maraino]

If you cannot add the intermediate the only solution is to install also the intermediate into your truststore. But those machines are not really following the X.509 standard. They won't work if, for example, you want to open those to the internet using a public PKI.

It's also possible to generate leaf certificates from the root, so the intermediate is not necessary, but you cannot really do that with step-ca. You should use step certificate create for that.

[NoobSpielt]

Thank u very much for all that good information! It helped me really much ❤️