diff --git a/step-ca/cryptographic-protection.mdx b/step-ca/cryptographic-protection.mdx index fdb1c893..54fd0050 100644 --- a/step-ca/cryptographic-protection.mdx +++ b/step-ca/cryptographic-protection.mdx @@ -2,7 +2,7 @@ title: Cryptographic Protection html_title: Secure Cryptographic Key Protection Methods description: Secure private keys in step-ca deployments. Hardware security modules, key management, and cryptographic best practices for enterprise PKI. -updated_at: September 17, 2025 +updated_at: February 02, 2026 --- By default, `step-ca` stores its signing keys encrypted on disk. @@ -74,8 +74,7 @@ Now, let's sign a root CA certificate based on the the key you just created. Sub ```shell nocopy $ step certificate create --profile root-ca \ - --kms 'cloudkms:' \ - --key 'projects/smallstep/locations/global/keyRings/step-ca/cryptoKeys/root/cryptoKeyVersions/1' \ + --key 'cloudkms:projects/smallstep/locations/global/keyRings/step-ca/cryptoKeys/root/cryptoKeyVersions/1' \ "Smallstep Root CA" root_ca.crt ``` @@ -91,11 +90,10 @@ Great. Next, repeat the process for the Intermediate CA: $ step kms create --json --kms 'cloudkms:' \ 'projects/smallstep/locations/global/keyRings/step-ca/cryptoKeys/intermediate' $ step certificate create --profile intermediate-ca \ - --kms 'cloudkms:' \ --ca-kms 'cloudkms:' \ --ca root_ca.crt \ --ca-key 'projects/smallstep/locations/global/keyRings/step-ca/cryptoKeys/root/cryptoKeyVersions/1' \ - --key 'projects/smallstep/locations/global/keyRings/step-ca/cryptoKeys/intermediate/cryptoKeyVersions/1' \ + --key 'cloudkms:projects/smallstep/locations/global/keyRings/step-ca/cryptoKeys/intermediate/cryptoKeyVersions/1' \ "Smallstep Intermediate CA" intermediate_ca.crt ``` 
@@ -230,8 +228,7 @@ Now, let's sign a root CA certificate based on the the key you just created. Sub ```shell nocopy $ step certificate create --profile root-ca \ - --kms 'awskms:region=us-east-2' \ - --key 'awskms:key-id=78980acd-a42d-4d84-97ba-1e50d3082214' \ + --key 'awskms:region=us-east-2;key-id=78980acd-a42d-4d84-97ba-1e50d3082214' \ "Smallstep Root CA" root_ca.crt ``` @@ -246,11 +243,10 @@ Great. Next, we'll repeat the process for the Intermediate CA: ```shell nocopy $ step kms create --json --kms 'awskms:region=us-east-2' intermediate-ca $ step certificate create --profile intermediate-ca \ - --kms 'awskms:region=us-east-2' \ --ca-kms 'awskms:region=us-east-2' \ --ca root_ca.crt \ --ca-key 'awskms:key-id=78980acd-a42d-4d84-97ba-1e50d3082214' \ - --key 'awskms:key-id=9432458d-1e67-4a74-9a23-8f94708b45fe' \ + --key 'awskms:region=us-east-2;key-id=9432458d-1e67-4a74-9a23-8f94708b45fe' \ "Smallstep Intermediate CA" intermediate_ca.crt ``` @@ -483,7 +479,7 @@ Now, let's sign a root CA certificate based on the the key you just created. Sub ```shell nocopy $ step certificate create --profile root-ca \ - --kms "$PKCS_URI" + --kms "$PKCS_URI" \ --key "pkcs11:id=7331;object=root-ca" \ "Smallstep Root CA" root_ca.crt ``` @@ -626,7 +622,6 @@ and sign an Intermediate CA certificate: ```shell nocopy $ step kms create --json 'tpmkms:name=my-intermediate-ca' $ step certificate create --profile intermediate-ca \ - --kms 'tpmkms:' \ --ca root_ca.crt \ --ca-key root_ca.key \ --key 'tpmkms:name=my-intermediate-ca' \ @@ -725,8 +720,7 @@ Now, let's sign a root CA certificate based on the the key you just created. Sub ```shell nocopy $ step certificate create --profile root-ca \ - --kms 'yubikey:pin-value=123456' \ - --key 'yubikey:slot-id=82' \ + --key 'yubikey:slot-id=82?pin-value=123456' \ "Smallstep Root CA" root_ca.crt ``` 
@@ -743,11 +737,10 @@ Great. Next, we'll repeat the process for the Intermediate CA: ```shell nocopy $ step kms create --json 'yubikey:slot-id=83' $ step certificate create --profile intermediate-ca \ - --kms 'yubikey:pin-value=123456' \ --ca-kms 'yubikey:pin-value=123456' \ --ca root_ca.crt \ --ca-key 'yubikey:slot-id=82' \ - --key 'yubikey:slot-id=83' \ + --key 'yubikey:slot-id=83?pin-value=123456' \ "Smallstep Intermediate CA" intermediate_ca.crt ```
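Review bot: the `@@ -74,8` hunk's context line `based on the the key you just created` carries a doubled "the" that this change leaves in place; the same sentence heads the `@@ -230`, `@@ -483` and `@@ -725` hunks, so fix it in all four sections while these lines are being edited. The change itself, collapsing `--kms 'cloudkms:'` into `--key 'cloudkms:projects/.../root/cryptoKeyVersions/1'`, reads fine.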
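Review bot: in the `@@ -91,11` hunk, `--key` now carries the `cloudkms:` scheme while `--ca-key 'projects/smallstep/locations/global/keyRings/step-ca/cryptoKeys/root/cryptoKeyVersions/1'` stays scheme-less and still depends on `--ca-kms 'cloudkms:'`, and two lines above `step kms create --json --kms 'cloudkms:'` keeps `--kms`. Either give `--ca-key` the same `cloudkms:` prefix (if `--ca-key` accepts that form, `--ca-kms` could then go as well) or add a sentence to the surrounding prose saying that only the signing-key `--kms` was dropped; as written, a reader cannot tell which flags still need the scheme.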
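Review bot: the `@@ -230,8` hunk folds the region into the key URI with a `;` separator, `--key 'awskms:region=us-east-2;key-id=78980acd-a42d-4d84-97ba-1e50d3082214'`, but nothing in the section states that `;` is the separator for this URI form, and the yubikey section of the same patch uses `?` instead. One sentence next to the first `awskms:` URI naming the `;` syntax would stop readers guessing between the two.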
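Review bot: in the `@@ -246,11` hunk, `--ca-key 'awskms:key-id=78980acd-a42d-4d84-97ba-1e50d3082214'` has no region and relies on `--ca-kms 'awskms:region=us-east-2'`, while `--key` now spells the region out inline; the region is therefore given twice in one command in two different ways. Either write `--ca-key` in the same `region=...;key-id=...` form (if `--ca-key` accepts it) or say in the prose why the CA key keeps the split form.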
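Review bot: the added `\` after `--kms "$PKCS_URI"` in the `@@ -483,7` hunk is a genuine fix; without it the shell ran `step certificate create --profile root-ca --kms "$PKCS_URI"` on its own and then tried to execute `--key "pkcs11:id=7331;object=root-ca"` as a separate command. Since every other section in this patch drops `--kms` in favour of a scheme-prefixed `--key`, the pkcs11 prose should say why this section keeps both `--kms "$PKCS_URI"` and `--key "pkcs11:..."` (whatever `$PKCS_URI` carries that the `--key` URI cannot); otherwise the inconsistency looks like an oversight.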
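Review bot: in the `@@ -725,8` hunk the PIN moves into the key URI as a query string, `--key 'yubikey:slot-id=82?pin-value=123456'`; this is the only section on the page using `?` (awskms uses `;`), so the yubikey text should state the `?` syntax explicitly. It is also worth one sentence saying that the PIN is now part of the key URI (and so, as before, of the command line and shell history) and that `123456` is the YubiKey factory-default PIV PIN, to be replaced in a real deployment.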
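Review bot: in the `@@ -743,11` hunk the same command now shows two URI syntaxes for the same token: `--ca-kms 'yubikey:pin-value=123456'` with `--ca-key 'yubikey:slot-id=82'` keeps the old split form, while `--key 'yubikey:slot-id=83?pin-value=123456'` uses the new combined form. Either move the PIN into `--ca-key` as `yubikey:slot-id=82?pin-value=123456` and drop `--ca-kms` (if `--ca-key` accepts that form) or explain in the prose why the CA key is handled differently.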