sunet-cdn/cdn-ops
2
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
cdn-ops/global/overlay/etc/puppet/modules/cdn/files/set-provisioner-pw
Patrik Lundin d9db9fee72
Add init script for setting provisioner file 
This is to deal with the problem that it makes sense to have a separate
passsword for encryption keys and the admin provisioner. It is currently
not possible to control this via the docker env flags so add this
workaround for now.
2024-10-08 12:35:41 +02:00

37 lines
2.3 KiB
Bash
Executable file
Raw Blame History

#!/bin/bash
# When initializing step-ca with the docker flag STEPCA_INIT_PASSWORD_FILE the
# password will be used both for key encryption as well as the admin "step"
# provisioner. If not using that flag a separate password will be generated for
# each usage. This seems better as you are not typing the encryption password
# any other time, while the provisioner password is used anytime you are
# managing things.
#
# This script is used on first setup of step-ca to modify the provisioner to
# use its own password instead. Pending
# https://github.com/smallstep/cli/pull/1294 you need to supply the new
# password by hand, see below for the commented out command.
# If we detect that the key-password is still valid for the provisioner change it.
if step ca admin list --admin-subject=step --admin-password-file=/opt/step-ca/init/secrets/key-password > /dev/null 2>&1; then
echo "admin provisioner still using encryption key password, changing it"
# Change the provisioner password
# https://smallstep.com/docs/step-ca/provisioners/#changing-a-jwk-provisioner-password
OLD_ENCRYPTED_KEY=$(step ca provisioner list | jq -r '.[] | select(.name == "admin").encryptedKey')
# Unfortunately not possible to supply --password-file to "crypto jwe encrypt" yet, pending https://github.com/smallstep/cli/pull/1294
#ENCRYPTED_KEY=$(echo $OLD_ENCRYPTED_KEY | step crypto jwe decrypt --password-file /opt/step-ca/init/secrets/key-password | step crypto jwe encrypt --alg PBES2-HS256+A128KW --password-file /opt/step-ca/init/secrets/provisioner-password | step crypto jose format)
ENCRYPTED_KEY=$(echo "$OLD_ENCRYPTED_KEY" | step crypto jwe decrypt --password-file /opt/step-ca/init/secrets/key-password | step crypto jwe encrypt --alg PBES2-HS256+A128KW | step crypto jose format)
step ca provisioner update admin --private-key=<(echo -n "$ENCRYPTED_KEY") --admin-subject=step --admin-password-file=/opt/step-ca/init/secrets/key-password
# Now verify that we can use the expected password for the admin provisioner
if ! step ca admin list --admin-subject=step --admin-password-file=/opt/step-ca/init/secrets/provisioner-password > /dev/null 2>&1; then
echo "tried updating provisioner password but it does not work!"
exit 1
fi
else
echo "admin provisioner not using encryption key password, doing nothing"
fi
Reference in a new issue View git blame Copy permalink