Using ACME to issue Sub CA certs

[alexmartinio]

This may be a strange use case.

Can we use step-ca as our Root CA and use the ACME protocol to submit a Sub CA signing request automatically?
For example:

Root CA (step-ca) > Sub CA 1 (Windows CA)
                  > Sub CA 2 (Windows CA)
                  > Sub CA 3 (Windows CA)

When setting up a Windows Subordinate CA you get the CSR, to be signed by the Root CA, this is what I'm wanting to know if we can use with the ACME protocol.

Looking to use the Ansible ACME modules to deploy Subordinate CAs automatically.

Thanks!

[dopey]

Hey @alexmartinio, thanks for opening a discussion!

Just want to make sure I understand your question. You basically want to sign Intermediate certificates using the ACME protocol. Is that right?

If so, great question. This is possible with step-ca but not quite in the way that you describe. We have a new concept called "templates" that were recently released. You can attach a template to a provisioner and then any certificate generated by that provisioner will pull in features/attributes from the template. Here's a blog post announcing the feature with some example use cases. We also have more in depth documentation that just hasn't been released yet.

Basically you'd have a template like this one:

{
	"subject": {{ toJson .Subject }},
	"keyUsage": ["certSign", "crlSign"],
	"basicConstraints": {
		"isCA": true,
		"maxPathLen": 0
	},
}

That always set the isCA property to true. You could then add something like:

{
	"subject": {{ toJson .Subject }},
	"keyUsage": ["certSign", "crlSign"],
	"basicConstraints": {
		"isCA": true,
		"maxPathLen": 0
	},
	{{/* All fields are optional, and all but "critical" can be a string or an array of strings */}}
	"nameConstraints": {
		"critical": true,
		"permittedDNSDomains": ["example.com"]
	}
}

So that any downstream certificates had to be subdomains of the subCA, if you wanted.

Careful using your CA to generate subCAs - especially with the ACME protocol. If I gain access to your infrastructure and manage to get an ACME cert I can then go and create my own certificates for anything I want. Using something like PermittedDNSDomains would help to quash some of those concerns.

[mmalone]

Welp, this question became my challenge for today. The answer seems to be that you can definitely sort of do this, but it's by no means streamlined and you're gonna need to really do your homework. As @dopey mentioned above, it's not strange so much as it is potentially dangerous.

You'll need to use certificate templates, and you should be aware that ACME is only doing domain validation and if you set this up naively (as my example does) anyone who can connect to your ACME CA will be able to get an intermediate signing certificate and use it to sign any leaf certificate(s) they want.

You can probably combine what I've done with the technique for filtering certificate requests by subject domain name in our certificate templates blog post.

Anyways, without further ado, here's an example of this working end-to-end: https://gist.github.com/mmalone/f461643e927f8fb7e8eafebf31a57a17

There are a bunch of caveats and limitations. I'm sure I'm missing some of them, but here are a few:

1. step-ca can only sign using its intermediate, not its root, so the only way to make this work (for now) is to have multiple intermediates (root -> ACME server intermediate -> ACME client intermediate -> leaf) with the second CA's signing cert signed by the first CA's intermediate.
2. When step-ca issues a leaf it expects there to be only one intermediate, so the certificate bundle it generates won't have both of the intermediates in it. I've solved this by using the "ACME server intermediate" as the root for the "ACME client intermediate", fetching the "real" root separately, and then manually appending the "ACME server intermediate" after obtaining a certificate.

This all feels very confusing and I'm pretty sure it's not going to make any sense. It may be better to just look at the code. I'm also happy to answer questions.

Final thought: what are you really trying to do here? Are you sure this is the right solution? Not saying it's not, but if you can share more details about your use case / requirements we may be able to suggest alternatives.

[alexmartinio]

Haha apologies for the challenging question! I realise you would never really want to do this in the real world (definitely potentially dangerous!).

So the scenario is, we have a demo environment with multiple labs. Each lab has its own Root certificate authority (currently Windows ADCS Root CA).

The biggest problem right now is that it's difficult to revoke all the issued certificates for a single lab.
What we want to be able to do is create a Root CA, outside of these labs. When bringing a lab up, get the Windows ADCS server to act as a Subordinate instead, passing its generated CSR to the Root outside and getting it signed. Then if the lab needs to be revoked, we can do the revocation from the Root CA side, (or higher up the chain).

Since this all needs to be done automagically I was looking to see if this could be achieved using the ACME protocol to sign each created Windows ADCS Subordinate.

So I think it might look something like this:

(A) Root CA (Step-CA) > (B) Sub CA (Step-CA Subordinate) > (C) Sub CA (Windows CA Subordinate) Lab 1 > (D) End-User Cert
                                                         > (C) Sub CA (Windows CA Subordinate) Lab 2 > (D) End-User Cert
                                                         > (C) Sub CA (Windows CA Subordinate) Lab 3 > (D) End-User Cert

If we want to revoke the Lab 1 for example, could we then ask (B) Sub CA to revoke the (C) Sub CA (Windows CA Subordinate) Lab 1 which will cause all the (D) End-User Certs to be untrusted? (assuming things check CRL lists)

[mmalone]

@alexmartinio ah, ok. Yes, and if this is just a demo environment and not super security-sensitive I feel a lot better about it! The gist I linked above does basically what you've described here, except instead of the Sub CA running ADCS it's just running another instance of step-ca. So if you poke around those scripts you should find all of the bits and pieces you need.

If you have any other questions or if the gist just doesn't make sense lemme know and I can try to clarify! Also happy to hop on a zoom or something if it's easier.