maxhoesel-ansible/ansible-collection-smallstep

`step_ca_certificate`: add `state` parameter

maxhoesel opened this issue · 0 comments

Right now, the step_ca_certificate module simply calls step-cli without checking for any existing certificates.
This results in the following behavior:

  • If force is false: On the second run, step-cli asks for confirmation for overwriting the existing cert, causing the module to fail.
  • If force is true: The certificate is always overwritten, even when this is not needed.

Neither of these is really ideal from a user POV.
As a user, I would like the step_ca_certificate module to ensure that a valid certificate with the desired properties exists on the system, regardless of the underlying details.
Such a valid certificate must:

  • Be present at the given path
  • Have correct parameters, such as SANs
  • Be valid (not expired)

It should be step_ca_certificate's job to ensure that these conditions are met, whether that includes creating a new certificate or not.

I propose the following approach to accomplish this:

  • Introduce the serial_number parameter and other parameters from step_ca_revoke
  • Introduce the revoke_on_delete parameter
  • Introduce a state parameter with the following options:
    • present
      - If the certificate doesn't exist, is expired or has a SAN parameter mismatch, create a new certificate
      - Else, do nothing
    • revoked
      - Use either the path or the serial number and ensure that the given certificate is revoked.
    • absent
      - Delete the certificate from the system
        - If revoke_on_delete is true, revoke the certificate first
  • Change the force parameter behavior: Instead of passing force on the command line to replace existing files (which we pretty much always want given the above model), use of force with present will now generate a new certificate on every single run.

Implementing this feature would require a few steps:

  • Implement checks for certificate validity:
    • Exists
    • Parameters correct
    • Valid
  • Implement functionality for:
    • Revoke
    • Delete
    • Force behavior change
  • Implement tests to ensure correct behavior
  • Remove the step_ca_certificate_revoke module
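As an added illustration of the `present` checks listed above (exists, SANs match, not expired, plus the proposed `force` semantics), here is example code that is not part of the collection: `certificate_action` and `write_self_signed` are hypothetical helpers, it only compares DNS SANs, and it uses the `cryptography` package for parsing rather than calling step-cli.

```python
"""Decide whether state=present must issue a new certificate (hypothetical helper)."""
from datetime import datetime, timedelta, timezone
from pathlib import Path
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID


def certificate_action(path, desired_sans, force=False, now=None):
    """Return (needs_new_cert, reason) following the proposed 'present' logic.

    Order of checks: force -> file exists -> not expired -> SANs match.
    Only DNS SANs are compared here; order of SANs does not matter."""
    now = now or datetime.now(timezone.utc)
    if force:
        return True, "force=true: a new certificate is issued on every run"
    cert_path = Path(path)
    if not cert_path.is_file():
        return True, "certificate missing"
    cert = x509.load_pem_x509_certificate(cert_path.read_bytes())
    not_after = getattr(cert, "not_valid_after_utc", None)
    if not_after is None:  # cryptography < 42 exposes a naive UTC datetime
        not_after = cert.not_valid_after.replace(tzinfo=timezone.utc)
    if not_after <= now:
        return True, f"certificate expired at {not_after.isoformat()}"
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        have = set(ext.value.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        have = set()
    if have != set(desired_sans):
        return True, f"SAN mismatch: have {sorted(have)}, want {sorted(desired_sans)}"
    return False, "valid certificate with matching SANs already present"


def write_self_signed(path, sans, lifetime):
    """Constructed fixture: self-signed cert with the given DNS SANs and lifetime.
    A negative lifetime produces an already-expired certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, sans[0])])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1)).not_valid_after(now + lifetime)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]),
                           critical=False)
            .sign(key, hashes.SHA256()))
    Path(path).write_bytes(cert.public_bytes(serialization.Encoding.PEM))
```

The reason string is what the module could report in `check_mode`, so a second run with an unchanged, valid certificate reports no change.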