Step-CA: Change Certificate Authority and Intermediate Authority Encryption type and key size

Step-CA is a decent CA management program, but it has one issue: it's annoying to set the algorithm on the CA and intermediate CA. So I spent the day figuring it out. Here are the results.

Choosing the Right Key Type

There are three supported key types: EC (elliptic curve), OKP (octet key pair, used for the Ed25519 curve), and RSA (Rivest-Shamir-Adleman). The type is selected with the --kty parameter. For EC and OKP you choose a curve with --crv; the values are P-256 (NIST P-256 Curve), P-384 (NIST P-384 Curve), P-521 (NIST P-521 Curve), and Ed25519 (Ed25519 Curve). For RSA and oct keys you choose a key size in bits with --size. In my example, I used RSA with 16384 and 8192 bit key sizes.

ECC vs RSA

I chose to go with RSA with a very large key size for my rollout of my CA. Some might ask why? It's a "legacy" protocol and everyone is moving to Elliptic Curve. Well, there are many reasons, but the reason I chose RSA was quantum computers. RSA is more secure against quantum computers mainly because of its key size. See, the qubits required to crack RSA keys are estimated to be 2 x bits, while ECC is roughly 6 x bits. This means that ECC is harder to crack (but not foolproof), but because its key sizes are much smaller, the advantage goes away. See this table:

| RSA key length (bits) | Qubits | ECC key length (bits) | Qubits |
|-----------------------|--------|-----------------------|--------|
| 1024                  | 2048   | 163                   | 1000   |
| 2048                  | 4096   | 224                   | 1300   |
| 3072                  | 6144   | 256                   | 1500   |
| 4096                  | 8192   | 383                   | 2300   |
| 15360                 | 30720  | 512                   | 3000   |

There are other reasons I chose not to go with ECC, for example its ultra-reliance on primes and the scandals around number generators that I won’t get into.

But please don't take my words as gospel. ECC has many advantages that cannot be understated, like its speed for key generation, use, etc. There are endless fights about what is best. Both are deemed secure by NIST and the NSA. For their recommendations, see this website: https://www.keylength.com/. I am eagerly waiting for the NIST post-quantum results on the new standards for encryption and signing built to be hardened against quantum computers, but until then, we will only have these choices. My only recommendation is, whatever the standard is for the time, go a step or two above. For example, RSA 3072 is the recommended RSA key size with 2048 being the minimum; I'd deploy with an RSA 4096 or 8192 key size for better longevity. ECC 383/384 is the recommended size while 256 is the minimum; I'd use 512/521 if deploying fresh. You never know how long a system will be in play for.


Change the CA Algorithm

To start with, follow the instructions on the Smallstep website to install step-ca, then follow their getting-started instructions for initializing the CA.


Change CA

Notes:

  • I am running this server on Arch, so my commands are slightly different: step is replaced with step-cli and step ca is replaced with step-ca.
  • The password field for the key seems to be sensitive to some characters. In my testing, a semicolon (;) caused the key to not work properly.
  • The hashing algorithm appears to be hard-coded and cannot be changed. RSA is SHA256 and EC looks to be SHA384, but it could also be SHA256. You can do it in something like openssl and then import the CAs: https://smallstep.com/docs/tutorials/intermediate-ca-new-ca


Generating a New CA

There are two ways to generate a new CA: with step itself, or with openssl, which gives you a few more options (hash algorithm, validity time, etc.) but is full of landmines that you will step on and that will ruin your day.

With step

step-cli certificate create --profile root-ca --kty RSA --size 16384 \
'Your CA' $(step-cli path)/certs/root_ca.crt $(step-cli path)/secrets/root_ca_key

With openssl

openssl genrsa -aes256 -out $(step-cli path)/secrets/root_ca_key 16384
openssl req -x509 -new -nodes -key $(step-cli path)/secrets/root_ca_key -sha3-512 -days 3650 -out $(step-cli path)/certs/root_ca.crt

Generate Intermediate CA

With step

step-cli certificate create --profile intermediate-ca --kty RSA --size 8192 \
--ca $(step-cli path)/certs/root_ca.crt --ca-key $(step-cli path)/secrets/root_ca_key 'Your Intermediate CA' $(step-cli path)/certs/intermediate_ca.crt $(step-cli path)/secrets/intermediate_ca_key

With openssl (you’re going to have a bad time)

#gen the key
openssl genrsa -aes256 -out intermediate_ca_key 8192

#gen cert request
openssl req -new -sha3-512 -key intermediate_ca_key -out intermediate_ca.csr

#fulfill cert request (openssl ca reads the CA_default section of openssl.cnf and needs its
#database files, index.txt and serial, to exist; -outdir is where the signed copy is written)
openssl ca -extensions v3_ca -days 3650 -md sha3-512 -cert $(step-cli path)/certs/root_ca.crt -keyfile $(step-cli path)/secrets/root_ca_key -in intermediate_ca.csr -out intermediate_ca.cer -outdir /home/step/

#move the generated cert and key to step (ca.json references certs/intermediate_ca.crt)
mv intermediate_ca_key $(step-cli path)/secrets/intermediate_ca_key
mv intermediate_ca.cer $(step-cli path)/certs/intermediate_ca.crt

Restart the service and you are good to go.
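As an added example (not code from the original post or from Smallstep), the script below does the openssl root and intermediate steps above end to end, but signs the intermediate CSR with openssl x509 -req instead of openssl ca, so the index.txt/serial database is not needed, and then reports what actually landed in the files. It assumes openssl 1.1.1 or newer on PATH; the output directory, subject names and passphrase are placeholders (on the author's setup the directory would be $(step-cli path)).

```shell
#!/bin/sh
# Added example, not from the original post: root + intermediate with openssl using a
# self-contained config, then checks of key size, signature algorithm and chain.
# Assumes openssl >= 1.1.1; OUTDIR, subjects and the passphrase are placeholders.
set -eu

# make_ca_pair OUTDIR ROOT_BITS INT_BITS DIGEST PASSPHRASE   (e.g. 16384 8192 sha3-512)
make_ca_pair() {
  out=$1 root_bits=$2 int_bits=$3 digest=$4 pass=$5
  mkdir -p "$out"
  # Minimal config: a dn section (openssl req insists on one) plus the two CA
  # extension sets that play the role of the distro openssl.cnf's v3_ca section.
  cat > "$out/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # Root key (encrypted, like the post's genrsa -aes256) and self-signed root cert.
  openssl genrsa -aes256 -passout "pass:$pass" -out "$out/root_ca_key" "$root_bits" 2>/dev/null
  openssl req -x509 -new -config "$out/ca.cnf" -extensions v3_root -key "$out/root_ca_key" \
    -passin "pass:$pass" "-$digest" -days 3650 -subj "/CN=Your CA" -out "$out/root_ca.crt"
  # Intermediate key and CSR, then sign the CSR with the root key (no openssl ca database).
  openssl genrsa -aes256 -passout "pass:$pass" -out "$out/intermediate_ca_key" "$int_bits" 2>/dev/null
  openssl req -new -config "$out/ca.cnf" -key "$out/intermediate_ca_key" -passin "pass:$pass" \
    "-$digest" -subj "/CN=Your Intermediate CA" -out "$out/intermediate_ca.csr"
  openssl x509 -req -in "$out/intermediate_ca.csr" -CA "$out/root_ca.crt" -CAkey "$out/root_ca_key" \
    -passin "pass:$pass" -CAcreateserial "-$digest" -days 3650 -extfile "$out/ca.cnf" \
    -extensions v3_int -out "$out/intermediate_ca.crt" 2>/dev/null
}

# Key size in bits of the certificate's public key (matches 1.1.1 and 3.x text output).
cert_key_bits() { openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }
# Signature algorithm recorded in the certificate, e.g. sha256WithRSAEncryption or RSA-SHA3-512.
cert_sig_alg() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }
# Succeeds only if the intermediate verifies against the root.
chain_ok() { openssl verify -CAfile "$1/root_ca.crt" "$1/intermediate_ca.crt" >/dev/null; }
```

Run make_ca_pair with the post's sizes and digest, then check the three functions before copying the files into $(step-cli path)/certs and /secrets and restarting step-ca.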


About: Ryan Parker

I'm a former captain of the Cyber Defense team and currently an Infrastructure Security Specialist. I also have a side job helping small to medium businesses with anything technology, doing everything imaginable. One of my hobbies is building out infrastructures for myself, friends, and clients. I currently maintain a homelab with about 2TB of RAM, 180+ TB of storage, tons of CPU cores, and a 100gbit networking backbone.
