I am using the Docker images for step-ca, and in that regard it will automatically set up `--remote-management`, which puts a JWK with the `encryptedKey` into the provisioners. I'm no expert in JWT, but say I wanted to reverse-proxy connections from the internet to the CA according to the production considerations in https://smallstep.com/docs/step-ca/certificate-authority-server-production/#run-a-reverse-proxy. Wouldn't it be something that anyone could fetch and start cracking away at? Mind you that admin endpoints are not exposed and the password is very secure (brute-forcing unfeasible at the moment, but if Moore's law holds, eventually it will not be). Or am I just paranoid, and this is normal practice?
Replies: 1 comment
Hi @ch0wm3in, you're right that someone could start cracking the `encryptedKey`, but you can remove it from the provisioner as long as you provide it on the client side every time it's required. It's provided for convenience. Here's some docs on that: https://smallstep.com/docs/step-ca/provisioners/#removing-the-encrypted-private-key-from-a-jwk-provisioner.

That said, in our general production considerations we mention to use strong passwords, which, as you mentioned, should protect you from the key getting decrypted: https://smallstep.com/docs/step-ca/certificate-authority-server-production/#use-strong-passwords-and-store-them-well.
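As an added illustration of the reply above (example code written for this page, not smallstep's own tooling): the `encryptedKey` that step-ca stores on a JWK provisioner is a compact JWE (RFC 7516, five base64url segments) whose protected header names the password-based algorithm and the PBKDF2 iteration count `p2c`, so anyone who can read the provisioner list can see exactly what they would be cracking against. The script below walks the `authority.provisioners` array of a `ca.json`, reports which JWK provisioners carry the field and with what parameters, and produces a copy with the field removed, which is what the reply suggests when the client supplies the key itself. The sample config, the JWK coordinates, the salt and the four non-header JWE segments are all constructed filler, not real key material, and the `p2c` value is a made-up sample rather than step-ca's default.

```python
"""Audit step-ca JWK provisioners for an embedded `encryptedKey`.

Added example; not code from smallstep. Assumes the ca.json layout
`authority.provisioners[]` with `type: "JWK"` and an optional
`encryptedKey` holding a compact JWE (header.key.iv.ciphertext.tag).
"""
import base64
import copy
import json


def b64url_decode(segment: str) -> bytes:
    # JWE segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwe_protected_header(compact: str) -> dict:
    """Return the protected header of a compact JWE as a dict."""
    parts = compact.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE: expected 5 dot-separated segments")
    return json.loads(b64url_decode(parts[0]))


def audit_provisioners(ca_config: dict) -> list[dict]:
    """List JWK provisioners and, where an encryptedKey is present,
    the algorithm and PBKDF2 iteration count an offline guesser faces."""
    findings = []
    for prov in ca_config.get("authority", {}).get("provisioners", []):
        if prov.get("type") != "JWK":
            continue
        encrypted = prov.get("encryptedKey")
        if not encrypted:
            findings.append({"name": prov["name"], "exposed": False})
            continue
        hdr = jwe_protected_header(encrypted)
        findings.append({
            "name": prov["name"],
            "exposed": True,
            "alg": hdr.get("alg"),   # PBES2 variant wrapping the content key
            "enc": hdr.get("enc"),   # cipher protecting the private key itself
            "p2c": hdr.get("p2c"),   # PBKDF2 iterations: the only cost knob
        })
    return findings


def strip_encrypted_keys(ca_config: dict) -> dict:
    """Return a copy of the config with encryptedKey removed from every
    JWK provisioner; the original dict is left untouched."""
    hardened = copy.deepcopy(ca_config)
    for prov in hardened.get("authority", {}).get("provisioners", []):
        if prov.get("type") == "JWK":
            prov.pop("encryptedKey", None)
    return hardened


# --- constructed sample input (not real key material) -----------------------
_SAMPLE_HEADER = base64.urlsafe_b64encode(json.dumps({
    "alg": "PBES2-HS256+A128KW",
    "enc": "A256GCM",
    "p2c": 100000,          # sample iteration count, chosen for this example
    "p2s": "c2FtcGxlc2FsdA",  # base64url("samplesalt"), constructed
}).encode()).rstrip(b"=").decode()

# Remaining segments are filler of plausible length, not a decryptable JWE.
SAMPLE_ENCRYPTED_KEY = ".".join([
    _SAMPLE_HEADER,
    "A" * 54,   # wrapped content-encryption key
    "A" * 16,   # IV
    "A" * 160,  # ciphertext (would hold the JWK private key)
    "A" * 22,   # GCM tag
])

SAMPLE_CA_JSON = {
    "authority": {
        "provisioners": [
            {
                "type": "JWK",
                "name": "admin",
                "key": {"kty": "EC", "crv": "P-256",
                        "x": "c2FtcGxlLXg", "y": "c2FtcGxlLXk"},  # constructed
                "encryptedKey": SAMPLE_ENCRYPTED_KEY,
            },
            {"type": "ACME", "name": "acme"},
        ]
    }
}


if __name__ == "__main__":
    for finding in audit_provisioners(SAMPLE_CA_JSON):
        print(finding)
    print(json.dumps(strip_encrypted_keys(SAMPLE_CA_JSON), indent=2))
```

Two caveats for anyone applying this to a real deployment. First, with `--remote-management` enabled, as in the question, provisioners are kept in the CA's database rather than in `ca.json`, so the field has to be changed through the admin API rather than by editing the file; the audit half still works on any config you dump. Second, once the field is gone, every client needs the provisioner's private key locally (for example via `--key` on `step ca token`), which moves the cracking target off the public CA endpoint and onto however you distribute that file.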