Customize TLS default cipher suite and key type

[himdeeppathak]

For my non-prod environment, while initializing CA, I would like to use different Key Types and Ciphers(https://smallstep.com/docs/step-ca/certificate-authority-server-production/#key-types-and-ciphers) instead of defaults
I would like to use
key type RSA instead of default ECDSA and
Non-EC/non-ephemeral ciphers (TLS_RSA_WITH_AES_128_GCM_SHA256) instead of
default "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"

How can I achieve it?

[tashian]

For the CA key type, we don't support initializing a CA with RSA root and intermediate. You'll need to create your own root and intermediate RSA keys and certificates, and replace the ones that are generated automatically by step ca init. You can just shut down the server, replace those four files with your own, and restart the server.

You can generate the RSA root and intermediate with these commands:

# Create root
step certificate create root-ca root-ca.crt root-ca.key \
  --kty RSA --profile root-ca
# Create intermediate and sign it with root
step certificate create root-ca intermediate-ca.crt intermediate-ca.key \
  --kty RSA --profile intermediate-ca --ca root-ca.crt --ca-key root-ca.key

Then, when you request certificates with step ca certificate, you'll need to add --kty RSA or set STEP_KTY=rsa.

As for the TLS cipher suites, you can change the cipher suits that step CA uses under the tls section of the CA configuration file. See our Configuration page for a full config file example that shows the structure of the JSON.