Removing "Smallstep CA Provisioner ID" X509 Extension from Certificate

[frank-park]

Is there any way to remove the "Smallstep CA Provisioner ID" extension (1.3.6.1.4.1.37476.9000.64.1) from the certificates being created by step-ca?

[hslatman]

Hey @frank-park, currently we don't support disabling the extension from being added. We rely on the value of the extension when a certificate is renewed via the /renew endpoint to load the right provisioner details for authorization. This method of renewal is used by our step CLI, so we would have to decide on how to handle renews in case the provisioner can't be (verifiably) loaded from the certificate.

We have an open issue tracking this functionality: #620. You can give it a thumbs-up and/or add your use case to it for more context.

What's the reason you would like the extension to not exist in the issued certificate? We're not marking it critical, so a compliant system should ignore the unknown extension. Of course in practice this may not be the case 😅

[frank-park]

The current PKI ecosystem that we are working with does not allow any other extensions except the ones specified in the policy. Unfortunately, this extension is not part of it and need to be removed in order for us to use smallstep.

This policy administrator and policy is part of the federal level regulation and cannot be negotiated.

Thanks for the feedback and I'll upvote.

[maraino]

Just mentioning here that there are a couple of PR addressing this discussion. Once merged, you will be able to disable the smallstep extensions per provisioner or globally.

• Add support for the disableSmallstepExtensions claim #1484
• Allow to disable smallstep extensions using the cli cli#986