Configure step-ca with an RSA certificate chain



Some legacy applications require a certificate chain that uses RSA keys, but step ca init creates a PKI that uses ECDSA keys by default. In this tutorial, you will replace the default ECDSA chain with an RSA chain.

First, stop your step-ca server if it is running.

Next, delete your existing PKI and create RSA root and intermediate certificates and keys. This step will overwrite your existing CA.

step certificate create "Example Root CA" \ $(step path)/certs/root_ca.crt \ $(step path)/secrets/root_ca_key \ --profile root-ca \ --kty RSA step certificate create "Example Intermediate CA" \ $(step path)/certs/intermediate_ca.crt \ $(step path)/secrets/intermediate_ca_key \ --profile intermediate-ca \ --ca $(step path)/certs/root_ca.crt \ --ca-key $(step path)/secrets/root_ca_key \ --kty RSA

Change the certificate subject names as desired. You'll be prompted to supply a password to encrypt your private keys.

You can now restart step-ca server.