From c3671ad867cbe4966753d9132f18f54e408c6a95 Mon Sep 17 00:00:00 2001
From: Omkar Gajare
Date: Tue, 12 May 2026 00:03:54 +0530
Subject: [PATCH 1/2] Add --token-file flag to step ca certificate

---
 CHANGELOG.md | 1 +
 command/ca/certificate.go | 20 ++++++++++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 86ae0c82f..275ffaa84 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
+- Add `--token-file` flag to `step ca certificate` to read the token from a file.
 - Support for inspecting certificates with post-quantum algorithms ML-DSA and SLH-DSA (smallstep/certinfo#69).
diff --git a/command/ca/certificate.go b/command/ca/certificate.go
index 74ea4db94..47a92b7fe 100644
--- a/command/ca/certificate.go
+++ b/command/ca/certificate.go
@@ -15,6 +15,7 @@ import (
 "github.com/smallstep/cli/flags"
 "github.com/smallstep/cli/token"
+ "github.com/smallstep/cli/utils"
 "github.com/smallstep/cli/utils/cautils"
 )
@@ -182,6 +183,10 @@ multiple SANs. The '--san' flag and the '--token' flag are mutually exclusive.`,
 Usage: "The directory where TPM keys and certificates will be stored",
 Value: filepath.Join(step.Path(), "tpm"),
 },
+ cli.StringFlag{
+ Name: "token-file",
+ Usage: "The path to a containing the one time token.",
+ },
 flags.TemplateSet,
 flags.TemplateSetFile,
 flags.CaConfig,
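Review bot: The new flag's help text in the `@@ -182,6 +183,10 @@` hunk is missing a word: `Usage: "The path to a containing the one time token.",` should read `Usage: "The path to a file containing the one time token.",`. PATCH 2's rewrite of the same Usage line in the `@@ -185,7 +185,7 @@` hunk keeps the same wording and needs the same correction. This is the text users see in `step ca certificate --help`, so it is worth fixing before merge. The flag list continues outside the hunk.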
@@ -232,14 +237,17 @@ func certificateAction(ctx *cli.Context) error {
 crtFile, keyFile := args.Get(1), args.Get(2)
 tok := ctx.String("token")
+ tokenFile := ctx.String("token-file")
 offline := ctx.Bool("offline")
 sans := ctx.StringSlice("san")
 switch {
+ case tok != "" && tokenFile != "":
+ return errs.IncompatibleFlagWithFlag(ctx, "token", "token-file")
 case offline && tok != "":
- // offline and token are incompatible because the token is generated before
- // the start of the offline CA.
 return errs.IncompatibleFlagWithFlag(ctx, "offline", "token")
+ case offline && tokenFile != "":
+ return errs.IncompatibleFlagWithFlag(ctx, "offline", "token-file")
 case ctx.String("attestation-uri") != "" && ctx.String("kms") != "":
 // attestation-uri and kms are incompatible because the ACME-DA flow
 // expects all necessary parameters in the attestation-uri, and having
@@ -247,6 +255,14 @@ func certificateAction(ctx *cli.Context) error {
 return errs.IncompatibleFlagWithFlag(ctx, "attestation-uri", "kms")
 }
+ if tokenFile != "" {
+ b, err := utils.ReadFile(tokenFile)
+ if err != nil {
+ return err
+ }
+ tok = strings.TrimSpace(string(b))
+ }
 // certificate flow unifies online and offline flows on a single api
 flow, err := cautils.NewCertificateFlow(ctx)
 if err != nil {
From 37ee56cb3d96d247ed1a93fb14c65b1bca642afc Mon Sep 17 00:00:00 2001
From: Omkar Gajare
Date: Tue, 12 May 2026 00:18:10 +0530
Subject: [PATCH 2/2] documentation fix for --token-file not being clearly stated as mutally exclusive
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 command/ca/certificate.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/command/ca/certificate.go b/command/ca/certificate.go
index 47a92b7fe..6cff12932 100644
--- a/command/ca/certificate.go
+++ b/command/ca/certificate.go
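Review bot: The `case offline && tok != "":` branch in the `@@ -232,14 +237,17 @@` hunk loses its explanatory comment (`// offline and token are incompatible because the token is generated before the start of the offline CA.`) without a replacement, and the new `case offline && tokenFile != "":` branch, which exists for the same reason, gets none either. I would restore it once above the two `offline` cases, e.g. `// offline is incompatible with --token and --token-file because the token is generated before the start of the offline CA.`, so the next reader does not have to rediscover why both are rejected. The remaining cases of the switch and the rest of certificateAction continue outside the hunk.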
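Review bot: In the `@@ -247,6 +255,14 @@` hunk a token file that is empty or whitespace-only leaves `tok` equal to `""` after `strings.TrimSpace`, so the command proceeds as though no `--token-file` had been given instead of reporting the problem; I would add `if tok == "" { return fmt.Errorf("token file %q is empty", tokenFile) }` after the trim (using the file's own error helper if `fmt` is not imported here). The bare `return err` on the read also drops the path, so wrapping it, e.g. `return fmt.Errorf("reading token file %q: %w", tokenFile, err)`, makes a mistyped path easier to diagnose. Keeping the token out of the `--token` argument is what keeps it out of process listings and shell history, which is the point of this flag, so only the file path and never the token contents should appear in such messages. certificateAction continues outside the hunk.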
@@ -185,7 +185,7 @@ multiple SANs. The '--san' flag and the '--token' flag are mutually exclusive.`,
 },
 cli.StringFlag{
 Name: "token-file",
- Usage: "The path to a containing the one time token.",
+ Usage: "The path to a containing the one time token. Mutually exclusive with '--token' and '--offline'; for JWK tokens it is effectively incompatible with '--san' because SANs are taken from the token.",
 },
 flags.TemplateSet,
 flags.TemplateSetFile,
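Review bot: The rewritten `Usage` string says `--token-file` is "effectively incompatible with '--san'", but the switch in certificateAction that PATCH 1 extends gains cases only for `--token`/`--token-file` and `--offline`/`--token-file`; no `tokenFile != "" && len(sans) > 0` case is visible there. If the existing `--san`/`--token` check is enforced downstream on `tok`, it will also cover the file-sourced token because `tok` is overwritten before `cautils.NewCertificateFlow` is called, in which case the help text is accurate; if that check keys on `ctx.String("token")` instead, a `case tokenFile != "" && len(sans) > 0: return errs.IncompatibleFlagWithFlag(ctx, "token-file", "san")` would make the code match the documentation — worth confirming before relying on the wording. The flag definition continues outside the hunk.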