
Deprecate Linked CA functionality#2554

Open
tashian wants to merge 4 commits into master from deprecate-linked-ca

Conversation

tashian (Contributor) commented Jan 29, 2026

Summary

  • Add deprecation warnings when Linked CA features are used
  • Add step-ca export --token flag to export from linked CAs
  • Add step-ca import command to import provisioners and admins into standalone CA
  • Existing Linked CAs continue to work but show warnings

Changes

Deprecation Warnings

  • authority/authority.go: Warning when linkedCAToken is initialized
  • commands/app.go: Warning when --token flag is used at startup
  • CHANGELOG.md: Added deprecation notice

Migration Tools

  • commands/export.go: Add --token flag to fetch provisioners/admins from linked CA cloud storage
  • commands/import.go: New command to import provisioners and admins from export file into standalone CA database
    • Automatic ID remapping for provisioners and admins
    • Duplicate detection (skips existing provisioners by name, admins by subject)
    • --dry-run flag to preview changes without modifying the database

Migration Workflow

# 1. Export from linked CA (while CA is running)
step-ca export $(step path)/config/ca.json --token $STEP_CA_TOKEN > export.json

# 2. Stop the CA

# 3. Update ca.json:
#    - Remove the authority.linkedca section
#    - Ensure authority.enableAdmin: true
#    - Ensure db is configured

# 4. Import provisioners and admins
step-ca import $(step path)/config/ca.json export.json

# 5. Start the CA without --token
step-ca $(step path)/config/ca.json

Behavior Summary

Scenario                                 Before                            After
step ca init --deployment-type=linked    Creates linked CA                 Returns error with migration guidance
step-ca --token=xxx (existing)           Works silently                    Works but shows deprecation warning
Interactive step ca init                 Shows Standalone/Linked/Hosted    Shows Standalone/Hosted only
RA mode with linked                      Allowed                           Now only standalone is valid for RA

Context

This is phase 1 of removing Linked CA from open-source step-ca. The linked deployment type is moving to Step CA Pro.

  • Release N (this PR): Add deprecation warnings, migration tools, existing linked CAs continue to work
  • Release N+2 or N+3: Remove linked CA code entirely

Related CLI PR: smallstep/cli#1559

Test plan

  • make build passes
  • make test passes (4843 tests)
  • make lint passes (no new issues)
  • Manual test: step-ca --token=xxx shows deprecation warning but continues to work
  • Manual test: step-ca export --token exports linked CA provisioners
  • Manual test: step-ca import imports provisioners into standalone CA

🤖 Generated with Claude Code
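The import step the description above summarizes (fresh IDs for imported records, duplicate detection by provisioner name and admin subject, a --dry-run that touches nothing), written out as an added Go example. It is not step-ca's code: the record types, the ID format, the JSON layout of export.json and the in-memory DB are all assumptions for illustration, and the sample export is constructed. It also carries the one check a practitioner will want that the summary does not spell out: an admin's provisionerId has to be rewritten through the same old-to-new ID map (and must follow the existing provisioner when the exported one is skipped as a duplicate), and an admin whose provisioner was never exported is refused rather than imported as an unusable account.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Illustrative record types, not the linkedca protobuf types step-ca uses; encoding/json
// matches keys such as "provisionerId" case-insensitively, so no struct tags are needed.
type Provisioner struct{ ID, Name, Type string }
type Admin struct{ ID, Subject, ProvisionerID, Type string }
type Export struct {
	Provisioners []Provisioner
	Admins       []Admin
}

// DB stands in for the standalone CA's admin database (assumed shape).
type DB struct {
	Provisioners []Provisioner
	Admins       []Admin
	nextID       int
}

type ImportResult struct {
	ProvAdded, ProvSkipped, AdmAdded, AdmSkipped int
	Errors                                       []string
}

// Import merges an export into db: provisioners dedup by name, admins by subject, each
// imported record gets a fresh ID, and admin.ProvisionerID is rewritten through the same
// old->new map (so it follows the existing provisioner when the exported one is skipped).
// With dryRun set, db is left untouched and only the summary is returned.
func Import(db *DB, raw []byte, dryRun bool) (ImportResult, error) {
	var exp Export
	if err := json.Unmarshal(raw, &exp); err != nil {
		return ImportResult{}, fmt.Errorf("parse export: %w", err)
	}
	var res ImportResult
	n := db.nextID // local counter: a dry run mints IDs without touching db
	mint := func(prefix string) string { n++; return fmt.Sprintf("%s-%04d", prefix, n) }
	idMap := map[string]string{} // old provisioner ID -> ID in the target database
	byName, bySubject := map[string]string{}, map[string]bool{}
	for _, p := range db.Provisioners {
		byName[p.Name] = p.ID
	}
	for _, a := range db.Admins {
		bySubject[a.Subject] = true
	}
	var newProvs []Provisioner
	var newAdmins []Admin
	for _, p := range exp.Provisioners {
		if existing, ok := byName[p.Name]; ok {
			idMap[p.ID] = existing // admins that pointed at the old ID follow the existing one
			res.ProvSkipped++
			continue
		}
		newID := mint("prov")
		idMap[p.ID], byName[p.Name], p.ID = newID, newID, newID
		newProvs = append(newProvs, p)
		res.ProvAdded++
	}
	for _, a := range exp.Admins {
		if bySubject[a.Subject] {
			res.AdmSkipped++
			continue
		}
		target, ok := idMap[a.ProvisionerID]
		if !ok { // dangling reference: nobody could authenticate as this admin, so refuse it
			res.Errors = append(res.Errors, fmt.Sprintf("admin %q: unknown provisioner %q", a.Subject, a.ProvisionerID))
			continue
		}
		a.ID, a.ProvisionerID, bySubject[a.Subject] = mint("adm"), target, true
		newAdmins = append(newAdmins, a)
		res.AdmAdded++
	}
	if !dryRun {
		db.Provisioners = append(db.Provisioners, newProvs...)
		db.Admins = append(db.Admins, newAdmins...)
		db.nextID = n
	}
	return res, nil
}

// Constructed sample input (not from a real CA): the target CA already has an "acme"
// provisioner and admin bob; carol points at a provisioner that was never exported.
const sampleExport = `{"provisioners":[
 {"id":"old-p1","name":"acme","type":"ACME"},{"id":"old-p2","name":"admin-jwk","type":"JWK"}],
 "admins":[
 {"id":"old-a1","subject":"alice@example.com","provisionerId":"old-p2","type":"SUPER_ADMIN"},
 {"id":"old-a2","subject":"bob@example.com","provisionerId":"old-p1","type":"ADMIN"},
 {"id":"old-a3","subject":"carol@example.com","provisionerId":"old-p9","type":"ADMIN"}]}`

func sampleDB() *DB {
	return &DB{nextID: 1,
		Provisioners: []Provisioner{{ID: "prov-0001", Name: "acme", Type: "ACME"}},
		Admins:       []Admin{{ID: "adm-0001", Subject: "bob@example.com", ProvisionerID: "prov-0001", Type: "ADMIN"}}}
}
```

Running Import on the sample with dryRun set reports one provisioner and one admin to add, one of each skipped, and carol rejected, while the database stays as it was; the real run then lands alice with her provisionerId pointing at the freshly minted admin-jwk ID, and a second run adds nothing. Whatever tool performs the real import, keep in mind that export.json carries the full provisioner configuration (for a JWK provisioner that includes the encrypted private key), so protect it like a secret and remove it once the import has been verified.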

Add deprecation warnings when Linked CA features are used:
- Warning in authority.go when linkedCAToken is initialized
- Warning in app.go when --token flag is used at startup

Existing Linked CAs continue to work but now show deprecation
warnings directing users to migrate to Step CA Pro.

This is phase 1 of removing Linked CA from open-source step-ca.
A future release will remove the functionality entirely.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@github-actions github-actions bot added the needs triage Waiting for discussion / prioritization by team label Jan 29, 2026
tashian added a commit to smallstep/docs that referenced this pull request Jan 29, 2026
Update documentation to clarify that linked CA functionality is now
available exclusively through Step CA Pro, not open-source step-ca.

Related PRs:
- smallstep/certificates#2554
- smallstep/cli#1559

PRO-331

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
tashian and others added 3 commits January 29, 2026 19:52
Add migration tools to help users move from Linked CA to standalone mode:

- Add --token flag to step-ca export to fetch provisioners and admins
  from linked CA cloud storage before migration
- Add step-ca import command to import provisioners and admins from
  an export file into a standalone CA's admin database

The import command features:
- Automatic ID remapping for provisioners and admins
- Duplicate detection (skips existing provisioners/admins)
- --dry-run flag to preview changes without modifying the database

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The export command creates its own authority instance from the config
file and does not require a running CA server.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The migration steps are documented in the changelog.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@tashian tashian changed the title Deprecate Linked CA functionality in open-source step-ca Deprecate Linked CA functionality Feb 2, 2026