[Bug]: `step ca renew` does not integrate with `step-kms-plugin`

[andsens]

Steps to Reproduce

step ca renew --force --out /dev/stdout <(step-kms-plugin certificate --kms tpmkms:storage-directory=$HOME/.step/tpm tpmkms:name=key --bundle) tpmkms:name=key

Your Environment

• OS - Ubuntu 24.04
• step CLI Version - Smallstep CLI/0.28.0 (linux/amd64)

Expected Behavior

A new certificate is output to stdout

Actual Behavior

error parsing private key: : no such file or directory

Additional Context

The renew command only works with keys stored in files:

cli/command/ca/renew.go

Lines 646 to 658 in 81a89c1

	x509ChainBytes := make([][]byte, len(x509Chain))
	for i, c := range x509Chain {
	x509ChainBytes[i] = c.Raw
	}
	opts := []pemutil.Options{pemutil.WithFilename(keyFile)}
	if passFile != "" {
	opts = append(opts, pemutil.WithPasswordFile(passFile))
	}
	pk, err := pemutil.Read(keyFile, opts...)
	if err != nil {
	return tls.Certificate{}, errs.Wrap(err, "error parsing private key")
	}

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[andsens]

I built a workaround to this issue by signing a renewal JWT with step-kms-plugin:
https://gist.github.com/andsens/365e81437d47f29fcce861ed11a9114d

[maraino]

Hi @andsens, I've created a PR that adds kms support for step ca renew and step ca rekey.

For renewing a certificate with an RSA key, step-kms-plugin must be upgraded to v0.12.0+.

[andsens]

Awesome! Thank you very much @maraino

[andsens]

Well, it took some time, but I finally got around to removing the workaround from my pipeline and using this instead. Just wanted to note that I can confirm the fix. Works like a charm :-)