Deprecate Linked CA functionality #2554

Open: tashian wants to merge 4 commits into master from deprecate-linked-ca

tashian commented Jan 29, 2026

Summary

  • Add deprecation warnings when Linked CA features are used
  • Add step-ca export --token flag to export from linked CAs
  • Add step-ca import command to import provisioners and admins into standalone CA
  • Existing Linked CAs and Linked RAs continue to work but show warnings

Changes

Deprecation Warnings

  • authority/authority.go: Warning when linkedCAToken is initialized
  • commands/app.go: Warning when --token flag is used at startup
  • CHANGELOG.md: Added deprecation notice

Migration Tools

  • commands/export.go: Add --token flag to fetch provisioners/admins from linked CA cloud storage
  • commands/import.go: New command to import provisioners and admins from export file into standalone CA database
    • Automatic ID remapping for provisioners and admins
    • Duplicate detection (skips existing provisioners by name, admins by subject)
    • --dry-run flag to preview changes without modifying the database

Migration Workflow

# 1. Export from linked CA (while CA is running)
step-ca export $(step path)/config/ca.json --token $STEP_CA_TOKEN > export.json

# 2. Stop the CA

# 3. Update ca.json:
#    - Remove the authority.linkedca section
#    - Ensure authority.enableAdmin: true
#    - Ensure db is configured

# 4. Import provisioners and admins
step-ca import $(step path)/config/ca.json export.json

# 5. Start the CA without --token
step-ca $(step path)/config/ca.json

Behavior Summary

| Scenario | Before | After |
| --- | --- | --- |
| step-ca --token=xxx (existing linked CA) | Works silently | Works but shows deprecation warning |
| step-ca --token=xxx (existing linked RA) | Works silently | Works but shows deprecation warning |
| step-ca export | Exports local config only | Can also export linked CA config with --token |
| step-ca import | N/A (new command) | Imports provisioners and admins from export file |

Note: Changes to step ca init (removing the Linked option from the interactive menu and blocking --deployment-type=linked) are in the related CLI PR.

Context

This is phase 1 of removing Linked CA from open-source step-ca. The linked deployment type is moving to Step CA Pro.

  • Release N (this PR): Add deprecation warnings, migration tools. Existing linked CAs and RAs continue to work.
  • Release N+2 or N+3: Remove linked CA code entirely

Related CLI PR: smallstep/cli#1559

Test plan

  • make build passes
  • make test passes (4843 tests)
  • make lint passes (no new issues)
  • Manual test: step-ca --token=xxx shows deprecation warning but continues to work
  • Manual test: step-ca export --token exports linked CA provisioners
  • Manual test: step-ca import imports provisioners into standalone CA

🤖 Generated with Claude Code
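
The import behaviour listed in the description above (ID remapping, duplicate skipping, dry run), sketched as an added example; this is not code from the PR or from step-ca. The record types, the `Plan` function and the sample IDs are hypothetical, and the sketch goes one step past the description by rejecting an admin whose provisioner reference cannot be resolved.

```go
package main

import "fmt"

// Hypothetical, simplified record shapes (not step-ca's real types).
type Provisioner struct{ ID, Name string }
type Admin struct{ ID, Subject, ProvisionerID string }
type Store struct{ Provisioners []Provisioner; Admins []Admin }

// Plan returns the store an import would produce plus a decision log; s is never mutated.
func Plan(s Store, provs []Provisioner, admins []Admin) (Store, []string) {
	out := Store{append([]Provisioner{}, s.Provisioners...), append([]Admin{}, s.Admins...)}
	byName, bySubject := map[string]string{}, map[string]bool{}
	for _, p := range out.Provisioners {
		byName[p.Name] = p.ID
	}
	for _, a := range out.Admins {
		bySubject[a.Subject] = true
	}
	remap, log := map[string]string{}, []string{} // exported ID -> local ID
	for _, p := range provs {
		id, dup := byName[p.Name]
		if !dup { // new name: mint a local ID (stand-in for a random UUID)
			id = fmt.Sprintf("prov-local-%d", len(out.Provisioners)+1)
			out.Provisioners = append(out.Provisioners, Provisioner{id, p.Name})
		}
		remap[p.ID], byName[p.Name] = id, id // duplicates resolve to the existing local ID
		log = append(log, fmt.Sprintf("provisioner %s duplicate=%t", p.Name, dup))
	}
	for _, a := range admins {
		local, known := remap[a.ProvisionerID]
		switch {
		case bySubject[a.Subject]:
			log = append(log, "skip admin "+a.Subject)
		case !known: // never bind an admin to a provisioner we cannot resolve
			log = append(log, "reject admin "+a.Subject)
		default:
			bySubject[a.Subject] = true
			id := fmt.Sprintf("adm-local-%d", len(out.Admins)+1)
			out.Admins = append(out.Admins, Admin{id, a.Subject, local})
			log = append(log, "add admin "+a.Subject)
		}
	}
	return out, log
}

func main() { // constructed sample: provisioner "acme" already exists locally
	fmt.Println(Plan(Store{Provisioners: []Provisioner{{"p1", "acme"}}},
		[]Provisioner{{"c1", "acme"}, {"c2", "oidc"}}, []Admin{{"a1", "ops@example.com", "c2"}}))
}
```

Because `Plan` returns a new store rather than changing its input, a dry run is the same call with the returned store discarded and only the log printed.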

Add deprecation warnings when Linked CA features are used:
- Warning in authority.go when linkedCAToken is initialized
- Warning in app.go when --token flag is used at startup

Existing Linked CAs continue to work but now show deprecation
warnings directing users to migrate to Step CA Pro.

This is phase 1 of removing Linked CA from open-source step-ca.
A future release will remove the functionality entirely.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

github-actions bot added the "needs triage" (Waiting for discussion / prioritization by team) label Jan 29, 2026
tashian added a commit to smallstep/docs that referenced this pull request Jan 29, 2026
Update documentation to clarify that linked CA functionality is now
available exclusively through Step CA Pro, not open-source step-ca.

Related PRs:
- smallstep/certificates#2554
- smallstep/cli#1559

PRO-331

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

tashian and others added 3 commits January 29, 2026 19:52

Add migration tools to help users move from Linked CA to standalone mode:

- Add --token flag to step-ca export to fetch provisioners and admins
  from linked CA cloud storage before migration
- Add step-ca import command to import provisioners and admins from
  an export file into a standalone CA's admin database

The import command features:
- Automatic ID remapping for provisioners and admins
- Duplicate detection (skips existing provisioners/admins)
- --dry-run flag to preview changes without modifying the database

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

The export command creates its own authority instance from the config
file and does not require a running CA server.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

The migration steps are documented in the changelog.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

tashian changed the title from "Deprecate Linked CA functionality in open-source step-ca" to "Deprecate Linked CA functionality" Feb 2, 2026
tashian requested a review from maraino March 6, 2026 00:17