smallstep
diff --git a/‎command/ca/provisioner/add.go‎
Lines changed: 14 additions & 3 deletions b/‎command/ca/provisioner/add.go‎
Lines changed: 14 additions & 3 deletions
diff --git a/‎command/ca/provisioner/update.go‎
Lines changed: 12 additions & 1 deletion b/‎command/ca/provisioner/update.go‎
Lines changed: 12 additions & 1 deletion
diff --git a/‎command/certificate/install.go‎
Lines changed: 15 additions & 17 deletions b/‎command/certificate/install.go‎
Lines changed: 15 additions & 17 deletions
diff --git a/‎command/certificate/sign.go‎
Lines changed: 21 additions & 4 deletions b/‎command/certificate/sign.go‎
Lines changed: 21 additions & 4 deletions
@@ -34,6 +34,8 @@ func addCommand() cli.Command {
 [**--admin-cert**=<file>] [**--admin-key**=<file>]
 [**--admin-subject**=<subject>] [**--admin-provisioner**=<name>] [**--admin-password-file**=<file>]
 [**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]
+[**--x509-template**=<file>] [**--x509-template-data**=<file>] [**--ssh-template**=<file>]
+[**--ssh-template-data**=<file>]
 
 ACME
 
@@ -43,6 +45,7 @@ ACME
 [**--admin-cert**=<file>] [**--admin-key**=<file>]
 [**--admin-subject**=<subject>] [**--admin-provisioner**=<name>] [**--admin-password-file**=<file>]
 [**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]
+[**--x509-template**=<file>] [**--x509-template-data**=<file>]
 
 OIDC
 
@@ -53,13 +56,17 @@ OIDC
 [**--admin-cert**=<file>] [**--admin-key**=<file>]
 [**--admin-subject**=<subject>] [**--admin-provisioner**=<name>] [**--admin-password-file**=<file>]
 [**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]
+[**--x509-template**=<file>] [**--x509-template-data**=<file>] [**--ssh-template**=<file>]
+[**--ssh-template-data**=<file>]
 
 X5C
 
 **step ca provisioner add** <name> **--type**=X5C **--x5c-roots**=<file>
 [**--admin-cert**=<file>] [**--admin-key**=<file>]
 [**--admin-subject**=<subject>] [**--admin-provisioner**=<name>] [**--admin-password-file**=<file>]
 [**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]
+[**--x509-template**=<file>] [**--x509-template-data**=<file>] [**--ssh-template**=<file>]
+[**--ssh-template-data**=<file>]
 
 SSHPOP
 
@@ -75,14 +82,15 @@ Nebula
 [**--admin-subject**=<subject>] [**--admin-provisioner**=<name>] [**--admin-password-file**=<file>]
 [**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]
 
-K8SSA
+K8SSA (Kubernetes Service Account)
 
 **step ca provisioner add** <name> **--type**=K8SSA [**--public-key**=<file>]
 [**--admin-cert**=<file>] [**--admin-key**=<file>]
 [**--admin-subject**=<subject>] [**--admin-provisioner**=<name>] [**--admin-password-file**=<file>]
 [**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]
+[**--x509-template**=<file>] [**--x509-template-data**=<file>]
 
-IID
+IID (AWS/GCP/Azure)
 
 **step ca provisioner add** <name> **--type**=[AWS|Azure|GCP]
 [**--aws-account**=<id>] [**--gcp-service-account**=<name>] [**--gcp-project**=<name>]
@@ -93,6 +101,8 @@ IID
 [**--admin-cert**=<file>] [**--admin-key**=<file>]
 [**--admin-subject**=<subject>] [**--admin-provisioner**=<name>] [**--admin-password-file**=<file>]
 [**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]
+[**--x509-template**=<file>] [**--x509-template-data**=<file>] [**--ssh-template**=<file>]
+[**--ssh-template-data**=<file>]
 
 SCEP
 
@@ -103,7 +113,8 @@ SCEP
 [**--scep-decrypter-key-uri**=<uri>] [**--scep-decrypter-key-password-file**=<file>]
 [**--admin-cert**=<file>] [**--admin-key**=<file>] [**--admin-subject**=<subject>]
 [**--admin-provisioner**=<name>] [**--admin-password-file**=<file>]
-[**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]`,
+[**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]
+[**--x509-template**=<file>] [**--x509-template-data**=<file>]`,
 		Flags: []cli.Flag{
 			// General provisioner flags
 			typeFlag,
 
@@ -33,6 +33,8 @@ func updateCommand() cli.Command {
 [**--admin-cert**=<file>] [**--admin-key**=<file>] [**--admin-subject**=<subject>]
 [**--admin-provisioner**=<name>] [**--admin-password-file**=<file>]
 [**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]
+[**--x509-template**=<file>] [**--x509-template-data**=<file>] [**--ssh-template**=<file>]
+[**--ssh-template-data**=<file>]
 
 ACME
 
@@ -42,6 +44,7 @@ ACME
 [**--attestation-roots**=<file>] [**--admin-cert**=<file>] [**--admin-key**=<file>]
 [**--admin-subject**=<subject>] [**--admin-provisioner**=<name>] [**--admin-password-file**=<file>]
 [**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]
+[**--x509-template**=<file>] [**--x509-template-data**=<file>]
 
 OIDC
 
@@ -56,20 +59,25 @@ OIDC
 [**--admin-cert**=<file>] [**--admin-key**=<file>]
 [**--admin-subject**=<subject>] [**--admin-provisioner**=<name>] [**--admin-password-file**=<file>]
 [**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]
+[**--x509-template**=<file>] [**--x509-template-data**=<file>] [**--ssh-template**=<file>]
+[**--ssh-template-data**=<file>]
 
 X5C
 
 **step ca provisioner update** <name> **--x5c-roots**=<file>
 [**--admin-cert**=<file>] [**--admin-key**=<file>]
 [**--admin-subject**=<subject>] [**--admin-provisioner**=<name>] [**--admin-password-file**=<file>]
 [**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]
+[**--x509-template**=<file>] [**--x509-template-data**=<file>] [**--ssh-template**=<file>]
+[**--ssh-template-data**=<file>]
 
 K8SSA (Kubernetes Service Account)
 
 **step ca provisioner update** <name> [**--public-key**=<file>]
 [**--admin-cert**=<file>] [**--admin-key**=<file>]
 [**--admin-subject**=<subject>] [**--admin-provisioner**=<name>] [**--admin-password-file**=<file>]
 [**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]
+[**--x509-template**=<file>] [**--x509-template-data**=<file>]
 
 IID (AWS/GCP/Azure)
 
@@ -84,6 +92,8 @@ IID (AWS/GCP/Azure)
 [**--admin-cert**=<file>] [**--admin-key**=<file>]
 [**--admin-subject**=<subject>] [**--admin-provisioner**=<name>] [**--admin-password-file**=<file>]
 [**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]
+[**--x509-template**=<file>] [**--x509-template-data**=<file>] [**--ssh-template**=<file>]
+[**--ssh-template-data**=<file>]
 
 SCEP
 
@@ -94,7 +104,8 @@ SCEP
 [**--scep-decrypter-key-uri**=<uri>] [**--scep-decrypter-key-password-file**=<file>]
 [**--admin-cert**=<file>] [**--admin-key**=<file>] [**--admin-subject**=<subject>]
 [**--admin-provisioner**=<name>] [**--admin-password-file**=<file>]
-[**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]`,
+[**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]
+[**--x509-template**=<file>] [**--x509-template-data**=<file>]`,
 		Flags: []cli.Flag{
 			nameFlag,
 			pubKeyFlag,
 
@@ -1,13 +1,15 @@
 package certificate
 
 import (
+	"crypto/x509"
 	"fmt"
 	"strings"
 
 	"github.com/pkg/errors"
+	"github.com/urfave/cli"
+
 	"github.com/smallstep/certinfo"
 	"github.com/smallstep/truststore"
-	"github.com/urfave/cli"
 	"go.step.sm/cli-utils/command"
 	"go.step.sm/cli-utils/errs"
 	"go.step.sm/crypto/pemutil"
@@ -159,12 +161,12 @@ func installAction(ctx *cli.Context) error {
 	}
 
 	filename := ctx.Args().Get(0)
-	opts, err := getTruststoreOptions(ctx)
+	cert, opts, err := getTruststoreOptions(ctx)
 	if err != nil {
 		return err
 	}
 
-	if err := truststore.InstallFile(filename, opts...); err != nil {
+	if err := truststore.Install(cert, opts...); err != nil {
 		var truststoreErr *truststore.CmdError
 		if errors.As(err, &truststoreErr) {
 			return errors.Errorf("failed to execute \"%s\" failed with: %s",
@@ -175,10 +177,8 @@ func installAction(ctx *cli.Context) error {
 
 	fmt.Printf("Certificate %s has been installed.\n", filename)
 	// Print certificate info (ignore errors)
-	if cert, err := pemutil.ReadCertificate(filename); err == nil {
-		if s, err := certinfo.CertificateShortText(cert); err == nil {
-			fmt.Print(s)
-		}
+	if s, err := certinfo.CertificateShortText(cert); err == nil {
+		fmt.Print(s)
 	}
 
 	return nil
@@ -190,12 +190,12 @@ func uninstallAction(ctx *cli.Context) error {
 	}
 
 	filename := ctx.Args().Get(0)
-	opts, err := getTruststoreOptions(ctx)
+	cert, opts, err := getTruststoreOptions(ctx)
 	if err != nil {
 		return err
 	}
 
-	if err := truststore.UninstallFile(filename, opts...); err != nil {
+	if err := truststore.Uninstall(cert, opts...); err != nil {
 		var truststoreErr *truststore.CmdError
 		if errors.As(err, &truststoreErr) {
 			return errors.Errorf("failed to execute \"%s\" failed with: %s",
@@ -206,23 +206,21 @@ func uninstallAction(ctx *cli.Context) error {
 
 	fmt.Printf("Certificate %s has been removed.\n", filename)
 	// Print certificate info (ignore errors)
-	if cert, err := pemutil.ReadCertificate(filename); err == nil {
-		if s, err := certinfo.CertificateShortText(cert); err == nil {
-			fmt.Print(s)
-		}
+	if s, err := certinfo.CertificateShortText(cert); err == nil {
+		fmt.Print(s)
 	}
 
 	return nil
 }
 
-func getTruststoreOptions(ctx *cli.Context) ([]truststore.Option, error) {
+func getTruststoreOptions(ctx *cli.Context) (*x509.Certificate, []truststore.Option, error) {
 	cert, err := pemutil.ReadCertificate(ctx.Args().Get(0))
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	if !cert.IsCA || cert.CheckSignatureFrom(cert) != nil {
-		return nil, errors.Errorf("certificate %s is not a root CA", ctx.Args().Get(0))
+		return nil, nil, errors.Errorf("certificate %s is not a root CA", ctx.Args().Get(0))
 	}
 
 	prefix := ctx.String("prefix")
@@ -251,5 +249,5 @@ func getTruststoreOptions(ctx *cli.Context) ([]truststore.Option, error) {
 	if ctx.Bool("no-system") {
 		opts = append(opts, truststore.WithNoSystem())
 	}
-	return opts, nil
+	return cert, opts, nil
 }
@@ -37,8 +37,8 @@ func signCommand() cli.Command {
 		Action: cli.ActionFunc(signAction),
 		Usage:  "sign a certificate signing request (CSR)",
 		UsageText: `**step certificate sign** <csr-file> <crt-file> <key-file>
-[**--profile**=<profile>] [**--template**=<file>] 
-[**--set**=<key=value>] [**--set-file**=<file>]
+[**--profile**=<profile>] [**--template**=<file>]
+[**--set**=<key=value>] [**--set-file**=<file>] [**--omit-cn-san**]
 [**--password-file**=<file>] [**--path-len**=<maximum>]
 [**--not-before**=<time|duration>] [**--not-after**=<time|duration>]
 [**--bundle**]`,
@@ -79,6 +79,11 @@ Sign a CSR with custom validity and bundle the new certificate with the issuer:
 $ step certificate sign --bundle --not-before -1m --not-after 16h leaf.csr issuer.crt issuer.key
 '''
 
+Sign a CSR but do not add the Common Name to the SANs extension of the certificate:
+'''
+$ step certificate sign --omit-cn-san leaf.csr issuer.crt issuer.key
+'''
+
 Sign an intermediate ca:
 '''
 $ step certificate sign --profile intermediate-ca intermediate.csr issuer.crt issuer.key
@@ -174,6 +179,14 @@ $ step certificate sign \
 			flags.Template,
 			flags.TemplateSet,
 			flags.TemplateSetFile,
+			cli.BoolFlag{
+				Name: "omit-cn-san",
+				Usage: `Do not add CSR Common Name as SAN extension in resulting certificate.
+By default, the CSR Common Name will be added as a SAN extension only if the CSR
+does not contain any SANs. Note that if the Common Name is already captured as a
+SAN extension in the CSR then it will still appear as a SAN extension in the
+certificate.`,
+			},
 			flags.PasswordFile,
 			cli.StringFlag{
 				Name: "not-before",
@@ -327,7 +340,7 @@ func signAction(ctx *cli.Context) error {
 	}
 
 	// Create certificate template from csr.
-	data := createTemplateData(csr, maxPathLen)
+	data := createTemplateData(csr, maxPathLen, ctx.Bool("omit-cn-san"))
 	data.SetUserData(userData)
 	tpl, err := x509util.NewCertificate(csr, x509util.WithTemplate(template, data))
 	if err != nil {
@@ -424,7 +437,7 @@ func validateIssuer(crt *x509.Certificate, profile string, maxPathLen int) error
 // createTemplateData create a new template data with subject and sans based on
 // the information in the certificate request, and the maxPathLen for
 // intermediate certificates.
-func createTemplateData(cr *x509.CertificateRequest, maxPathLen int) x509util.TemplateData {
+func createTemplateData(cr *x509.CertificateRequest, maxPathLen int, omitCNSAN bool) x509util.TemplateData {
 	var sans []string
 	sans = append(sans, cr.DNSNames...)
 	sans = append(sans, cr.EmailAddresses...)
@@ -435,6 +448,10 @@ func createTemplateData(cr *x509.CertificateRequest, maxPathLen int) x509util.Te
 		sans = append(sans, v.String())
 	}
 
+	if !omitCNSAN && len(sans) == 0 && cr.Subject.CommonName != "" {
+		sans = append(sans, cr.Subject.CommonName)
+	}
+
 	data := x509util.NewTemplateData()
 	data.SetCertificateRequest(cr)
 	data.Set("MaxPathLen", maxPathLen)