The docs say that "step ca roots downloads a certificate bundle with all the root certificates" and that "step ca federation downloads a certificate bundle with all the root certificates in the federation". I have read the tutorial "Federate PKI trust models between multiple autonomous certificate authorities", and I think I understand what a "federation" is. But what are "all the root certificates" (as in step ca roots), as opposed to "all the root certificates in the federation" (as in step ca federation)? Are they the same thing? If not, how do they differ, and when would one want to use one as opposed to the other? Thanks in advance.
The difference is in which sets of certificates are returned. The

```json
{
  "root": "examples/pki/secrets/root_ca.crt",
  "federatedRoots": ["examples/pki/secrets/federated_root_ca.crt"],
  ...
}
```

Both can contain multiple files. Full example: https://smallstep.com/docs/step-ca/configuration/#example-configuration
Thanks. That's what I was guessing, but I wasn't sure because I didn't (and still don't) see any real difference between putting a certificate in one versus the other. Is it just convention that one is supposed to be certificates from the CA being configured while the other is for certificates from other CAs?
@rwv37 I agree that they look very similar, and I can imagine putting the "other CAs to be federated" under the roots might work for some use cases, so I think it's mainly to explicitly designate that they're used for the specific purpose of federation. The roots that are configured are used in several places in the CA (e.g. for bootstrapping trust, used as the trusted client CA certificate, etc.), whereas the certificates configured as federated are used only to be able to distribute them to clients and servers in need of those trust bundles (in addition to the single root CA they would usually need). The release blog post explains it with an example of a web server that adds the federated roots as tru…