Support installing a root cert via URL with step certificate install

[jdoss]

Hello!

• Vote on this issue by adding a 👍 reaction
• If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Add support for step certificate install to pull a root from a URL and check its fingerprint.

Example:

step certificate install https://mycool-stepca.example.biz/roots.pem --fingerprint 48:62:CD:B0:B1:E8:A8:45:45:97:62:E2:2F:CB:E8:1C:B5:C0:BC:85

Also consider adding a --insecure flag to the URL support to bypass checking the fingerprint.

Why is this needed?

step certificate inspect https://smallstep.com works on URLs and adding this feature will allow operators to trust their PKI in an automated way. For example with a systemd unit:

[Unit]
Description=Trust MyCool root
After=network-online.target
Wants=network-online.target
ConditionPathExists=!/var/lib/pki-trust-mycool-root.stamp
ConditionPathExists=/usr/local/bin/step

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart="step certificate install https://mycool-stepca.example.biz/roots.pem --fingerprint 48:62:CD:B0:B1:E8:A8:45:45:97:62:E2:2F:CB:E8:1C:B5:C0:BC:85"
ExecStartPost=/bin/touch /var/lib/pki-trust-mycool-root.stamp

[Install]
WantedBy=default.target

[hslatman]

Fingerprint using SHA256. Consider supporting other formats, but only with explicit format specified.

https://github.com/orgs/smallstep/projects/94/views/1?pane=issue&itemId=63393140