Support for `--admin-kms` in `step ca provisioner` subcommands

[tashian]

For CA administrative functions, it would be nice to be able to use a KMS-bound key.

This enables a flow where a YubiKey could be used to admin the CA, using an admin cert acquired via ACME DA.

[andsens]

If I understand your request correctly this is already possible by using an x5c key and certificate as provisioner credentials that point to the yubikey with a kms url.

[hslatman]

I believe what @tashian wants is to be able to use a KMS URI instead of specifying the credentials from disk for administrative operations that require our ca.AdminClient: https://github.com/smallstep/cli/blob/master/utils/cautils/client.go#L99-L197. At the moment it assumes the cert/key are always read from disk.

[andsens]

Oh, in that case I have the exact same issue. Thing is, when using kms backed keys (tpm in my case), step ca token --ssh|--revoke|--rekey work, but step ca token --renew does not. Neither does step ca renew:

Nevermind. I misunderstood the issue. Created a separate one here #1314