Ability to issue certificates proxied from a public CA?

[rhysperry111]

It would be cool if step-ca were able to act as a proxy for certificate requests from public CAs.

E.g. if server requests certificate for service.example.com, step-ca proxies the request to letsencrypt and hands back the response.

This has the benefit of allowing issuance of globally-trusted certificates to servers which you might not necessarily want to have access to the internet or you don't want to give them the required privileges for answering ACME challenges (e.g. full DNS control).

Is this a feature that might be worth adding to step-ca, or is it likely best served somewhere else?

[tashian]

Great question!
We have a registration authority mode, but that wouldn't work for what you're wanting to do.
So, at the moment this is beyond the scope of step-ca, which is really focused on internal PKI.