https://github.com/smallstep/certificates
wget https://dl.step.sm/gh-release/cli/docs-ca-install/v0.18.2/step-cli_0.18.2_amd64.deb
sudo dpkg -i step-cli_0.18.2_amd64.deb
Or
wget -O step.tar.gz https://dl.step.sm/gh-release/cli/docs-ca-install/v0.18.2/step_linux_0.18.2_amd64.tar.gz
tar -xf step.tar.gz
sudo cp step_0.18.2/bin/step /usr/bin
wget https://dl.step.sm/gh-release/certificates/docs-ca-install/v0.18.2/step-ca_0.18.2_amd64.deb
sudo dpkg -i step-ca_0.18.2_amd64.deb
Or
wget -O step-ca.tar.gz https://dl.step.sm/gh-release/certificates/docs-ca-install/v0.18.2/step-ca_linux_0.18.2_amd64.tar.gz
tar -xf step-ca.tar.gz
sudo cp step-ca_0.18.2/bin/step-ca /usr/bin
https://smallstep.com/docs/step-ca/getting-started
$ step ca init
✔ Deployment Type: Standalone
What would you like to name your new PKI?
✔ (e.g. Smallstep): Example Inc.
What DNS names or IP addresses would you like to add to your new CA?
✔ (e.g. ca.smallstep.com[,1.1.1.1,etc.]): localhost
What IP and port will your new CA bind to?
✔ (e.g. :443 or 127.0.0.1:443): 127.0.0.1:8443
What would you like to name the CA's first provisioner?
✔ (e.g. [email protected]): [email protected]
Choose a password for your CA keys and first provisioner.
✔ [leave empty and we'll generate one]: abc123
Generating root certificate... done!
Generating intermediate certificate... done!
✔ Root certificate: /home/bob/.step/certs/root_ca.crt
✔ Root private key: /home/bob/.step/secrets/root_ca_key
✔ Root fingerprint: 36b696fb9832c4fefa934f8ad92dfebd250390bb116a3dfa56dd37b244e42351
✔ Intermediate certificate: /home/bob/.step/certs/intermediate_ca.crt
✔ Intermediate private key: /home/bob/.step/secrets/intermediate_ca_key
✔ Database folder: /home/bob/.step/db
✔ Default configuration: /home/bob/.step/config/defaults.json
✔ Certificate Authority configuration: /home/bob/.step/config/ca.json
Your PKI is ready to go. To generate certificates for individual services see 'step help ca'.
FEEDBACK 😍 🍻
The step utility is not instrumented for usage statistics. It does not phone
home. But your feedback is extremely valuable. Any information you can provide
regarding how you’re using `step` helps. Please send us a sentence or two,
good or bad at [email protected] or join GitHub Discussions
https://github.com/smallstep/certificates/discussions and our Discord
https://u.step.sm/discord.
# Run step CA
$ step-ca $(step path)/config/ca.json
badger 2022/03/18 22:13:24 INFO: All 0 tables opened in 0s
Please enter the password to decrypt /home/bob/.step/secrets/intermediate_ca_key: abc123
2022/03/18 22:13:34 Serving HTTPS on 127.0.0.1:8443 ...
$ step certificate fingerprint $(step path)/certs/root_ca.crt
36b696fb9832c4fefa934f8ad92dfebd250390bb116a3dfa56dd37b244e42351
Bootstrap on (possibly) another machine. Do this only on a machine that is not already running the CA; it is usually done on each participating machine that will use our private CA. The fingerprint is the value printed by step ca init (or by step certificate fingerprint on the CA host): bootstrap downloads the root certificate over the network and accepts it only if it matches, so the fingerprint must come from the CA operator out of band, not from the same connection.
$ step ca bootstrap --ca-url localhost:8443 --fingerprint 36b696fb9832c4fefa934f8ad92dfebd250390bb116a3dfa56dd37b244e42351
⚠️ It looks like step is already configured to connect to an authority.
You can use 'contexts' to easily switch between teams and authorities.
Learn more at https://smallstep.com/docs/step-cli/the-step-command#contexts.
✔ Would you like to overwrite /home/bob/.step/certs/root_ca.crt [y/n]: y
The root certificate has been saved in /home/bob/.step/certs/root_ca.crt.
✔ Would you like to overwrite /home/bob/.step/config/defaults.json [y/n]: y
The authority configuration has been saved in /home/bob/.step/config/defaults.json.
The step command will now trust your CA.
Install the root certificate into the system trust store so that certificates issued by the CA are trusted by curl and other programs. This can be done on another machine; run it on each participating machine.
$ step certificate install $(step path)/certs/root_ca.crt
On any participating machine that can reach the CA, we can ask the CA to issue certificates.
$ step ca certificate localhost srv.crt srv.key
✔ Provisioner: [email protected] (JWK) [kid: JhF08PmY4z3QWCVvtMiAIN_CJvmdMpIkpTcVQOzDJe0]
Please enter the password to decrypt the provisioner key: abc123
✔ CA: https://localhost:8443
✔ Certificate: srv.crt
✔ Private Key: srv.key
$ go run testcert/main.go &
$ curl https://localhost:9443/hi
Hello, world!
This works because root_ca.crt is already installed in the system-wide trust store.
If that were not the case, you would have to fetch the root certificate and pass it to the client explicitly.
The step CA must be running in order to fetch the root certificate from it.
$ step-ca $(step path)/config/ca.json
$ step ca root root.crt
$ curl --cacert root.crt https://localhost:9443/hi
Hello, world!
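The client-side trust described above (pin the root by fingerprint, then hand it to the client instead of relying on the system store), as an added Go example for the Go servers used in these notes; it is not code from these notes or from smallstep, and NewTestRoot is a constructed stand-in for root_ca.crt so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Fingerprint mirrors `step certificate fingerprint`: hex SHA-256 of the DER bytes.
func Fingerprint(certPEM []byte) (string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("no CERTIFICATE block in input")
	}
	sum := sha256.Sum256(block.Bytes)
	return hex.EncodeToString(sum[:]), nil
}

// ClientTLSConfig is the Go-client counterpart of `curl --cacert root.crt`, applying
// the same pin as `step ca bootstrap --fingerprint` before the root is trusted.
func ClientTLSConfig(rootPEM []byte, expected string) (*tls.Config, error) {
	got, err := Fingerprint(rootPEM)
	if err != nil || got != expected {
		return nil, errors.New("root not trusted: fingerprint " + got + " does not match " + expected)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(rootPEM) {
		return nil, errors.New("could not parse root certificate")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// NewTestRoot is a constructed stand-in for the root_ca.crt written by `step ca init`.
func NewTestRoot() ([]byte, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not return errors
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

The returned tls.Config is what an http.Transport or grpc credentials.NewTLS would be given in place of the system roots.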
https://smallstep.com/practical-zero-trust/go-grpc-tls
step ca certificate localhost srv.crt srv.key
go run server/main.go
The gRPC server listens on port 5443 and the HTTPS server on port 5444.
grpcurl -d '{"name": "bob"}' localhost:5443 helloworld.Greeter.SayHello
If the root certificate is installed system-wide this should work.
If there is an issue, pass the root certificate explicitly with -cacert ca.crt (ca.crt being a copy of the CA's root certificate, as obtained with step ca root).
curl -X POST -k https://localhost:5444/v1/example/echo -d '{"name": " hello"}'
Note that -k makes curl skip certificate verification entirely, so this request does not exercise the CA trust at all. Drop -k if the root certificate is installed system-wide.
If there is an issue, pass the root certificate explicitly with --cacert ca.crt (curl needs the double dash; -cacert is grpcurl's spelling).
https://smallstep.com/docs/step-cli/basic-crypto-operations/#create-and-work-with-x509-certificates
step certificate create --profile root-ca "Example Root CA" root_ca.crt root_ca.key
step certificate create "Example Intermediate CA 1" intermediate_ca.crt intermediate_ca.key --profile intermediate-ca --ca ./root_ca.crt --ca-key ./root_ca.key
step certificate create example.com example.com.crt example.com.key --profile leaf --not-after=8760h --ca ./intermediate_ca.crt --ca-key ./intermediate_ca.key --bundle
step certificate verify example.com.crt --roots root_ca.crt
step certificate install root_ca.crt
step certificate inspect example.com.crt --short
step certificate inspect example.com.crt --format json | jq -r .validity.end
step certificate inspect https://smallstep.com --format json | jq -r .validity.end
step ca certificate example.com example.com.crt example.com.key --acme https://acme-v02.api.letsencrypt.org/directory
Run step CA using the docker image smallstep/step-ca
$ make dockerrunca
Get fingerprint
$ CA_FINGERPRINT=$(docker exec step-ca step certificate fingerprint certs/root_ca.crt)
$ echo $CA_FINGERPRINT
6a79e7ed2361f71f9f3a49ccd09ec52fe3c90a8ba94958daf2020b484cc1866c
Build the grpc-step-hello docker image.
make dockerbuild
This image will have the compiled helloworld gRPC server code, step-cli and step-certificates installed.
Run the grpc-step-hello docker image.
make dockerrunhello