step_ca

Differences

This shows you the differences between two versions of the page.


step_ca [2025/08/03 08:33] – created herwarth
step_ca [2025/08/03 10:26] (current) – [Manual certificate creation] herwarth
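--- a/step_ca
+++ b/step_ca
@@ -1,2 +1,98 @@
-====== Step CA ======
+======Step CA Docker======
+=====Introduction=====
+Create own Certificate Authority with Step CA Docker image
+=====Installation=====
+Create directories to put docker files
+<code>
+mkdir -p /opt/step-ca/data
+chown 1000:1000 /opt/step-ca/data
+chmod 700 /opt/step-ca/data
+</code>
+
+====Initial config====
+   docker run -it -v /opt/step-ca/data:/home/step smallstep/step-ca step ca init --acme
+====Create password file====
+<code>
+docker run -it -v /opt/step-ca/data:/home/step smallstep/step-ca bash
+echo -n "password" > secrets/password
+chmod 600 secrets/password
+</code>
+
+====Alter configfile====
+<code - /opt/step-ca/data/config/ca.json>
+
+
+"authority":
+  "provisioners":
+      {
+
+
+        "encryptedKey": "<secret key already set by init>",
+         "claims":
+           "minTLSCertDuration": "8760h0m0s",
+           "maxTLSCertDuration": "17520h0m0s",
+           "defaultTLSCertDuration": "8760h0m0s",
+           "enableSSHCA": false,
+           "disableRenewal": false,
+           "allowRenewalAfterExpiry": false
+         },
+         "options":
+           "x509": {},
+           "ssh": {}
+         }
+       },
+       {
+         "type": "ACME",
+         "name": "heitmann",
+         "claims":
+           "maxTLSCertDuration": "2160h0m0s",
+           "defaultTLSCertDuration": "2160h0m0s",
+           "enableSSHCA": true,
+           "disableRenewal": false,
+           "allowRenewalAfterExpiry": false
+         },
+         "options":
+           "x509": {},
+           "ssh": {}
+         }
+      }
+   ],
+.
+
+</code>
+
+====Compose file====
+<code - docker-compose.yml>
+version: '3.2'
+services:
+  step-ca:
+    image: smallstep/step-ca
+    container_name: step-ca
+    hostname: step-ca
+    restart: unless-stopped
+    ports:
+      - "172.16.1.60:9000:9000"
+      - "172.16.1.60:9001:9001"
+    volumes:
+      - ./data:/home/step
+    networks:
+      - dmz
+    healthcheck:
+      test: [ "CMD", "curl", "-k", "https://172.16.1.60:9000/health"
+      timeout: 30s
+      interval: 10s
+      retries: 6
+
+networks:
+  dmz:
+    external: true
+</code>
+
+====Manual certificate creation====
+
+<code>
+docker exec -ti step-ca bash
+step certificate create nas.mgmt.internal certs/nas.mgmt.internal.crt secrets/nas.mgmt.internal.key --kty=RSA --no-password --insecure --ca=certs/intermediate_ca.crt --ca-key=secrets/intermediate_ca_key --san=nas.mgmt.internal --san=nas.local.internal --san=172.16.3.10 --san=172.16.2.10
+</code>
+
 {{tag>linux}}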
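Review bot: The ca.json excerpt under "Alter configfile" is not valid JSON as pasted — the `{` after `"authority":`, the `[` after `"provisioners":`, and the `{` after each `"claims":` and `"options":` are missing, and a stray `.` line precedes the closing `</code>` — so a reader cannot copy it into the config file; the compose healthcheck line `test: [ "CMD", "curl", "-k", "https://172.16.1.60:9000/health"` likewise lacks its closing `]` and will not parse. That healthcheck also passes `-k`, which skips certificate verification against the very CA this container provides; `curl --cacert` pointed at the root certificate that `step ca init` writes under `certs/` would verify the chain instead. In "Create password file", `echo -n "password" > secrets/password` places the CA key passphrase on the command line, where it is kept in shell history; a sentence recommending an interactive prompt (`read -s`) or typing the file with an editor would avoid that. In "Manual certificate creation" the leaf key is written with `--no-password --insecure`; a short note that this is a deliberate choice for a host that needs an unencrypted key, and that the resulting file lives beside `secrets/intermediate_ca_key`, would make the trade-off explicit.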
  
step_ca.1754209985.txt.gz · Last modified: by herwarth