======Step CA Docker======
=====Introduction=====
Create your own Certificate Authority (X.509 with an ACME provisioner) with the Step CA Docker image.
=====Installation=====
Create the data directory that is bind-mounted into the container. It will hold the CA's configuration, certificates and private keys (including the password file), so lock its permissions down before the first start.
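# Data directory for the CA (config/, certs/, secrets/); bind-mounted into the
# container as /home/step. Only root on the host and the container user need
# to read it, hence mode 700.
DATA=/opt/step-ca/data
mkdir -p "$DATA"
# uid/gid 1000 is the unprivileged user the step-ca image runs as; confirm with
# `docker run --rm smallstep/step-ca id` if the image is changed.
chown 1000:1000 "$DATA"
chmod 700 "$DATA"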
====Initial config====
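# One-off interactive initialisation; --rm discards the throwaway container
# afterwards (all state lives in the bind mount). It prompts, among other
# things, for a password that encrypts the root and intermediate keys -- that
# same password is what goes into secrets/password in the next step.
# --acme adds an ACME provisioner alongside the default JWK provisioner.
docker run -it --rm -v /opt/step-ca/data:/home/step smallstep/step-ca step ca init --acme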
====Create password file====
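# Shell into a throwaway container on the same volume to create the password
# file the CA reads at start-up to decrypt its intermediate key (the image's
# entrypoint looks for it at /home/step/secrets/password by default -- confirm
# against the image if you change the path).
docker run -it --rm -v /opt/step-ca/data:/home/step smallstep/step-ca bash
# Read the password chosen during `step ca init` without echo, so it never
# appears on a command line or in shell history; umask 077 makes the file 600
# from the moment it is created rather than after a later chmod.
read -rsp 'CA password: ' CA_PASSWORD; echo
(umask 077; printf '%s' "$CA_PASSWORD" > secrets/password)
unset CA_PASSWORD
chmod 600 secrets/password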
====Alter config file (config/ca.json)====
Only the provisioner claims that were changed are shown. They raise the minimum/maximum/default TLS certificate lifetimes well above step-ca's 24h default; longer lifetimes mean less renewal churn, but also a longer window in which a leaked leaf key stays usable.
.
.
"authority": {
"provisioners": [
{
.
.
"encryptedKey": "",
"claims": {
"minTLSCertDuration": "8760h0m0s",
"maxTLSCertDuration": "17520h0m0s",
"defaultTLSCertDuration": "8760h0m0s",
"enableSSHCA": false,
"disableRenewal": false,
"allowRenewalAfterExpiry": false
},
"options": {
"x509": {},
"ssh": {}
}
},
{
"type": "ACME",
"name": "heitmann",
"claims": {
"maxTLSCertDuration": "2160h0m0s",
"defaultTLSCertDuration": "2160h0m0s",
"enableSSHCA": true,
"disableRenewal": false,
"allowRenewalAfterExpiry": false
},
"options": {
"x509": {},
"ssh": {}
}
}
],
.
.
====Compose file (/opt/step-ca/docker-compose.yml)====
Place the compose file in /opt/step-ca so that ./data resolves to the directory created above.
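# docker-compose.yml for step-ca. Lives in /opt/step-ca so that ./data is the
# bind mount prepared above.
version: '3.2'
services:
  step-ca:
    image: smallstep/step-ca
    container_name: step-ca
    hostname: step-ca
    restart: unless-stopped
    ports:
      # Publish only on the DMZ host address, never on 0.0.0.0.
      - "172.16.1.60:9000:9000"
      # NOTE(review): step-ca's default config listens on :9000 only; confirm
      # 9001 is actually served before exposing it.
      - "172.16.1.60:9001:9001"
    volumes:
      # Holds config/, certs/ and secrets/ (CA private keys and the password
      # file). Keep it mode 700 and owned by uid 1000 on the host.
      - ./data:/home/step
    networks:
      - dmz
    healthcheck:
      # `step ca health` talks to the CA using config/defaults.json written by
      # `step ca init`, so the TLS connection is verified against the CA's own
      # root certificate. The previous `curl -k` disabled certificate checks
      # and dialled the host IP from inside the container, which may not be
      # reachable on every network. The ca-url in defaults.json must resolve
      # from inside the container.
      test: [ "CMD", "step", "ca", "health" ]
      timeout: 30s
      interval: 10s
      retries: 6
networks:
  dmz:
    external: true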
====Manual certificate creation (signing directly with the intermediate key)====
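docker exec -ti step-ca bash
# Issue a server certificate signed directly by the intermediate CA, bypassing
# the provisioners. Paths are relative to /home/step inside the container.
# --no-password --insecure writes the private key UNENCRYPTED: restrict it at
# once (chmod below), move it to the NAS over a secure channel and delete it
# from the CA host. Better still, generate the key on the NAS and only sign a
# CSR here (`step certificate sign`), so the private key never touches the CA.
# The intermediate key is encrypted; step prompts for its password (the one in
# secrets/password) -- `--ca-password-file=secrets/password` avoids the prompt.
# NOTE(review): no --not-after is given, so the leaf gets this command's
# default validity, not the provisioner claims from ca.json; check the NotAfter
# of the result and pass e.g. --not-after=8760h if a longer lifetime is wanted.
step certificate create nas.mgmt.internal \
  certs/nas.mgmt.internal.crt secrets/nas.mgmt.internal.key \
  --kty=RSA --no-password --insecure \
  --ca=certs/intermediate_ca.crt --ca-key=secrets/intermediate_ca_key \
  --san=nas.mgmt.internal --san=nas.local.internal \
  --san=172.16.3.10 --san=172.16.2.10
chmod 600 secrets/nas.mgmt.internal.key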
{{tag>linux}}