Step CA Docker

Introduction

Create your own Certificate Authority with the Step CA Docker image.

Installation

Create the data directory that is mounted into the container. It is owned by UID 1000 (the step user inside the image) and readable only by that user, since it will hold the CA keys:

mkdir -p /opt/step-ca/data
chown 1000:1000 /opt/step-ca/data
chmod 700 /opt/step-ca/data

Initial config

Run the initialisation once. --acme adds an ACME provisioner next to the default JWK provisioner; the command asks interactively for the password that encrypts the CA keys.

docker run -it -v /opt/step-ca/data:/home/step smallstep/step-ca step ca init --acme

Create password file

The container entrypoint reads secrets/password at startup to decrypt the CA keys, so the file must contain the password chosen during step ca init (replace "password" below). Create it from a shell inside the container:

docker run -it -v /opt/step-ca/data:/home/step smallstep/step-ca bash
echo -n "password" > secrets/password
chmod 600 secrets/password

Edit the config file

The claims control how long certificates issued through each provisioner may live (Go duration strings: 8760h is one year, 17520h two years, 2160h 90 days). The JWK provisioner created by init gets a one-year default and a two-year maximum; the ACME provisioner is limited to 90 days.

/opt/step-ca/data/config/ca.json

...
"authority": {
  "provisioners": [
    {
      ...
      "encryptedKey": "<secret key already set by init>",
      "claims": {
        "minTLSCertDuration": "8760h0m0s",
        "maxTLSCertDuration": "17520h0m0s",
        "defaultTLSCertDuration": "8760h0m0s",
        "enableSSHCA": false,
        "disableRenewal": false,
        "allowRenewalAfterExpiry": false
      },
      "options": {
        "x509": {},
        "ssh": {}
      }
    },
    {
      "type": "ACME",
      "name": "heitmann",
      "claims": {
        "maxTLSCertDuration": "2160h0m0s",
        "defaultTLSCertDuration": "2160h0m0s",
        "enableSSHCA": true,
        "disableRenewal": false,
        "allowRenewalAfterExpiry": false
      },
      "options": {
        "x509": {},
        "ssh": {}
      }
    }
  ],
  ...
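Hand-edited claims are easy to get wrong, and step-ca validates them at startup, so an inconsistent min/default/max ordering means the container fails to come up after a restart. The following Python script is an added example (it is not part of step-ca or of this page): it parses the Go duration strings used in the claims, fills in missing claims with the step-ca defaults it assumes (5m / 24h / 24h), and reports every provisioner whose ordering is broken. The sample ca.json inside it is constructed to mirror the excerpt above, plus one deliberately misconfigured provisioner.

```python
"""Check the TLS duration claims of a step-ca ca.json before restarting the CA.

Added example; not part of smallstep/step-ca or the original wiki page.
"""
import json
import re

# Claims step-ca falls back to when a provisioner does not set them.
# Assumption: these match the global defaults of the step-ca version in use.
DEFAULT_CLAIMS = {
    "minTLSCertDuration": "5m0s",
    "maxTLSCertDuration": "24h0m0s",
    "defaultTLSCertDuration": "24h0m0s",
}

_UNIT_SECONDS = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 1e-3, "us": 1e-6, "ns": 1e-9}
# Two-letter units are listed first so "ms" is not read as "m" followed by junk.
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ms|us|ns|h|m|s)")


def parse_go_duration(text):
    """Return the seconds in a Go duration string such as '8760h0m0s' or '1h30m'."""
    if text == "0":
        return 0.0
    pos, total = 0, 0.0
    while pos < len(text):
        match = _TOKEN.match(text, pos)
        if match is None:
            raise ValueError(f"invalid duration: {text!r}")
        total += float(match.group(1)) * _UNIT_SECONDS[match.group(2)]
        pos = match.end()
    if pos == 0:
        raise ValueError(f"empty duration: {text!r}")
    return total


def check_provisioner_claims(config):
    """Return one report dict per provisioner of an already parsed ca.json."""
    report = []
    for prov in config["authority"]["provisioners"]:
        claims = {**DEFAULT_CLAIMS, **prov.get("claims", {})}
        lo = parse_go_duration(claims["minTLSCertDuration"])
        default = parse_go_duration(claims["defaultTLSCertDuration"])
        hi = parse_go_duration(claims["maxTLSCertDuration"])
        problems = []
        if default < lo:
            problems.append("defaultTLSCertDuration is below minTLSCertDuration")
        if default > hi:
            problems.append("defaultTLSCertDuration is above maxTLSCertDuration")
        if lo > hi:
            problems.append("minTLSCertDuration is above maxTLSCertDuration")
        report.append({
            "name": prov.get("name", "?"),
            "type": prov.get("type", "?"),
            "min_s": lo, "default_s": default, "max_s": hi,
            "problems": problems,
        })
    return report


def check_ca_json(text):
    """Parse ca.json text and return the per-provisioner report."""
    return check_provisioner_claims(json.loads(text))


# Constructed sample: the two provisioners from the page's excerpt plus a
# third one whose minimum exceeds both its default and the assumed maximum.
SAMPLE_CA_JSON = """
{
  "authority": {
    "provisioners": [
      {"type": "JWK", "name": "admin", "claims": {
        "minTLSCertDuration": "8760h0m0s",
        "maxTLSCertDuration": "17520h0m0s",
        "defaultTLSCertDuration": "8760h0m0s"}},
      {"type": "ACME", "name": "acme", "claims": {
        "maxTLSCertDuration": "2160h0m0s",
        "defaultTLSCertDuration": "2160h0m0s"}},
      {"type": "JWK", "name": "misconfigured", "claims": {
        "minTLSCertDuration": "48h0m0s",
        "defaultTLSCertDuration": "24h0m0s"}}
    ]
  }
}
"""


def _days(seconds):
    return f"{seconds / 86400:.2f}d"


if __name__ == "__main__":
    for row in check_ca_json(SAMPLE_CA_JSON):
        status = "; ".join(row["problems"]) or "ok"
        print(f'{row["type"]:5} {row["name"]:14} min={_days(row["min_s"])} '
              f'default={_days(row["default_s"])} max={_days(row["max_s"])} -> {status}')
```

To check the live file, replace SAMPLE_CA_JSON with the contents of /opt/step-ca/data/config/ca.json; a provisioner with an empty problems list is consistent, and the printed day counts make it easy to see that the ACME provisioner is really limited to 90 days.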

Compose file

The compose file lives in /opt/step-ca so that ./data resolves to the data directory created above.

/opt/step-ca/docker-compose.yml
version: '3.2'
services:
  step-ca:
    image: smallstep/step-ca
    container_name: step-ca
    hostname: step-ca
    restart: unless-stopped
    ports:
      - "172.16.1.60:9000:9000"
      - "172.16.1.60:9001:9001"
    volumes:
      - ./data:/home/step
    networks:
      - dmz
    healthcheck:
      test: [ "CMD", "curl", "-k", "https://172.16.1.60:9000/health" ]
      timeout: 30s
      interval: 10s
      retries: 6

networks:
  dmz:
    external: true

Manual certificate creation

Leaf certificates can also be signed directly with the intermediate CA from inside the running container. --no-password --insecure writes the private key unencrypted, so protect the resulting file; step asks for the CA password to unlock the intermediate key.

docker exec -ti step-ca bash
step certificate create nas.mgmt.internal \
  certs/nas.mgmt.internal.crt secrets/nas.mgmt.internal.key \
  --kty=RSA --no-password --insecure \
  --ca=certs/intermediate_ca.crt --ca-key=secrets/intermediate_ca_key \
  --san=nas.mgmt.internal --san=nas.local.internal \
  --san=172.16.3.10 --san=172.16.2.10
step_ca.txt · Last modified: by herwarth