add step ca guide
This commit is contained in:
rskntroot
97
mkdocs/docs/projects/step_ca.md
Normal file
97
mkdocs/docs/projects/step_ca.md
Normal file
@@ -0,0 +1,97 @@
|
|||||||
|
# Step CA
|
||||||
|
|
||||||
|
An internal CA and ACME Provider.
|
||||||
|
|
||||||
|
## Brief
|
||||||
|
|
||||||
|
Step can do more, but lets configure the basics.
|
||||||
|
|
||||||
|
## Install
|
||||||
|
|
||||||
|
``` bash
|
||||||
|
sudo -i
|
||||||
|
```
|
||||||
|
|
||||||
|
``` bash
|
||||||
|
apt-get update && apt-get install -y --no-install-recommends curl vim gpg ca-certificates
|
||||||
|
curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg -o /etc/apt/trusted.gpg.d/smallstep.asc && \
|
||||||
|
echo 'deb [signed-by=/etc/apt/trusted.gpg.d/smallstep.asc] https://packages.smallstep.com/stable/debian debs main' \
|
||||||
|
| tee /etc/apt/sources.list.d/smallstep.list
|
||||||
|
apt-get update && apt-get -y install step-cli step-ca
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! note "For more install instructions see smallstep [installation guide](https://smallstep.com/docs/step-ca/installation/)."
|
||||||
|
|
||||||
|
## Config Setup
|
||||||
|
|
||||||
|
``` bash
|
||||||
|
echo 'some-password' > secret
|
||||||
|
```
|
||||||
|
|
||||||
|
=== Config
|
||||||
|
|
||||||
|
``` bash
|
||||||
|
step ca init \
|
||||||
|
--deployment-type standalone \
|
||||||
|
--name ${CA_NAME} \
|
||||||
|
--dns=${CA_DNS_NAMES} \
|
||||||
|
--address 0.0.0.0:5001 \
|
||||||
|
--provisioner ${CA_EMAIL} \
|
||||||
|
--password-file ./secret
|
||||||
|
```
|
||||||
|
|
||||||
|
=== Example
|
||||||
|
|
||||||
|
``` bash
|
||||||
|
step ca init \
|
||||||
|
--deployment-type standalone \
|
||||||
|
--name rskio \
|
||||||
|
--dns=rskio.com,rskntr.com \
|
||||||
|
--address 0.0.0.0:5001 \
|
||||||
|
--provisioner dev@rskio.com \
|
||||||
|
--password-file ./secret
|
||||||
|
```
|
||||||
|
|
||||||
|
``` bash
|
||||||
|
step ca provisioner add dev --type ACME
|
||||||
|
```
|
||||||
|
|
||||||
|
## Service
|
||||||
|
|
||||||
|
## Certificates
|
||||||
|
|
||||||
|
### Trust
|
||||||
|
|
||||||
|
``` bash
|
||||||
|
cat ~/.step/certs/root_ca.crt
|
||||||
|
cat ~/.step/certs/intermediate_ca.crt
|
||||||
|
```
|
||||||
|
|
||||||
|
save and install the files into the trusted certificates on your endpoint and enable trust for ssl signing
|
||||||
|
|
||||||
|
### ClusterIssuer
|
||||||
|
|
||||||
|
``` bash
|
||||||
|
cat .step/certs/root_ca.crt | base64 -w0
|
||||||
|
```
|
||||||
|
|
||||||
|
use output in the spec.
|
||||||
|
|
||||||
|
``` yaml
|
||||||
|
apiVersion: cert-manager.io/v1
|
||||||
|
kind: ClusterIssuer
|
||||||
|
metadata:
|
||||||
|
name: dev-step-issuer
|
||||||
|
spec:
|
||||||
|
acme:
|
||||||
|
email: ${SOME_EMAIL}
|
||||||
|
server: https://${CA_DOMAIN}/acme/dev/directory
|
||||||
|
privateKeySecretRef:
|
||||||
|
name: dev-step-issuer-account-key
|
||||||
|
caBundle: ${CA_ROOT_PEM}
|
||||||
|
solvers:
|
||||||
|
- selector: {}
|
||||||
|
http01:
|
||||||
|
ingress:
|
||||||
|
class: traefik
|
||||||
|
```
|
||||||
Reference in New Issue
Block a user