add step ca guide
This commit is contained in:
rskntroot
97
mkdocs/docs/projects/step_ca.md
Normal file
97
mkdocs/docs/projects/step_ca.md
Normal file
@@ -0,0 +1,97 @@
|
||||
# Step CA
|
||||
|
||||
An internal CA and ACME Provider.
|
||||
|
||||
## Brief
|
||||
|
||||
Step can do more, but lets configure the basics.
|
||||
|
||||
## Install
|
||||
|
||||
``` bash
|
||||
sudo -i
|
||||
```
|
||||
|
||||
``` bash
|
||||
apt-get update && apt-get install -y --no-install-recommends curl vim gpg ca-certificates
|
||||
curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg -o /etc/apt/trusted.gpg.d/smallstep.asc && \
|
||||
echo 'deb [signed-by=/etc/apt/trusted.gpg.d/smallstep.asc] https://packages.smallstep.com/stable/debian debs main' \
|
||||
| tee /etc/apt/sources.list.d/smallstep.list
|
||||
apt-get update && apt-get -y install step-cli step-ca
|
||||
```
|
||||
|
||||
!!! note "For more install instructions see smallstep [installation guide](https://smallstep.com/docs/step-ca/installation/)."
|
||||
|
||||
## Config Setup
|
||||
|
||||
``` bash
|
||||
echo 'some-password' > secret
|
||||
```
|
||||
|
||||
=== Config
|
||||
|
||||
``` bash
|
||||
step ca init \
|
||||
--deployment-type standalone \
|
||||
--name ${CA_NAME} \
|
||||
--dns=${CA_DNS_NAMES} \
|
||||
--address 0.0.0.0:5001 \
|
||||
--provisioner ${CA_EMAIL} \
|
||||
--password-file ./secret
|
||||
```
|
||||
|
||||
=== Example
|
||||
|
||||
``` bash
|
||||
step ca init \
|
||||
--deployment-type standalone \
|
||||
--name rskio \
|
||||
--dns=rskio.com,rskntr.com \
|
||||
--address 0.0.0.0:5001 \
|
||||
--provisioner dev@rskio.com \
|
||||
--password-file ./secret
|
||||
```
|
||||
|
||||
``` bash
|
||||
step ca provisioner add dev --type ACME
|
||||
```
|
||||
|
||||
## Service
|
||||
|
||||
## Certificates
|
||||
|
||||
### Trust
|
||||
|
||||
``` bash
|
||||
cat ~/.step/certs/root_ca.crt
|
||||
cat ~/.step/certs/intermediate_ca.crt
|
||||
```
|
||||
|
||||
save and install the files into the trusted certificates on your endpoint and enable trust for ssl signing
|
||||
|
||||
### ClusterIssuer
|
||||
|
||||
``` bash
|
||||
cat .step/certs/root_ca.crt | base64 -w0
|
||||
```
|
||||
|
||||
use output in the spec.
|
||||
|
||||
``` yaml
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: dev-step-issuer
|
||||
spec:
|
||||
acme:
|
||||
email: ${SOME_EMAIL}
|
||||
server: https://${CA_DOMAIN}/acme/dev/directory
|
||||
privateKeySecretRef:
|
||||
name: dev-step-issuer-account-key
|
||||
caBundle: ${CA_ROOT_PEM}
|
||||
solvers:
|
||||
- selector: {}
|
||||
http01:
|
||||
ingress:
|
||||
class: traefik
|
||||
```
|
||||
Reference in New Issue
Block a user