Smallstep Guide

1. Initialization

Only run this once for the initial install.
  1. Get the latest version of step-ca

    docker pull smallstep/step-ca
  2. Bring up the PKI bootstrapping container. The Docker volume named "step" will hold your CA configuration, keys, and database.

    docker run -it -v step:/home/step smallstep/step-ca step ca init --remote-management
    Sample session
    ✔ Deployment Type: Standalone
    What would you like to name your new PKI?
    ✔ (e.g. Smallstep): My-CA
    What DNS names or IP addresses will clients use to reach your CA?
    ✔ (e.g. ca.example.com[,10.1.2.3,etc.]): 192.168.1.2,p-ubuntu-norco
    What IP and port will your new CA bind to? (:443 will bind to 0.0.0.0:443)
    ✔ (e.g. :443 or 127.0.0.1:443): :9002
    What would you like to name the CA's first provisioner?
    ✔ (e.g. you@smallstep.com): mattosd@xackleystudio.com
    Choose a password for your CA keys and first provisioner.
    ✔ [leave empty and we'll generate one]:
    
    Generating root certificate... done!
    Generating intermediate certificate... done!
    ✔ Would you like to overwrite /home/step/certs/intermediate_ca.crt [y/n]: y
    ✔ Would you like to overwrite /home/step/certs/root_ca.crt [y/n]: y
    ✔ Would you like to overwrite /home/step/secrets/root_ca_key [y/n]: y
    
    ✔ Root certificate: /home/step/certs/root_ca.crt
    ✔ Root private key: /home/step/secrets/root_ca_key
    ✔ Root fingerprint: 338d03ffdbaf4c6370e597a1230af80d6dbff0e20abcdbe6e65dbe7ea5afdd0a
    ✔ Intermediate certificate: /home/step/certs/intermediate_ca.crt
    ✔ Intermediate private key: /home/step/secrets/intermediate_ca_key
    badger 2024/09/01 14:14:37 INFO: All 0 tables opened in 0s
    badger 2024/09/01 14:14:37 INFO: Storing value log head: {Fid:0 Len:30 Offset:2949}
    badger 2024/09/01 14:14:37 INFO: [Compactor: 173] Running compaction: {level:0 score:1.73 dropPrefixes:[]} for level: 0
    badger 2024/09/01 14:14:37 INFO: LOG Compact 0->1, del 1 tables, add 1 tables, took 2.071696ms
    badger 2024/09/01 14:14:37 INFO: [Compactor: 173] Compaction for level: 0 DONE
    badger 2024/09/01 14:14:37 INFO: Force compaction on level 0 done
    ✔ Would you like to overwrite /home/step/config/ca.json [y/n]: y
    ✔ Would you like to overwrite /home/step/config/defaults.json [y/n]: y
    ✔ Database folder: /home/step/db
    ✔ Default configuration: /home/step/config/defaults.json
    ✔ Certificate Authority configuration: /home/step/config/ca.json
    ✔ Admin provisioner: mattosd@xackleystudio.com (JWK)
    ✔ Super admin subject: step
    
    Your PKI is ready to go. To generate certificates for individual services see 'step help ca'.
  3. Create folder

    1. Create the CA folder

      mkdir ./CA
    2. Set perms

      sudo chmod -R 777 ./CA
  4. Now you can start the container using the compose.yml file

    sudo docker-compose up -d
  5. Get the administrative user and password

    You’ll need this for admin purposes.
    You’ll only see this once following the initial init!

    1. Get the log

      sudo docker logs -f My-CA
    2. Look for this in the log:

      👉 Your CA administrative username is: step                                        (1)
      👉 Your CA administrative password is: 8Q3xS76u1xm1abcdiAlHA11234NVHlOZsdW3pJuXz  (2)
      🤫 This will only be displayed once.                                               (3)

      (1) The admin username
      (2) Record this somewhere safe
      (3) NOTE - DISPLAYED ONLY ONCE!
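Because the admin credentials appear only once in the container log, it is easy to lose them if the container is restarted before they are recorded. The following POSIX shell script is an added example (not part of the Smallstep guide or of step-ca itself) that extracts the username and password from log text and writes them to a file readable only by the current user. The sample log lines are constructed here and the password value is made up; the function and file names are my own.

```shell
#!/bin/sh
# Added example: capture the one-time step-ca admin credentials from the log
# and store them with restrictive permissions. Not from the original guide.

# Constructed sample of the relevant log lines (password value is made up).
SAMPLE_LOG='badger 2024/09/01 14:14:37 INFO: All 0 tables opened in 0s
👉 Your CA administrative username is: step
👉 Your CA administrative password is: 8Q3xS76u1xm1abcdiAlHA11234NVHlOZsdW3pJuXz
🤫 This will only be displayed once.'

# admin_field <username|password>
# Reads log text on stdin and prints the value that follows
# "Your CA administrative <field> is:". Returns 1 when the banner is absent,
# which is what you see after a restart, since step-ca prints it only once.
# Parameter expansion is used instead of sed so that the emoji prefix does not
# depend on the current locale.
admin_field() {
  field="$1"
  while IFS= read -r line; do
    case "$line" in
      *"Your CA administrative ${field} is:"*)
        value=${line##*"administrative ${field} is:"}
        set -- $value            # word-split to drop surrounding spaces
        printf '%s\n' "$1"
        return 0 ;;
    esac
  done
  return 1
}

# save_admin_creds <log-text> <output-file>
# Writes both values as KEY=VALUE lines to a file created with mode 0600.
# The umask change is confined to a subshell so the caller's umask is untouched.
save_admin_creds() {
  log="$1"
  out="$2"
  user=$(printf '%s\n' "$log" | admin_field username) || return 1
  pass=$(printf '%s\n' "$log" | admin_field password) || return 1
  ( umask 077
    printf 'STEP_ADMIN_SUBJECT=%s\nSTEP_ADMIN_PASSWORD=%s\n' "$user" "$pass" > "$out" )
}

# Real-world usage (docker writes the banner to stderr, hence 2>&1):
#   save_admin_creds "$(sudo docker logs My-CA 2>&1)" "$HOME/.step-admin.env"
```

If `admin_field` returns 1 on a live container, the banner has already scrolled away or the container has been restarted; there is no way to recover the password from the log afterwards, so treat that as a signal to reset the admin provisioner rather than to keep searching.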

2. Configure for ACME

ACME = Automated Certificate Management Environment
Original documentation is here

  1. Start a docker exec command

    sudo docker exec -it My-CA bash
  2. Run

    step ca provisioner add acme --type ACME
    Example
    fa300a15fb88:~$ step ca provisioner add acme --type ACME
    No admin credentials found. You must login to execute admin commands.
    ✔ Please enter admin name/subject (e.g., name@example.com): step
    ✔ Provisioner: admin (JWK) [kid: B0W9GrT74YGsAvgjnbcm3wmtT58lu_uMeBzXRZ_9YOg]
    Please enter the password to decrypt the provisioner key: