Self-Hosted ACME (Automated Certificate Management Environment) Server with Step-CA on Linux

Subscribers: 14,400
Video Link: https://www.youtube.com/watch?v=4ET20bCsTX0
Duration: 4:06
2,134 views


#ACME #LetsEncrypt #SSL #StepCA

Full steps can be found at https://i12bretro.github.io/tutorials/0746.html

What is Step-CA?
[Step-CA is] a private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH. - https://github.com/smallstep/certificates
 
Installing Step-CA and Step-CLI
   01. Log into the Linux device
   02. Run the following commands in a terminal
         # update software repositories
         sudo apt update
         # install available software updates
         sudo apt upgrade -y
         # clean up downloaded apt files
         sudo apt clean
         # look up the latest step-ca release URL via the GitHub API (bash only: uses [[ =~ ]])
         regex='"browser_download_url": "(https:\/\/github.com\/smallstep\/certificates\/releases\/download\/[^/]*\/step-ca_[^/]*amd64\.deb)"' && response=$(curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/smallstep/certificates/releases/latest) && [[ $response =~ $regex ]] && downloadURL="${BASH_REMATCH[1]}"
         # download the step-ca server package (note: nothing in these steps checks its integrity)
         wget -O ./steps-ca.deb "$downloadURL"
         # install the step-ca server package
         sudo dpkg -i ./steps-ca.deb
         # look up the latest step-cli release URL
         regex='"browser_download_url": "(https:\/\/github.com\/smallstep\/cli\/releases\/download\/[^/]*\/step-cli_[^/]*amd64\.deb)"' && response=$(curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/smallstep/cli/releases/latest) && [[ $response =~ $regex ]] && downloadURL="${BASH_REMATCH[1]}"
         # download the step-cli client package
         wget -O ./steps-cli.deb "$downloadURL"
         # install the step-cli client package
         sudo dpkg -i ./steps-cli.deb
         # create the /etc/step-ca directory
         sudo mkdir /etc/step-ca
         # elevate to root user
         sudo su
         # set the step-ca path
         export STEPPATH=/etc/step-ca
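The download commands above install whatever URL the GitHub API returns without checking the package's integrity, so a tampered or swapped asset would be installed as root. The script below is an added example, not part of the original tutorial and not smallstep's own tooling: it performs the same latest-release lookup in functions and refuses to run dpkg unless the .deb's SHA-256 matches the release's checksum list. It assumes the release publishes a sha256sum-style file named checksums.txt alongside the assets (check the release page; the name is an assumption here), and the repository names and asset patterns are the tutorial's.

```shell
#!/usr/bin/env bash
# Added example: download the latest smallstep .deb, verify it against the
# release's checksums.txt, and only then install it. Not from the tutorial
# or from smallstep; the checksums.txt name/format is an assumption.
set -eu

# latest_asset_url REPO PATTERN
# Print the browser_download_url of the first asset in REPO's latest
# release whose URL matches the grep -E PATTERN, e.g. 'step-ca_.*_amd64\.deb$'.
latest_asset_url() {
  local repo=$1 pattern=$2
  curl -fsSL -H "Accept: application/vnd.github.v3+json" \
    "https://api.github.com/repos/${repo}/releases/latest" |
    grep -oE '"browser_download_url": *"[^"]+"' |
    cut -d'"' -f4 |
    grep -E "$pattern" | head -n1
}

# verify_sha256 FILE CHECKSUMS_FILE
# Succeed only if CHECKSUMS_FILE has a "<sha256>  <basename>" line for FILE
# (optionally "*<basename>" for binary mode) and the digest matches.
# Runs sha256sum -c inside FILE's directory so the basename resolves.
verify_sha256() {
  local file=$1 sums=$2 base line
  base=$(basename "$file")
  line=$(awk -v f="$base" '$2 == f || $2 == "*" f { print; exit }' "$sums")
  [ -n "$line" ] || return 1
  (cd "$(dirname "$file")" && printf '%s\n' "$line" | sha256sum -c --status)
}

# install_verified REPO PATTERN OUTFILE
# Fetch the matching asset plus the checksums.txt published next to it,
# verify, then install. A mismatch deletes the download and aborts.
install_verified() {
  local repo=$1 pattern=$2 out=$3 url dir
  url=$(latest_asset_url "$repo" "$pattern")
  [ -n "$url" ] || { echo "no asset matching $pattern in $repo" >&2; return 1; }
  dir=$(dirname "$out")
  wget -qO "$out" "$url"
  wget -qO "$dir/checksums.txt" "${url%/*}/checksums.txt"
  if ! verify_sha256 "$out" "$dir/checksums.txt"; then
    echo "checksum mismatch for $out, refusing to install" >&2
    rm -f "$out"
    return 1
  fi
  sudo dpkg -i "$out"
}

# Network and install steps run only when invoked with "install", so the
# functions above can be sourced and exercised on their own.
if [ "${1:-}" = install ]; then
  install_verified smallstep/certificates 'step-ca_.*_amd64\.deb$'  ./step-ca.deb
  install_verified smallstep/cli          'step-cli_.*_amd64\.deb$' ./step-cli.deb
fi
```

Run it as `bash install-step.sh install`. verify_sha256 deliberately matches the exact basename in the second column rather than grepping for a substring, so a line for `step-ca_x_amd64.deb.sig` cannot satisfy a check for `step-ca_x_amd64.deb`.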
 
Initialize A New Certificate Authority
   01. Continue with the following commands in a terminal
         # initialize a CA
         step ca init
   02. Select standalone > press Enter
   03. Enter a name for the PKI/Certificate Authority [e.g. i12bretro Certificate Authority] > Press Enter
   04. Enter the IP address and/or DNS name of the Step-CA host [e.g. debian.i12bretro.local,192.168.0.57] > Press Enter
   05. Enter the port for Step-CA to listen on [e.g. :8443] > Press Enter
   06. Enter a first provisioner e-mail address [e.g. i12bretro@i12bretro.local] > Press Enter
   07. Enter a password for the CA or leave it blank to have a password generated > Press Enter (a generated password is printed once; it is needed for password.txt below)
 
Installing Step-CA Service/Daemon
   01. Continue with the following commands in a terminal
         # add an ACME provisioner named "acme"
         step ca provisioner add acme --type ACME
         # exit root shell
         exit
         # create password.txt, replace the placeholder with the CA password
         # note: the password ends up in your shell history; clear it afterwards
         echo '$YourCAPassword!!' | sudo tee -a /etc/step-ca/password.txt > /dev/null
         # create step-ca user
         sudo useradd --system --home /etc/step-ca --shell /bin/false step-ca
         # set ownership of /etc/step-ca
         sudo chown step-ca:step-ca /etc/step-ca -R
         # limit permissions on the password.txt file
         sudo chmod 400 /etc/step-ca/password.txt
         # create step-ca log directory
         sudo mkdir /var/log/step-ca -p
         # set ownership of step-ca logs
         sudo chown step-ca:step-ca /var/log/step-ca -R
         # edit the ca configuration
         sudo nano /etc/step-ca/config/ca.json
   02. By default, step-ca issues TLS certificates valid for 24 hours. To change this, add the following "claims" block inside each provisioner object in the "provisioners" array of ca.json and adjust the values as needed (durations use Go duration syntax: "8760h" is one year, "26280h" is three years). Longer lifetimes reduce the benefit of automated renewal, since a leaked key stays usable until the certificate expires, so keep them as short as your clients' renewal cadence allows
         "claims": {
            "maxTLSCertDuration": "26280h",
            "defaultTLSCertDuration": "8760h"
         },
   03. Press CTRL+O, Enter, CTRL+X to write the changes and close nano
   04. Continue with the following commands in a terminal
         # create service file
         sudo nano /etc/systemd/system/step-ca.service
   05. Paste the following configuration into step-ca.service
         [Unit]
         Description=step-ca service
         After=network.target
         StartLimitIntervalSec=0

         [Service]
         Type=simple
         Restart=always
         RestartSec=1
         User=step-ca
         Group=step-ca
         Environment=STEPPATH=/etc/step-ca
         ExecStart=/bin/sh -c "/usr/bin/step-ca ${STEPPATH}/config/ca.json --password-file=${STEPPATH}/password.txt >> /var/log/step-ca/step-ca.log 2>&1"

         [Install]
         WantedBy=multi-user.target
   06. Press CTRL+O, Enter, CTRL+X to write the changes and close nano


Full steps can be found on GitHub [link at the top]


### Connect with me and others ###
★ Discord: https://discord.com/invite/EzenvmSHW8
★ Reddit: https://reddit.com/r/i12bretro
★ Twitter: https://twitter.com/i12bretro







Tags:
ACME
Certificate Authority
Certificates
Debian
Encryption
HTTPS
Home Lab
Home Lab Ideas
How To
IT Security
Install Guide
Let's Encrypt
Let's Encrypt Alternative
Linux
PKI
Public Key Infrastructure
Public Key User Interface
SSL Certificates
Self-Hosted
Self-Hosted ACME Server
Self-Hosted Let's Encrypt
Self-Signed
Self-Signed Certificate
Self-Signed HTTPS
Self-Signed PKI
Self-Signed SSL
Tutorial
i12bretro