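# Install the step CLI and step-ca from the published .deb packages.
# The versions are pinned in one place so the install is reproducible.
STEP_CLI_VERSION="0.17.5"
STEP_CA_VERSION="0.17.4"
STEP_CLI_DEB="step-cli_${STEP_CLI_VERSION}_amd64.deb"
STEP_CA_DEB="step-ca_${STEP_CA_VERSION}_amd64.deb"

# Expected SHA-256 digests of the two packages, copied from the publisher's
# release checksums. Placeholders: fill them in before running. "dpkg -i"
# executes the package's maintainer scripts as root, so the digest check
# deliberately happens before it and the download alone is never trusted.
STEP_CLI_SHA256="<sha256 of ${STEP_CLI_DEB}>"
STEP_CA_SHA256="<sha256 of ${STEP_CA_DEB}>"

wget "https://dl.step.sm/gh-release/cli/docs-ca-install/v${STEP_CLI_VERSION}/${STEP_CLI_DEB}"
printf '%s  %s\n' "$STEP_CLI_SHA256" "$STEP_CLI_DEB" | sha256sum -c - || exit 1
sudo dpkg -i "$STEP_CLI_DEB"

wget "https://dl.step.sm/gh-release/certificates/docs-ca-install/v${STEP_CA_VERSION}/${STEP_CA_DEB}"
printf '%s  %s\n' "$STEP_CA_SHA256" "$STEP_CA_DEB" | sha256sum -c - || exit 1
sudo dpkg -i "$STEP_CA_DEB"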
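# Give this host a ".local" name, both persistently (/etc/hostname) and for
# the running system. Both now derive from the short name: the original wrote
# "$(hostname -s).local" to the file but set the live name from "hostname -f",
# which differs as soon as a domain is configured. "hostname -s" also strips
# any existing suffix, so re-running this does not stack ".local.local".
new_hostname="$(hostname -s).local"
# The redirection in "cat <<EOF > /etc/hostname" runs as the invoking user,
# not as root; tee under sudo makes the write itself privileged.
printf '%s\n' "$new_hostname" | sudo tee /etc/hostname >/dev/null
sudo hostname "$new_hostname"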
# Interactive. Generates the root and intermediate CA certificates and private
# keys and writes ca.json / defaults.json under the step path; the prompts and
# the resulting file list are shown below. Record the password you enter at
# the last prompt — NOTE(review): later steps (starting the CA, issuing tokens)
# appear to ask for it again; confirm against the step-ca docs.
step ca init
The command above asks several questions; answer them carefully.
✔ What would you like to name your new PKI? (e.g. Smallstep): <Hostname/ anything which you like>
✔ What DNS names or IP addresses would you like to add to your new CA? (e.g. ca.smallstep.com[,1.1.1.1,etc.]): <hostname>
✔ What address will your new CA listen at? (e.g. :443): <IPAddress>:443
✔ What would you like to name the first provisioner for your new CA? (e.g. you@smallstep.com): <email address>
✔ What do you want your password to be? [leave empty and we will generate one]: <password>
Generating root certificate...
all done!
Generating intermediate certificate...
all done!
✔ Root certificate: /Users/bob/.step/certs/root_ca.crt
✔ Root private key: /Users/bob/.step/secrets/root_ca_key
✔ Root fingerprint: 702a094e239c9eec6f0dcd0a5f65e595bf7ed6614012825c5fe3d1ae1b2fd6ee
✔ Intermediate certificate: /Users/bob/.step/certs/intermediate_ca.crt
✔ Intermediate private key: /Users/bob/.step/secrets/intermediate_ca_key
✔ Default configuration: /Users/bob/.step/config/defaults.json
✔ Certificate Authority configuration: /Users/bob/.step/config/ca.json
Your PKI is ready to go.
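# Print the root CA fingerprint. Clients pin this value with --fingerprint
# when they bootstrap (see below), so copy it to them out-of-band; never
# fetch it from the CA URL it is meant to authenticate. Command substitutions
# are quoted so a step path containing spaces does not word-split.
step certificate fingerprint "$(step path)/certs/root_ca.crt"
# Start the CA in the foreground with the configuration written by step ca init.
step-ca "$(step path)/config/ca.json"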
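# Client side: give this host a ".local" name, persistently and for the
# running system. Both derive from the short name so they agree; the original
# wrote "$(hostname -s).local" to the file but set the live name from
# "hostname -f". "hostname -s" strips any existing suffix, so this is safe to
# re-run.
new_hostname="$(hostname -s).local"
# The heredoc redirection ran as the invoking user; tee under sudo makes the
# write to /etc/hostname itself privileged.
printf '%s\n' "$new_hostname" | sudo tee /etc/hostname >/dev/null
sudo hostname "$new_hostname"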
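# Make the CA reachable by name. Replace the placeholder with the CA host's
# address; the append to /etc/hosts needs root, which ">>" as a normal user
# does not give, hence tee.
CA_MANAGER_IP="<camanager ip address>"
printf '%s camanager.local\n' "$CA_MANAGER_IP" | sudo tee -a /etc/hosts >/dev/null

# Root fingerprint printed on the CA host by "step certificate fingerprint".
# This is the trust anchor for everything that follows: bootstrap only accepts
# a root certificate whose fingerprint matches, so the value must come from the
# CA operator out-of-band, not from the CA URL itself.
CA_FINGERPRINT="<fingerprint>"
step ca bootstrap --ca-url https://camanager.local --fingerprint "$CA_FINGERPRINT"

# Add the CA root to this machine's trust store: from here on every
# certificate this CA issues is trusted system-wide.
step certificate install "$(step path)/certs/root_ca.crt"
step ca health --ca-url https://camanager.local --root "$(step path)/certs/root_ca.crt"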
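# Request a short-lived enrolment token bound to this host's name (with the
# default JWK provisioner this prompts for the provisioner password). TOKEN is
# a bearer credential: whoever holds it can obtain a certificate for that
# name, so keep it out of logs and clear it once the certificate is issued.
TOKEN="$(step ca token "$(hostname)" --ca-url https://camanager.local)"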
e.g. TOKEN=$(step ca token employee.local --ca-url https://camanager.local)
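# Exchange the token for a certificate and private key for this host.
# The token is passed on the command line, so it is briefly visible to other
# local users in the process list; acceptable for a one-shot enrolment, but do
# not copy this pattern into a long-running script. The requested one-year
# validity must be allowed by the provisioner's claims in ca.json: step-ca caps
# TLS certificate lifetime at 24 hours by default, so expect a rejection unless
# maxTLSCertDuration was raised. "date --date" is GNU date (fine on Debian).
step ca certificate "$(hostname)" server.crt server.key \
  --token "$TOKEN" \
  --ca-url https://camanager.local \
  --root "$(step path)/certs/root_ca.crt" \
  --not-after "$(date --date "next year" -Iseconds)"
# server.key is this host's private key; keep it readable only by the service
# that serves server.crt. The token is spent now, so drop it from the shell.
unset TOKEN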
The name passed to `step ca certificate` (e.g. employee.local) must match the DNS name that `$TOKEN` was issued for.
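# Download the CA root certificate into the current directory, accepting it
# only if its fingerprint matches the value copied from the CA host.
CA_FINGERPRINT="<fingerprint>"
step ca root root_ca.crt \
  --ca-url https://camanager.local \
  --fingerprint "$CA_FINGERPRINT"
# Install the file that was just downloaded. "step ca root" writes to the path
# given on its command line; $(step path)/certs/root_ca.crt, which the original
# installed instead, only exists on a machine that has already run
# "step ca bootstrap".
step certificate install root_ca.crt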
Import the root certificate ($(step path)/certs/root_ca.crt) into the browser's trust store.
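# Map a service's hostname to its address so the name in its certificate
# resolves locally. Fill both placeholders; the append to /etc/hosts needs
# root, which ">>" as a normal user does not give, hence tee.
SERVICE_IP="<ip address>"
SERVICE_HOSTNAME="<service hostname>"
printf '%s %s\n' "$SERVICE_IP" "$SERVICE_HOSTNAME" | sudo tee -a /etc/hosts >/dev/null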
e.g. echo "192.168.1.10 employee.local" >> /etc/hosts
https://smallstep.com/docs/step-cli/reference/ca
https://smallstep.com/docs/step-ca
https://smallstep.com/docs/step-ca/certificate-authority-core-concepts
https://smallstep.com/docs/step-ca/getting-started