@Snehal1112
Last active December 24, 2021 14:05
MTLS with smallstep

Install step and step-ca

wget https://dl.step.sm/gh-release/cli/docs-ca-install/v0.17.5/step-cli_0.17.5_amd64.deb
sudo dpkg -i step-cli_0.17.5_amd64.deb

wget https://dl.step.sm/gh-release/certificates/docs-ca-install/v0.17.4/step-ca_0.17.4_amd64.deb
sudo dpkg -i step-ca_0.17.4_amd64.deb

Set Hostname

cat <<EOF > /etc/hostname
$(hostname -s).local
EOF

Configure hostname

hostname $(hostname -f).local

Initialize your certificate authority

step ca init

The command above asks a few questions; answer them carefully.

✔ What would you like to name your new PKI? (e.g. Smallstep): <Hostname/ anything which you like>
✔ What DNS names or IP addresses would you like to add to your new CA? (e.g. ca.smallstep.com[,1.1.1.1,etc.]): <hostname>
✔ What address will your new CA listen at? (e.g. :443): <IPAddress>:443 
✔ What would you like to name the first provisioner for your new CA? (e.g. you@smallstep.com): <email address>
✔ What do you want your password to be? [leave empty and we will generate one]: <password>

Generating root certificate...
all done!

Generating intermediate certificate...
all done!

✔ Root certificate: /Users/bob/.step/certs/root_ca.crt
✔ Root private key: /Users/bob/.step/secrets/root_ca_key
✔ Root fingerprint: 702a094e239c9eec6f0dcd0a5f65e595bf7ed6614012825c5fe3d1ae1b2fd6ee
✔ Intermediate certificate: /Users/bob/.step/certs/intermediate_ca.crt
✔ Intermediate private key: /Users/bob/.step/secrets/intermediate_ca_key
✔ Default configuration: /Users/bob/.step/config/defaults.json
✔ Certificate Authority configuration: /Users/bob/.step/config/ca.json

Your PKI is ready to go.

Find fingerprint

step certificate fingerprint $(step path)/certs/root_ca.crt

Run your certificate authority

step-ca $(step path)/config/ca.json

Remote service

Set hostname

cat <<EOF > /etc/hostname
$(hostname -s).local
EOF

Configure hostname

hostname $(hostname -f).local

Configure hosts file

echo "<camanager ip address> camanager.local" >> /etc/hosts

Accessing your CA remotely

step ca bootstrap --ca-url https://camanager.local --fingerprint <fingerprint>

Install certificate

step certificate install $(step path)/certs/root_ca.crt

Get the health status of the CA:

step ca health --ca-url https://camanager.local --root $(step path)/certs/root_ca.crt

Create a new certificate using a token:

TOKEN=$(step ca token $(hostname) --ca-url https://camanager.local)
e.g. TOKEN=$(step ca token employee.local --ca-url https://camanager.local)

step ca certificate $(hostname) server.crt server.key \
--token $TOKEN \
--ca-url https://camanager.local \
--root $(step path)/certs/root_ca.crt \
--not-after "$(date --date "next year" -Iseconds)"

The subject name given to step ca certificate (employee.local here) must match the DNS name that $TOKEN was issued for.

Remote client (if you want to access your service from a browser)

Accessing your CA remotely

step ca root root_ca.crt \
--ca-url https://camanager.local \
--fingerprint <fingerprint>

Install certificate

step certificate install $(step path)/certs/root_ca.crt

Import your CA certificate into the browser

Import $(step path)/certs/root_ca.crt into the browser's trusted certificate authorities

Configure hosts file

echo "<ip address> <service hostname>" >> /etc/hosts

e.g. echo "192.168.1.10 employee.local" >> /etc/hosts
