-
-
Save brav0charlie/b70c488f0b64947e25eebac07c75bd3b to your computer and use it in GitHub Desktop.
Private CA with step-ca & Docker Compose
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # NOTE: We're passing a cleartext password via an environment variable. If you're not | |
| # comfortable with this, there's a manual setup process available in the Docker | |
| # Hub page for smallstep/step-ca (https://hub.docker.com/r/smallstep/step-ca). | |
| # | |
| # If you're using your own DNS server(s) to resolve internal hostnames, enter | |
| # them in the DNS1 and DNS2 fields. If not, leave these null and delete the DNS | |
| # section (lines 26 - 28) in docker-compose.yml. | |
| # | |
| # CA Configuration | |
| # Name of Cert Authority (i.e., PrivateCorp CA). Visible on all issued certs. | |
| CA_NAME="PrivateCorp CA" | |
| # Comma-separated list of hostnames/IP addresses the CA will accept requests on | |
| CA_DNS_NAMES=step-ca.home.example.com | |
| # Name for the initial provisioner. Default is 'admin' if left null. | |
| STEP_PROVISIONER_NAME=admin | |
| # Specify a password for encrypted CA Keys & Default CA Provisioner | |
| # Generate with 'pwgen -N 1 -s 32' | |
| CA_ENCRYPTION_PASS=<CHANGE ME TO SOMETHING SECURE> | |
| # Set to any non-null value to enable SSH certificate support | |
| INIT_SSH= | |
| # Container Network Configuration | |
| # DNS search domains | |
| DOMAIN=home.example.com | |
| # Primary DNS server | |
| DNS1=1.1.1.1 | |
| # Secondary DNS server | |
| DNS2=1.0.0.1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # NOTE: We're passing a cleartext password via an environment variable. If you're not | |
| # comfortable with this, there's a manual setup process available in the Docker | |
| # Hub page for smallstep/step-ca (https://hub.docker.com/r/smallstep/step-ca). | |
| # | |
| # If you're using your own DNS server(s) to resolve internal hostnames, enter | |
| # them in the DNS1 and DNS2 fields in the associated .env file. If not, leave | |
| # them null in the .env file and delete the DNS section (lines 26 - 28) in | |
| # this file. | |
| # | |
| # By default, the step-ca container will listen on port 9000 on the host. Change | |
| # the number to the left of the colon on line 25 to change the external port. | |
| # | |
| # | |
| version: '3.8' | |
| services: | |
| step-ca: | |
| image: 'smallstep/step-ca:latest' | |
| container_name: 'step-ca' | |
| hostname: 'step-ca' | |
| networks: | |
| - 'step-ca' | |
| ports: | |
| - 9000:9000 | |
| dns: | |
| - '${DNS1}' | |
| - '${DNS2}' | |
| dns_search: | |
| - '${DOMAIN}' | |
| environment: | |
| # Name of Cert Authority (i.e., PrivateCorp CA). Visible on all issued certs. | |
| - "DOCKER_STEPCA_INIT_NAME=${CA_NAME}" | |
| # Comma-separated list of hostnames/IP addresses the CA will accept requests on | |
| - "DOCKER_STEPCA_INIT_DNS_NAMES=${CA_DNS_NAMES}" | |
| # Name for the initial provisioner. Default is 'admin' if left null. | |
| - "DOCKER_STEPCA_INIT_PROVISIONER_NAME=${STEP_PROVISIONER_NAME}" | |
| # Specify a password for encrypted CA Keys & Default CA Provisioner | |
| - "DOCKER_STEPCA_INIT_PASSWORD=${CA_ENCRYPTION_PASS}" | |
| # Set this to any non-null value to enable SSH cert support | |
| - "DOCKER_STEPCA_INIT_SSH=${INIT_SSH}" | |
| volumes: | |
| - 'step:/home/step' | |
| volumes: | |
| step: | |
| name: step | |
| driver: local | |
| networks: | |
| step-ca: | |
| name: 'step-ca' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment