
@hadi2f244
Last active July 26, 2023 08:44
A simple guidance for installing CA with step-ca

Prerequisites:

CA Server

  1. Install the step and step-ca commands. Follow the official documentation, or simply:
curl -L https://dl.smallstep.com/gh-release/cli/docs-ca-install/v0.23.2/step_linux_0.23.2_amd64.tar.gz \
   -o step.tar.gz
tar -xf step.tar.gz
sudo cp step_0.23.2/bin/step /usr/bin
  2. It is easiest to do all of these tasks as the root user.
  3. Initialize the CA: step ca init
     3.1. You can set a password.
     3.2. Add a proper DNS record (here I used ca.hadiazad.local).
  4. Write the password to this path: /root/.step/.ca-pw
  5. Make sure /root/.step/config/ca.json exists.
  6. To support the ACME protocol, run: step ca provisioner add acme --type ACME
  7. Edit /root/.step/config/ca.json and add lifetimes in the ACME provisioner section:
	{
		"type": "ACME",
		"name": "domain",
		"forceCN": true,
		"claims": {
			...
			"maxTLSCertDuration": "2160h",
			"defaultTLSCertDuration": "2160h"
			...
		}
	}
  8. Add this service as /etc/systemd/system/step-ca-server.service:
[Unit]
Description=step-ca-server
After=network-online.target
Wants=network-online.target

[Service]
TimeoutStartSec=0
ExecStart=/usr/bin/step-ca --password-file=/root/.step/.ca-pw /root/.step/config/ca.json

# systemd does not run Exec lines through a shell, so a $(ps aux | grep ...)
# substitution would never expand. $MAINPID is the PID of the ExecStart process,
# which is what step-ca needs for a SIGHUP reload. Stopping is left to systemd's
# default SIGTERM instead of an unconditional kill -9.
ExecReload=/bin/kill -s HUP $MAINPID

Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target

  9. sudo systemctl daemon-reload
  10. sudo systemctl enable --now step-ca-server && sudo systemctl restart step-ca-server

The CA server should now be listening on port 443.

On client side:

  1. Check that you can reach the CA server: curl -k https://ca.hadiazad.local/acme/acme/directory
     1.1. Without the -k option this fails, because the client does not yet trust the CA's root certificate.
  2. Download /root/.step/certs/root_ca.crt from the CA server to the client.
  3. Copy the certificate into the system trust store: sudo cp root_ca.crt /usr/local/share/ca-certificates/
  4. sudo update-ca-certificates
  5. curl https://ca.hadiazad.local/acme/acme/directory now works without -k.

Note: this has to be repeated on every client!
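The client-side steps above copy whatever root_ca.crt was downloaded straight into the trust store, and the first check is done with curl -k, so nothing verifies that the file really is the CA's root before every client starts trusting it. The script below is an added example (not part of the gist, and not Smallstep's own tooling): it computes the SHA-256 fingerprint of the downloaded root, compares it in constant time against a fingerprint obtained out of band (for example from step certificate fingerprint root_ca.crt run on the CA host), installs it only on a match, and then fetches the ACME directory with TLS verification on. The script name pin_root.py, the file name step-root-ca.crt inside /usr/local/share/ca-certificates, and the embedded SAMPLE_PEM (which is constructed bytes in PEM armour, not a real certificate) are assumptions of this example; the URL and trust directory come from the gist.

```python
#!/usr/bin/env python3
"""Pin the step-ca root certificate by fingerprint before trusting it (added example)."""
import base64
import hashlib
import hmac
import json
import shutil
import ssl
import subprocess
import sys
import urllib.request
from pathlib import Path

# Values taken from the gist above.
ACME_DIRECTORY_URL = "https://ca.hadiazad.local/acme/acme/directory"
TRUST_DIR = Path("/usr/local/share/ca-certificates")  # Debian/Ubuntu anchor directory


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the single certificate inside."""
    return ssl.PEM_cert_to_DER_cert(pem.strip())


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding as lowercase hex, the same value that
    `step certificate fingerprint root_ca.crt` prints on the CA host."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def normalize_fingerprint(text: str) -> str:
    """Accept 'AB:CD:...', 'abcd...' or 'SHA256 Fingerprint=AB:CD:...' forms."""
    return text.split("=")[-1].replace(":", "").strip().lower()


def fingerprint_matches(pem: str, expected: str) -> bool:
    """Compare in constant time so the check cannot leak partial matches."""
    return hmac.compare_digest(sha256_fingerprint(pem), normalize_fingerprint(expected))


def install_root(pem_path: Path, expected: str) -> Path:
    """Copy the root into the trust store only if its fingerprint is the pinned one."""
    pem = pem_path.read_text()
    if not fingerprint_matches(pem, expected):
        raise SystemExit(
            f"refusing to trust {pem_path}: fingerprint {sha256_fingerprint(pem)} "
            f"does not match pinned {normalize_fingerprint(expected)}"
        )
    dest = TRUST_DIR / "step-root-ca.crt"  # update-ca-certificates only picks up *.crt (assumed name)
    shutil.copy(pem_path, dest)
    subprocess.run(["update-ca-certificates"], check=True)
    return dest


def fetch_acme_directory(url: str = ACME_DIRECTORY_URL, cafile=None) -> dict:
    """Fetch the directory with verification ON, i.e. the opposite of curl -k.
    cafile=None uses the system store, which now contains the pinned root."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.load(resp)


def directory_looks_valid(directory: dict) -> bool:
    """An RFC 8555 directory object advertises at least these resources."""
    return all(k in directory for k in ("newNonce", "newAccount", "newOrder"))


# Constructed sample (NOT a real certificate): arbitrary bytes wrapped in PEM
# armour, enough to exercise the fingerprint code offline.
SAMPLE_DER = b"constructed sample bytes, not a real certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    # usage: sudo python3 pin_root.py root_ca.crt <sha256-fingerprint-from-ca-host>
    if len(sys.argv) != 3:
        sys.exit("usage: pin_root.py root_ca.crt <sha256-fingerprint-from-ca-host>")
    installed = install_root(Path(sys.argv[1]), sys.argv[2])
    print(f"installed {installed}")
    ok = directory_looks_valid(fetch_acme_directory())
    print("ACME directory OK" if ok else "unexpected directory response")
```

The fingerprint must come from a channel other than the download itself (reading it off the CA host's console, or from wherever the CA operator publishes it); if the expected value is fetched over the same unverified connection, the pin adds nothing.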

Using Certbot to create new certificate

Use this command to create a certificate for the test.hadiazad.local domain:

sudo certbot certonly -d test.hadiazad.local --server https://ca.hadiazad.local/acme/acme/directory

Config Nginx

Download these files and move them to /etc/letsencrypt:

https://raw.githubusercontent.com/certbot/certbot/ddd4b31b1c0bc397f04a9c96176157ab5ae639ee/certbot/certbot/ssl-dhparams.pem
https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf

Nginx config example:

upstream nexus-apt {
	server 127.0.0.1:8081;
}

server {
	server_name nexus.hadiazad.local;

	listen [::]:443 ssl ipv6only=on;
	listen 443 ssl;
	ssl_certificate /etc/letsencrypt/live/nexus.hadiazad.local/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/nexus.hadiazad.local/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf;
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
	client_max_body_size 1G;

	location / {
		proxy_pass http://nexus-apt;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Real-IP $remote_addr;
	}
}

server {
	if ($host = nexus.hadiazad.local) {
		return 301 https://$host$request_uri;
	}

	listen 80 default_server;
	listen [::]:80 default_server;

	server_name nexus.hadiazad.local;
	return 404;
}
