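#!/usr/bin/env bash
# This script will launch and configure a step-ca SSH Certificate Authority
# with OIDC and AWS provisioners
# See for full instructions
#
# Review notes on this revision:
#   * The page this was copied from lost several lines (the release download
#     URL prefix, most of the systemd unit body, the tail of `step ca init`).
#     Those parts are restored below as clearly labelled [placeholders] that
#     must be filled in before running, exactly like the original variables.
#   * Two flags used an en dash (`–password-file`) instead of `--`; fixed.
#   * Secret files (the JWK key password and the CA password) were written
#     with the default umask, i.e. world-readable; they are now created 0600.
#   * Variables referenced but never defined (EMAIL, STEPCLI_VERSION,
#     OPENID_CONFIG_ENDPOINT) now have placeholder assignments.
#   * Do not add `set -x`: the root-key password is passed on argv and would
#     be echoed into the terminal/log.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Everything below writes under /etc and /root.
[[ ${EUID} -eq 0 ]] || die "this script must run as root"

OIDC_CLIENT_ID="[OAuth client ID]" # from Google
OIDC_CLIENT_SECRET="[OAuth client secret]" # from Google
ALLOWED_DOMAIN="[the domain name of accounts your users will use to sign to Google]"
CA_NAME="[A name for your CA]"
ROOT_KEY_PASSWORD="[A password for your CA's root key]"
# Values the original referenced without defining (presumably lost from the page).
EMAIL="[email address used as the CA's default provisioner name]"
CA_DNS="[DNS name (or IP) clients will use to reach this CA]"
STEPCLI_VERSION="[step release version to install, e.g. X.Y.Z]"
STEP_RELEASES_BASE_URL="[base URL of the step release downloads]"
OPENID_CONFIG_ENDPOINT="[OpenID configuration endpoint URL of the Google provider]"

# Setup the JWK
mkdir -p "$HOME/step-ca"
# Subshell umask: the password file is created 0600 from the start (no
# chmod-after-write race, and the umask does not leak into later steps).
(umask 077; printf '%s\n' "$ROOT_KEY_PASSWORD" > "$HOME/step-ca/key")
# NOTE(review): the original passed the directory "~/step-ca/" as the first
# (public JWK output) argument; confirm against `step crypto jwk create --help`
# whether a file path is expected here.
step crypto jwk create "$HOME/step-ca/" "$HOME/step-ca/jwk.json" --password-file="$HOME/step-ca/key"

# Install the step packages. -f makes curl fail on HTTP errors instead of
# saving an error page that dpkg would then choke on.
# TODO(review): verify the downloaded .deb checksums/signatures before installing.
curl -fsSLO -- "${STEP_RELEASES_BASE_URL}/${STEPCLI_VERSION}/step-certificates_${STEPCLI_VERSION}_amd64.deb"
dpkg -i -- "step-certificates_${STEPCLI_VERSION}_amd64.deb"
curl -fsSLO -- "${STEP_RELEASES_BASE_URL}/${STEPCLI_VERSION}/step-cli_${STEPCLI_VERSION}_amd64.deb"
dpkg -i -- "step-cli_${STEPCLI_VERSION}_amd64.deb"

# All your CA config and certificates will go into $STEPPATH.
export STEPPATH=/etc/step-ca
mkdir -p "$STEPPATH"
chmod 700 "$STEPPATH"
(umask 077; printf '%s\n' "$ROOT_KEY_PASSWORD" > "$STEPPATH/password.txt")

# Add a service to systemd for our CA.
# Only the Description= and ExecStart= lines survive from the original unit;
# the section headers and [Install] target are the standard minimum.
cat <<EOF > /etc/systemd/system/step-ca.service
[Unit]
Description=step-ca service

[Service]
ExecStart=/usr/bin/step-ca ${STEPPATH}/config/ca.json --password-file=${STEPPATH}/password.txt

[Install]
WantedBy=multi-user.target
EOF

# Set up our basic CA configuration and generate root keys.
# The original continuation line after --provisioner was lost; --dns and
# --password-file are the flags needed for a non-interactive init.
step ca init --ssh --name="$CA_NAME" \
  --dns="$CA_DNS" \
  --address=":443" --provisioner="$EMAIL" \
  --password-file="$STEPPATH/password.txt"

# Add the Google OAuth provisioner, for user certificates.
# ALLOWED_DOMAIN was defined but never used on the page; it presumably belongs
# here as --domain, which restricts accepted identities to that domain — confirm.
step ca provisioner add Google --type=oidc --ssh \
  --client-id="$OIDC_CLIENT_ID" \
  --client-secret="$OIDC_CLIENT_SECRET" \
  --configuration-endpoint="$OPENID_CONFIG_ENDPOINT" \
  --domain="$ALLOWED_DOMAIN"

# Add a JWK provisioner, for host bootstrapping
step ca provisioner add "$HOME/step-ca/jwk.json" \
  --ca-config "$STEPPATH/config/ca.json" --ssh --password-file="$HOME/step-ca/key"

# The sshpop provisioner lets hosts renew their ssh certificates
step ca provisioner add SSHPOP --type=sshpop --ssh

# Use Google (OIDC) as the default provisioner in the end user's
# ssh configuration template.
sed -i 's/\%p$/%p --provisioner="Google"/g' "$STEPPATH/templates/ssh/config.tpl"

# A freshly written unit file is not visible to systemd until reloaded.
systemctl daemon-reload
service step-ca start

printf 'export STEPPATH=%s\n' "$STEPPATH" >> /root/.profile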