# /etc/step/openssl.conf
# Minimal "openssl ca" configuration whose only job is to generate CRLs from a
# step-ca database that has been exported to index.txt (see the scripts below).
[ ca ]
default_ca = step
[ step ]
dir = /var/lib/step
# The CRL is signed directly with step-ca's root CA certificate and key (no
# intermediate); the key passphrase is supplied with -passin at -gencrl time.
certificate = $dir/certs/root_ca.crt
private_key = $dir/secrets/root_ca_key
# CRL serial counter; it must exist and hold a hex number before the first
# -gencrl (e.g. `echo 01 > crlnumber`) -- confirm for your openssl version.
crlnumber = $dir/crlnumber
# Revocation database in "openssl ca" index format, rebuilt from step-ca's DB.
database = $dir/index.txt
# CRL validity (nextUpdate) in days; regenerate and publish before it lapses.
default_crl_days = 44
# Digest used when signing the CRL.
default_md = sha512
# Do not reject index entries that repeat a subject already present.
unique_subject = no
Save your provider password to /etc/step/passwd; openssl reads it from that file via `-passin file:` when generating the CRL.
{
"db": {
"type": "bbolt",
"dataSource": "/var/lib/step/db/bolt.db"
}
}
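# Tooling for the bbolt variant: jq for JSON parsing and Go to build the
# thunder bbolt CLI. Note: on Go 1.18+ `go get` no longer installs binaries;
# use `go install github.com/muesli/thunder@latest` there instead.
dnf -y install golang jq
go get github.com/muesli/thunder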
{
"db": {
"type": "mysql",
"dataSource": "step:step@tcp(127.0.0.1:3306)/",
"database": "step"
}
}
# Tooling for the MariaDB variant: the mysql client and jq for JSON parsing.
dnf install -y mariadb jq
Since the database is locked while step-ca is running, you must stop step-ca before running either export script below.
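# Rebuild the "openssl ca" index (index.txt) from step-ca's bbolt database.
# Requires GNU date (-d), jq and thunder on PATH; step-ca must be stopped
# first because bbolt locks the database file while step-ca runs.
export PATH=${PATH}:${HOME}/go/bin
step="/var/lib/step"
db="${step}/db/bolt.db"

#######################################
# Print one "openssl ca" index record for a revoked certificate.
# Arguments: $1 - RevokedAt timestamp (parsed by GNU date -d)
#            $2 - serial as stored by step-ca (colons stripped, upper-cased)
# Outputs:   the tab-separated "R" record on stdout
# Returns:   non-zero if date cannot parse $1
#######################################
index_line() {
  local enddate=$1
  local serial=$2
  local expiry revoked
  # Both the expiration (YYYYMMDDHHMMSSZ) and revocation (YYMMDDHHMMSSZ)
  # columns are derived from RevokedAt, as in the original script; -gencrl
  # only needs the revocation column -- confirm if the expiry column matters.
  expiry=$(TZ=Z date -d "${enddate}" +%Y%m%d%H%M%SZ) || return
  # %y, not %g: %g is the ISO-week year, which is off by one around New Year.
  revoked=$(TZ=Z date -d "${enddate}" +%y%m%d%H%M%SZ) || return
  serial=${serial^^}
  printf 'R\t%s\t%s\t%s\tunknown\tdummy\n' "${expiry}" "${revoked}" "${serial//:}"
}

# thunder prints a banner before and a prompt after the listing; sed drops them.
revokedcerts=$(echo "ls revoked_x509_certs/" | thunder "${db}" | sed '1,3d;$d')
# Word-splitting on the listing is intended: one key per token.
# shellcheck disable=SC2086
for cert in ${revokedcerts}; do
  # Fields are read into variables rather than eval'd: database contents must
  # never be interpreted as shell code, and an eval in a pipeline stage would
  # have set the variables in a subshell and lost them.
  IFS=$'\t' read -r enddate serial < <(
    echo "get revoked_x509_certs/${cert}" | thunder "${db}" | sed '1,3d' \
      | jq -Mr '[.RevokedAt, .Serial] | @tsv'
  ) || continue
  index_line "${enddate}" "${serial}"
done > "${step}/index.txt"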
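# Rebuild the "openssl ca" index (index.txt) from step-ca's MySQL/MariaDB
# database. Requires GNU date (-d), jq and the mysql client; step-ca must be
# stopped first. The mysql client uses its default credential lookup here.
step="/var/lib/step"

#######################################
# Print one "openssl ca" index record for a revoked certificate.
# Arguments: $1 - RevokedAt timestamp (parsed by GNU date -d)
#            $2 - serial as stored by step-ca (colons stripped, upper-cased)
# Outputs:   the tab-separated "R" record on stdout
# Returns:   non-zero if date cannot parse $1
#######################################
index_line() {
  local enddate=$1
  local serial=$2
  local expiry revoked
  # Both the expiration (YYYYMMDDHHMMSSZ) and revocation (YYMMDDHHMMSSZ)
  # columns are derived from RevokedAt, as in the original script; -gencrl
  # only needs the revocation column -- confirm if the expiry column matters.
  expiry=$(TZ=Z date -d "${enddate}" +%Y%m%d%H%M%SZ) || return
  # %y, not %g: %g is the ISO-week year, which is off by one around New Year.
  revoked=$(TZ=Z date -d "${enddate}" +%y%m%d%H%M%SZ) || return
  serial=${serial^^}
  printf 'R\t%s\t%s\t%s\tunknown\tdummy\n' "${expiry}" "${revoked}" "${serial//:}"
}

# Each nvalue row is one JSON document. Fields are extracted with jq and read
# into variables -- never eval'd, so database contents cannot run as shell
# code. A row jq cannot parse is skipped instead of aborting the export.
mysql -Ne 'select nvalue from revoked_x509_certs' step | while IFS= read -r cert; do
  IFS=$'\t' read -r enddate serial \
    < <(jq -Mr '[.RevokedAt, .Serial] | @tsv' <<<"${cert}") || continue
  index_line "${enddate}" "${serial}"
done > "${step}/index.txt"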
# Generate the CRL from index.txt. The root key passphrase is read from the
# file written earlier, so it never appears on the command line or in `ps`.
openssl ca \
  -config /etc/step/openssl.conf \
  -passin file:/etc/step/passwd \
  -gencrl \
  -out /path/to/crl.pem
Add a certificate for OCSP and use it to sign the responses. See `man 1 ocsp`
for details.
# Serve OCSP responses on port 8080 from the rebuilt index.txt, signed with
# the dedicated responder certificate/key; -nmin sets nextUpdate 360 minutes
# ahead and -rmd the digest used to sign responses. openssl's built-in
# responder is described in man 1 ocsp as a test tool, not a production server.
openssl ocsp \
  -index /var/lib/step/index.txt \
  -CA /var/lib/step/certs/root_ca.crt \
  -rsigner /path/to/ocsp.pem -rkey /path/to/ocsp.key \
  -rmd sha256 \
  -nmin 360 \
  -port 8080
| xxd -r -p
😁