Carl Tashian tashian
# This script will launch and configure a step-ca SSH Certificate Authority
# on AWS in an Ubuntu / Debian-based VM with OIDC and AWS provisioners
# See for full instructions
OIDC_CLIENT_ID="[OAuth client ID]" # from Google
OIDC_CLIENT_SECRET="[OAuth client secret]" # from Google
ALLOWED_DOMAIN="[the domain name of the accounts your users will use to sign in to Google]"
tashian /
Last active July 15, 2024 18:59
Install & launch step-ca in AWS on a variety of Linux distros
if [ -f /etc/os-release ]; then
# and systemd
. /etc/os-release
# This script will get an SSH host certificate from our CA and add a weekly
# cron job to rotate the host certificate. It should be run as root.
# See for full instructions
CA_URL="[Your CA URL]"
# Obtain your CA fingerprint by running this on your CA:

How to create and import a root CA key and certificate onto multiple YubiKeys (for backup / cold storage purposes), and use the root CA to sign a new intermediate CA on a different YubiKey that will be used with step-ca for online leaf certificate signing.

You will need:

  • ykman
  • step
  • step-kms-plugin
  • At least three YubiKeys with PIV support. One will be used for an online intermediate CA, and the rest will be for offline root CA backups.

First, on an airgapped machine, generate a key pair on disk:

tashian /
Last active October 10, 2023 20:03
Using a TPM EKcert as input, recursively fetch the TPM CA certificate chain
# Using a TPM EKcert filename as input, this script recursively fetches TPM CA certificates.
# It depends on the EKcert having an AIA (Authority Information Access) Issuer URI field.
# This field is not required and may not be present.
# If available, the CA certificates will be saved into the current directory.
# To use this script, you will need the following programs:
# jq —
# step —
# curl
tashian / step-ca.json
Created January 26, 2021 22:00
Keycloak Client Settings for step-ca
"clientId": "step-ca",
"rootUrl": "",
"adminUrl": "",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"redirectUris": [
tashian / Dockerfile.mongo.ca_bootstrap
Last active October 5, 2021 20:26
A MongoDB Dockerfile that bootstraps with a step-ca Certificate Authority for root CA trust
FROM mongo
RUN apt update; \
apt install -y --no-install-recommends \
curl \
jq \
openssl \
; \
tashian / Dockerfile.mongo.step_ca_bootstrap
Created October 5, 2021 20:24
A MongoDB Dockerfile that bootstraps with a step-ca Certificate Authority for root CA trust, using the step command
FROM smallstep/step-cli as step
FROM mongo
COPY --from=step /usr/local/bin/step /usr/local/bin/
RUN step ca bootstrap --ca-url $CA_URL --fingerprint $CA_FINGERPRINT --install
tashian / loki.yml
Last active May 4, 2021 23:42
Loki configuration for my homelab
# Loki config based on
# The only thing I've changed is the server: block.
auth_enabled: false
http_listen_port: 3100
tashian / prometheus.yml
Last active May 4, 2021 22:38
Prometheus configuration file with TLS support
# my global config
scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
# The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
- job_name: 'prometheus'
# metrics_path defaults to '/metrics'