We use cookies to ensure you get the best experience on our website
Inicio Explorar Axuda
Rexistro Iniciar sesión
0ct0pu5
/
tutorials
1
0
Fork 0
Ficheiros Incidencias 0 Pull Requests 0 Wiki
Árbore: ca5897e814
Ramas Etiquetas
tutorials
/
0746.html

0746.html 9.0 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172 
  1.     <!DOCTYPE html>
    2. 

  2.     <html lang="en" xmlns="http://www.w3.org/1999/xhtml">
    3. 

  3.       <head>
    4. 

  4.         <title>Self-Hosted ACME (Automated Certificate Management Environment) Server with Step-CA on Linux</title>
    5. 

  5.         <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    6. 

  6.         <meta charset="UTF-8">
    7. 

  7.         <meta name="keywords" content="Self-Hosted ACME Server,Self-Hosted Let's Encrypt,Let's Encrypt Alternative,Home Lab,Home Lab Ideas,Install Guide,Self-Hosted,Self-Signed SSL,Self-Signed PKI,Self-Signed HTTPS,Self-Signed Certificate,Public Key Infrastructure,Public Key User Interface,SSL Certificates,Self-Signed,PKI,Linux,IT Security,HTTPS,Debian,Encryption,Certificates,Certificate Authority,Let's Encrypt,ACME,How To,Tutorial,i12bretro">
    8. 

  8.         <meta name="author" content="i12bretro">
    9. 

  9.         <meta name="description" content="Self-Hosted ACME (Automated Certificate Management Environment) Server with Step-CA on Linux">
    10. 

  10.         <meta name="viewport" content="width=device-width, initial-scale=1.0">
    11. 

  11.         <meta name="revised" content="05/06/2022 12:46:52 PM" />
    12. 

  12. 				          <link rel="icon" type="image/x-icon" href="includes/favicon.ico">
    13. 

  13. 				  <script type="text/javascript" src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
    14. 

  14. 				        <script type="text/javascript" src="includes/js/steps.js"></script>
    15. 

  15.         <link href="css/steps.css" rel="stylesheet" type="text/css" />
    16. 

  16.       </head>
    17. 

  17.       <body>
    18. 

  18.         <div id="gridContainer">
    19. 

  19.           <div class="topMargin"></div>
    20. 

  20.           <div id="listName" class="topMargin">
    21. 

  21.             <h1>Self-Hosted ACME (Automated Certificate Management Environment) Server with Step-CA on Linux</h1>
    22. 

  22.           </div>
    23. 

  23.           <div></div>
    24. 

  24.           <div id="content">
    25. 

  25.           <h2>What is Step-CA?</h2>
    26. 

  26. 

  27. <blockquote><em>[Step-CA is] a private certificate authority (X.509 &amp; SSH) &amp; ACME server for secure automated certificate management, so you can use TLS everywhere &amp; SSO for SSH. -<a href="https://github.com/smallstep/certificates" target="_blank">https://github.com/smallstep/certificates</a></em></blockquote>
    28. 

  28. 

  29. <h2>Installing Step-CA and Step-CLI</h2>
    30. 

  30. 

  31. <ol>
    32. 

  32. 	<li>Log into the Linux device</li>
    33. 

  33. 	<li>Run the following commands in a terminal
    34. 

  34. 	<div class="codeBlock"># update software repositories<br />
    35. 

  35. 	sudo apt update<br />
    36. 

  36. 	# install available software updates<br />
    37. 

  37. 	sudo apt upgrade -y<br />
    38. 

  38. 	# clean up downloaded apt files<br />
    39. 

  39. 	sudo apt clean<br />
    40. 

  40. 	# lookup latest steps-ca release URL<br />
    41. 

  41. 	regex=&#39;&quot;browser_download_url&quot;: &quot;(https:\/\/github.com\/smallstep\/certificates\/releases\/download\/[^/]*\/step-ca_[^/]*amd64\.deb)&quot;&#39; &amp;&amp; response=$(curl -H &quot;Accept: application/vnd.github.v3+json&quot; https://api.github.com/repos/smallstep/certificates/releases/latest) &amp;&amp; [[ $response =~ $regex ]] &amp;&amp; downloadURL=&quot;${BASH_REMATCH[1]}&quot;<br />
    42. 

  42. 	# download steps-ca server<br />
    43. 

  43. 	wget -O ./steps-ca.deb $downloadURL<br />
    44. 

  44. 	# install steps-ca server<br />
    45. 

  45. 	sudo dpkg -i ./steps-ca.deb<br />
    46. 

  46. 	# lookup latest steps-cli release URL<br />
    47. 

  47. 	regex=&#39;&quot;browser_download_url&quot;: &quot;(https:\/\/github.com\/smallstep\/cli\/releases\/download\/[^/]*\/step-cli_[^/]*amd64\.deb)&quot;&#39; &amp;&amp; response=$(curl -H &quot;Accept: application/vnd.github.v3+json&quot; https://api.github.com/repos/smallstep/cli/releases/latest) &amp;&amp; [[ $response =~ $regex ]] &amp;&amp; downloadURL=&quot;${BASH_REMATCH[1]}&quot;<br />
    48. 

  48. 	# download steps-cli client<br />
    49. 

  49. 	wget -O ./steps-cli.deb $downloadURL<br />
    50. 

  50. 	# install steps-cli client<br />
    51. 

  51. 	sudo dpkg -i ./steps-cli.deb<br />
    52. 

  52. 	# create the /etc/step-ca directory<br />
    53. 

  53. 	sudo mkdir /etc/step-ca<br />
    54. 

  54. 	# elevate to root user<br />
    55. 

  55. 	sudo su<br />
    56. 

  56. 	# set the step-ca path<br />
    57. 

  57. 	export STEPPATH=/etc/step-ca<span style="display: none;"> </span></div>
    58. 

  58. 	</li>
    59. 

  59. </ol>
    60. 

  60. 

  61. <h2>Initialize A New Certificate Authority</h2>
    62. 

  62. 

  63. <ol>
    64. 

  64. 	<li>Continue with the following commands in a terminal
    65. 

  65. 	<div class="codeBlock"># initilize a CA<br />
    66. 

  66. 	step ca init</div>
    67. 

  67. 	</li>
    68. 

  68. 	<li>Select standalone &gt; press Enter</li>
    69. 

  69. 	<li>Enter a name for the PKI/Certificate Authority [ie i12bretro Certificate Authority] &gt; Press Enter</li>
    70. 

  70. 	<li>Enter the IP address and/or DNS name of the Step-CA host [ie debian.i12bretro.local,192.168.0.57] &gt; Press Enter</li>
    71. 

  71. 	<li>Enter the port for Step-CA to listen on [ie :8443] &gt; Press Enter</li>
    72. 

  72. 	<li>Enter a first provisioner e-mail address [ie i12bretro@i12bretro.local] &gt; Press Enter</li>
    73. 

  73. 	<li>Enter a password for the CA or leave it blank to have a password generated &gt; Press Enter</li>
    74. 

  74. </ol>
    75. 

  75. 

  76. <h2>Installing Step-CA Service/Daemon</h2>
    77. 

  77. 

  78. <ol>
    79. 

  79. 	<li>Continue with the following commands in a terminal
    80. 

  80. 	<div class="codeBlock"># add ACME provisioner<br />
    81. 

  81. 	step ca provisioner add acme --type ACME<br />
    82. 

  82. 	# exit root shell<br />
    83. 

  83. 	exit<br />
    84. 

  84. 	# create password.txt, replace with the CA password<br />
    85. 

  85. 	echo &#39;$YourCAPassword!!&#39; | sudo tee -a /etc/step-ca/password.txt &gt; /dev/null<br />
    86. 

  86. 	# create step-ca user<br />
    87. 

  87. 	sudo useradd --system --home /etc/step-ca --shell /bin/false step-ca<br />
    88. 

  88. 	# set ownership of /etc/step-ca<br />
    89. 

  89. 	sudo chown step-ca:step-ca /etc/step-ca -R<br />
    90. 

  90. 	# limit permissions on the password.txt file<br />
    91. 

  91. 	sudo chmod 400 /etc/step-ca/password.txt<br />
    92. 

  92. 	# create step-ca log directory<br />
    93. 

  93. 	sudo mkdir /var/log/step-ca -p<br />
    94. 

  94. 	# set ownership of step-ca logs<br />
    95. 

  95. 	sudo chown step-ca:step-ca /var/log/step-ca -R<br />
    96. 

  96. 	# edit the ca configuration<br />
    97. 

  97. 	sudo nano /etc/step-ca/config/ca.json<span style="display: none;"> </span></div>
    98. 

  98. 	</li>
    99. 

  99. 	<li>By default, step-ca certificates are only valid for 24 hours. To adjust this, paste the following inside each of the provisioners sections of the ca.json configuration file and adjust the values as needed<span style="display: none;"> </span>
    100. 

  100. 	<p>&quot;claims&quot;: {<br />
    101. 

  101. 	 &quot;maxTLSCertDuration&quot;:&quot;26280h&quot;,<br />
    102. 

  102. 	 &quot;defaultTLSCertDuration&quot;:&quot;8760h&quot;<br />
    103. 

  103. 	},</p>
    104. 

  104. 	</li>
    105. 

  105. 	<li>Press CTRL+O, Enter, CTRL+X to write the changes and close nano</li>
    106. 

  106. 	<li>Continue with the following commands in a terminal
    107. 

  107. 	<div class="codeBlock"># create service file<br />
    108. 

  108. 	sudo nano /etc/systemd/system/step-ca.service</div>
    109. 

  109. 	</li>
    110. 

  110. 	<li>Paste the following configuration into step-ca.service
    111. 

  111. 	<p>[Unit]<br />
    112. 

  112. 	Description=step-ca service<br />
    113. 

  113. 	After=network.target<br />
    114. 

  114. 	StartLimitIntervalSec=0</p>
    115. 

  115. 

  116. 	<p>[Service]<br />
    117. 

  117. 	Type=simple<br />
    118. 

  118. 	Restart=always<br />
    119. 

  119. 	RestartSec=1<br />
    120. 

  120. 	User=step-ca<br />
    121. 

  121. 	Group=step-ca<br />
    122. 

  122. 	Environment=STEPPATH=/etc/step-ca<br />
    123. 

  123. 	ExecStart=/bin/sh -c &quot;/usr/bin/step-ca ${STEPPATH}/config/ca.json --password-file=${STEPPATH}/password.txt &gt;&gt; /var/log/step-ca/step-ca.log 2&gt;&amp;1&quot;</p>
    124. 

  124. 

  125. 	<p>[Install]<br />
    126. 

  126. 	WantedBy=multi-user.target</p>
    127. 

  127. 	</li>
    128. 

  128. 	<li>Press CTRL+O, Enter, CTRL+X to write the changes and close nano</li>
    129. 

  129. 	<li>Continue with the following commands to enable and start the service:
    130. 

  130. 	<div class="codeBlock"># reload systemd services<br />
    131. 

  131. 	sudo systemctl daemon-reload<br />
    132. 

  132. 	# start step-ca service on boot and now<br />
    133. 

  133. 	sudo systemctl enable step-ca --now</div>
    134. 

  134. 	</li>
    135. 

  135. </ol>
    136. 

  136. 

  137. <h2>Automating Certificate Requests</h2>
    138. 

  138. 

  139. <ol>
    140. 

  140. 	<li>Log into the server needing to request a certificate</li>
    141. 

  141. 	<li>Continue following commands in a terminal window
    142. 

  142. 	<div class="codeBlock"># copy the step-ca root certificate to trusted certs<br />
    143. 

  143. 	sudo cp /etc/step-ca/certs/root_ca.crt /usr/local/share/ca-certificates/<br />
    144. 

  144. 	# copy the step-ca intermediate certificate to trusted certs<br />
    145. 

  145. 	sudo cp /etc/step-ca/certs/intermediate_ca.crt /usr/local/share/ca-certificates/<br />
    146. 

  146. 	# update ca certs<br />
    147. 

  147. 	sudo update-ca-certificates<br />
    148. 

  148. 	# remove apt version of certbot if installed<br />
    149. 

  149. 	sudo apt remove certbot -y<br />
    150. 

  150. 	# install snapd<br />
    151. 

  151. 	sudo apt install snapd -y<br />
    152. 

  152. 	# install snap core and update<br />
    153. 

  153. 	sudo snap install core; sudo snap refresh core<br />
    154. 

  154. 	# install certbot snap<br />
    155. 

  155. 	sudo snap install --classic certbot<br />
    156. 

  156. 	# create certbot symbolic link<br />
    157. 

  157. 	sudo ln -s /snap/bin/certbot /usr/bin/certbot<br />
    158. 

  158. 	# request the certificate<br />
    159. 

  159. 	sudo REQUESTS_CA_BUNDLE=/etc/step-ca/certs/root_ca.crt certbot certonly --standalone -d &lt;%host%&gt; --server https://&lt;%step-ca-host%&gt;:&lt;%step-ca-port%&gt;/acme/acme/directory</div>
    160. 

  160. 	</li>
    161. 

  161. 	<li>When prompted, enter an email address and agree to the terms of service</li>
    162. 

  162. 	<li>Choose whether to share your email and receive emails from certbot</li>
    163. 

  163. 	<li>Certbot will output information regarding the location of the certificate files</li>
    164. 

  164. </ol>
    165. 

  165. 

  166. <p>Sources: <a href="https://smallstep.com/docs/step-ca/installation" target="_blank">https://smallstep.com/docs/step-ca/installation</a><br />
    167. 

  167. <a href="https://certbot.eff.org/instructions?ws=other&amp;os=debianbuster" target="_blank">https://certbot.eff.org/instructions?ws=other&amp;os=debianbuster</a><br />
    168. 

  168. <a href="https://smallstep.com/docs/tutorials/acme-challenge/" target="_blank">https://smallstep.com/docs/tutorials/acme-challenge/</a></p>          </div>
    169. 

  169.         </div>
    170. 

  170.       </body>
    171. 

  171.     </html>
    172. 

  172.   
    173.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5