0ct0pu5
/
tutorials


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176
							    <!DOCTYPE html>
    <html lang="en" xmlns="http://www.w3.org/1999/xhtml">
      <head>
        <title>Self-Hosted ACME (Automated Certificate Management Environment) Server with Step-CA on Linux</title>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
        <meta charset="UTF-8">
        <meta name="keywords" content="Self-Hosted ACME Server,Self-Hosted Let's Encrypt,Let's Encrypt Alternative,Home Lab,Home Lab Ideas,Install Guide,Self-Hosted,Self-Signed SSL,Self-Signed PKI,Self-Signed HTTPS,Self-Signed Certificate,Public Key Infrastructure,Public Key User Interface,SSL Certificates,Self-Signed,PKI,Linux,IT Security,HTTPS,Debian,Encryption,Certificates,Certificate Authority,Let's Encrypt,ACME,How To,Tutorial,i12bretro">
        <meta name="author" content="i12bretro">
        <meta name="description" content="Self-Hosted ACME (Automated Certificate Management Environment) Server with Step-CA on Linux">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
        <meta name="revised" content="08/11/2023 04:10:24 PM" />
				          <link rel="icon" type="image/x-icon" href="includes/favicon.ico">
				  <script type="text/javascript" src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
				        <script type="text/javascript" src="includes/js/steps.js"></script>
        <link href="css/steps.css" rel="stylesheet" type="text/css" />
      </head>
      <body>
        <div id="gridContainer">
          <div class="topMargin"></div>
          <div id="listName" class="topMargin">
            <h1>Self-Hosted ACME (Automated Certificate Management Environment) Server with Step-CA on Linux</h1>
          </div>
          <div></div>
          <div id="content">
          <h2>What is Step-CA?</h2>

<blockquote><em>[Step-CA is] a private certificate authority (X.509 &amp; SSH) &amp; ACME server for secure automated certificate management, so you can use TLS everywhere &amp; SSO for SSH. -<a href="https://github.com/smallstep/certificates" target="_blank">https://github.com/smallstep/certificates</a></em></blockquote>

<h2>Installing Step-CA and Step-CLI</h2>

<ol>
	<li>Log into the Linux device</li>
	<li>Run the following commands in a terminal
	<div class="codeBlock"># update software repositories<br />
	sudo apt update<br />
	# install available software updates<br />
	sudo apt upgrade -y<br />
	# install prerequisites<br />
	sudo apt install curl wget -y<br />
	# clean up downloaded apt files<br />
	sudo apt clean<br />
	# lookup latest steps-ca release URL<br />
	regex=&#39;&quot;browser_download_url&quot;: &quot;(https:\/\/github.com\/smallstep\/cli\/releases\/download\/[^/]*\/step-cli_[^/]*amd64\.deb)&quot;&#39; &amp;&amp; response=$(curl -H &quot;Accept: application/vnd.github.v3+json&quot; https://api.github.com/repos/smallstep/cli/releases/latest) &amp;&amp; [[ $response =~ $regex ]] &amp;&amp; downloadURL=&quot;${BASH_REMATCH[1]}&quot;<br />
	# download steps-ca server<br />
	wget -O ./steps-ca.deb $downloadURL<br />
	# install steps-ca server<br />
	sudo dpkg -i ./steps-ca.deb<br />
	# lookup latest steps-cli release URL<br />
	regex=&#39;&quot;browser_download_url&quot;: &quot;(https:\/\/github.com\/smallstep\/cli\/releases\/download\/[^/]*\/step-cli_[^/]*amd64\.deb)&quot;&#39; &amp;&amp; response=$(curl -H &quot;Accept: application/vnd.github.v3+json&quot; https://api.github.com/repos/smallstep/cli/releases/latest) &amp;&amp;
	
	&amp;&amp; downloadURL=&quot;${BASH_REMATCH[1]}&quot;<br />
	# download steps-cli client<br />
	wget -O ./steps-cli.deb $downloadURL<br />
	# install steps-cli client<br />
	sudo dpkg -i ./steps-cli.deb<br />
	# create the /etc/step-ca directory<br />
	sudo mkdir /etc/step-ca<br />
	# elevate to root user<br />
	sudo su<br />
	# set the step-ca path<br />
	export STEPPATH=/etc/step-ca<span style="display: none;"> </span></div>
	</li>
</ol>

<h2>Initialize A New Certificate Authority</h2>

<ol>
	<li>Continue with the following commands in a terminal
	<div class="codeBlock"># initilize a CA<br />
	step ca init</div>
	</li>
	<li>Select standalone &gt; press Enter</li>
	<li>Enter a name for the PKI/Certificate Authority [ie i12bretro Certificate Authority] &gt; Press Enter</li>
	<li>Enter the IP address and/or DNS name of the Step-CA host [ie debian.i12bretro.local,192.168.0.57] &gt; Press Enter</li>
	<li>Enter the port for Step-CA to listen on [ie :8443] &gt; Press Enter</li>
	<li>Enter a first provisioner e-mail address [ie i12bretro@i12bretro.local] &gt; Press Enter</li>
	<li>Enter a password for the CA or leave it blank to have a password generated &gt; Press Enter</li>
</ol>

<h2>Installing Step-CA Service/Daemon</h2>

<ol>
	<li>Continue with the following commands in a terminal
	<div class="codeBlock"># add ACME provisioner<br />
	step ca provisioner add acme --type ACME<br />
	# exit root shell<br />
	exit<br />
	# create password.txt, replace with the CA password<br />
	echo &#39;$YourCAPassword!!&#39; | sudo tee -a /etc/step-ca/password.txt &gt; /dev/null<br />
	# create step-ca user<br />
	sudo useradd --system --home /etc/step-ca --shell /bin/false step-ca<br />
	# set ownership of /etc/step-ca<br />
	sudo chown step-ca:step-ca /etc/step-ca -R<br />
	# limit permissions on the password.txt file<br />
	sudo chmod 400 /etc/step-ca/password.txt<br />
	# create step-ca log directory<br />
	sudo mkdir /var/log/step-ca -p<br />
	# set ownership of step-ca logs<br />
	sudo chown step-ca:step-ca /var/log/step-ca -R<br />
	# edit the ca configuration<br />
	sudo nano /etc/step-ca/config/ca.json<span style="display: none;"> </span></div>
	</li>
	<li>By default, step-ca certificates are only valid for 24 hours. To adjust this, paste the following inside each of the provisioners sections of the ca.json configuration file and adjust the values as needed<span style="display: none;"> </span>
	<p>&quot;claims&quot;: {<br />
	&quot;maxTLSCertDuration&quot;:&quot;26280h&quot;,<br />
	&quot;defaultTLSCertDuration&quot;:&quot;8760h&quot;<br />
	},</p>
	</li>
	<li>Press CTRL+O, Enter, CTRL+X to write the changes and close nano</li>
	<li>Continue with the following commands in a terminal
	<div class="codeBlock"># create service file<br />
	sudo nano /etc/systemd/system/step-ca.service</div>
	</li>
	<li>Paste the following configuration into step-ca.service
	<p>[Unit]<br />
	Description=step-ca service<br />
	After=network.target<br />
	StartLimitIntervalSec=0</p>

	<p>[Service]<br />
	Type=simple<br />
	Restart=always<br />
	RestartSec=1<br />
	User=step-ca<br />
	Group=step-ca<br />
	Environment=STEPPATH=/etc/step-ca<br />
	ExecStart=/bin/sh -c &quot;/usr/bin/step-ca ${STEPPATH}/config/ca.json --password-file=${STEPPATH}/password.txt &gt;&gt; /var/log/step-ca/step-ca.log 2&gt;&amp;1&quot;</p>

	<p>[Install]<br />
	WantedBy=multi-user.target</p>
	</li>
	<li>Press CTRL+O, Enter, CTRL+X to write the changes and close nano</li>
	<li>Continue with the following commands to enable and start the service:
	<div class="codeBlock"># reload systemd services<br />
	sudo systemctl daemon-reload<br />
	# start step-ca service on boot and now<br />
	sudo systemctl enable step-ca --now</div>
	</li>
</ol>

<h2>Automating Certificate Requests</h2>

<ol>
	<li>Log into the server needing to request a certificate</li>
	<li>Continue following commands in a terminal window
	<div class="codeBlock"># copy the step-ca root certificate to trusted certs<br />
	sudo cp /etc/step-ca/certs/root_ca.crt /usr/local/share/ca-certificates/<br />
	# copy the step-ca intermediate certificate to trusted certs<br />
	sudo cp /etc/step-ca/certs/intermediate_ca.crt /usr/local/share/ca-certificates/<br />
	# update ca certs<br />
	sudo update-ca-certificates<br />
	# remove apt version of certbot if installed<br />
	sudo apt remove certbot -y<br />
	# install snapd<br />
	sudo apt install snapd -y<br />
	# install snap core and update<br />
	sudo snap install core; sudo snap refresh core<br />
	# install certbot snap<br />
	sudo snap install --classic certbot<br />
	# create certbot symbolic link<br />
	sudo ln -s /snap/bin/certbot /usr/bin/certbot<br />
	# request the certificate<br />
	sudo REQUESTS_CA_BUNDLE=/etc/step-ca/certs/root_ca.crt certbot certonly --standalone -d &lt;%host%&gt; --server https://&lt;%step-ca-host%&gt;:&lt;%step-ca-port%&gt;/acme/acme/directory</div>
	</li>
	<li>When prompted, enter an email address and agree to the terms of service</li>
	<li>Choose whether to share your email and receive emails from certbot</li>
	<li>Certbot will output information regarding the location of the certificate files</li>
</ol>

<p>Sources: <a href="https://smallstep.com/docs/step-ca/installation" target="_blank">https://smallstep.com/docs/step-ca/installation</a><br />
<a href="https://certbot.eff.org/instructions?ws=other&amp;os=debianbuster" target="_blank">https://certbot.eff.org/instructions?ws=other&amp;os=debianbuster</a><br />
<a href="https://smallstep.com/docs/tutorials/acme-challenge/" target="_blank">https://smallstep.com/docs/tutorials/acme-challenge/</a></p>          </div>
        </div>
      </body>
    </html>