
Step-CA

Setup

You can interact with the running Step-CA instance using the Step CLI.

Install using apt-get
apt-get update && apt-get install -y --no-install-recommends curl vim gpg ca-certificates
curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg -o /etc/apt/trusted.gpg.d/smallstep.asc && \
    echo 'deb [signed-by=/etc/apt/trusted.gpg.d/smallstep.asc] https://packages.smallstep.com/stable/debian debs main' \
    | tee /etc/apt/sources.list.d/smallstep.list
apt-get update && apt-get -y install step-cli step-ca

Fingerprint

The CA root fingerprint is necessary to bootstrap clients with the step CLI: it pins the root certificate, so a client can fetch the root over the network and still reject a CA that does not match. Run the following on the CA host, where $(step path) resolves to the CA's configuration directory.

Get the CA fingerprint
step certificate fingerprint $(step path)/certs/root_ca.crt

Bootstrap

Each client (workstation or server) then has to be bootstrapped so that it points at the running Step-CA instance and trusts its root.

Bootstrap the step-ca CLI
step ca bootstrap --ca-url https://janus.john-stream.com --install \
    --fingerprint 2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6

Bootstrap downloads the root certificate to $(step path)/certs/root_ca.crt, verifies it against --fingerprint and writes the CA URL to $(step path)/config/defaults.json. The --install flag additionally puts the root CA into the system trust store; without it only the step CLI trusts the root.

SSH Certs Usage

Advantages of SSH certs
  • Centralized access management - issuance is controlled by the CA, certificates can be short-lived, and they can be revoked (sshd RevokedKeys).
  • Additional security through the restrictions around how the certificates can be used. Both user and host certificates can be restricted in various ways:
    • Hostnames/IP address
    • Usernames
    • Validity period
  • User certificates can grant access to multiple usernames.
  • User certificates allow multiple users to be trusted through a single user CA.
  • Host certificates avoid clients having to verify host keys (or blindly trusting them on the first connection, as is common).
  • Host certificates allow multiple hosts to be trusted through a single host CA.

Client

This assumes an ed25519 key pair already exists at ~/.ssh/id_ed25519 (for example from ssh-keygen -t ed25519). Signing does not touch the private key; the certificate is written next to the public key as ~/.ssh/id_ed25519-cert.pub and ssh picks it up automatically.

Sign the user SSH certificate
step ssh certificate --sign \
    --provisioner admin \
    --principal john \
    --principal root \
    john ~/.ssh/id_ed25519.pub
Make the client trust servers with certs from the host CA
(umask 022; cat <<EOF > ~/.ssh/known_hosts
@cert-authority *.john-stream.com $(step ssh config --host --roots)
EOF
)

Note that this replaces ~/.ssh/known_hosts; on a client that already has entries, append (>>) instead. The host pattern limits which servers the host CA may vouch for, so keep it as narrow as the domain allows.

Host

Get the CA for user SSH certificates
step ssh config --roots > /etc/ssh/ssh_user_ca.pub
Sign the host SSH certificate
HOSTNAME=$(hostname -s) && \
step ssh certificate --sign --host \
    --provisioner admin \
    --principal "$HOSTNAME" \
    --principal "$HOSTNAME.john-stream.com" \
    "$HOSTNAME" /etc/ssh/ssh_host_ed25519_key.pub

The --host flag is required so the CA issues a host certificate rather than a user certificate. The signed certificate is written next to the host key as /etc/ssh/ssh_host_ed25519_key-cert.pub; the private key is not modified.

Host cert configuration
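The signing steps above produce the files but do not tell sshd to use them, and the client known_hosts heredoc rewrites the file on every run. The script below is an added example, not from the page or from smallstep: it appends the @cert-authority line idempotently, writes an sshd drop-in with TrustedUserCAKeys and HostCertificate, and refuses to continue if a file is missing or the "host certificate" is actually a bare public key. The drop-in path /etc/ssh/sshd_config.d/50-step-ca.conf and the host cert path /etc/ssh/ssh_host_ed25519_key-cert.pub are assumptions; the drop-in relies on sshd_config containing an Include for sshd_config.d, which recent Debian and Ubuntu ship by default.

```bash
#!/usr/bin/env bash
# Added example (not from the original page or from smallstep): wire the
# step-ca SSH material into OpenSSH idempotently. Assumed paths: the user CA
# written by `step ssh config --roots`, the host cert that
# `step ssh certificate --host` writes next to the host key, and an
# sshd_config.d drop-in (assumes sshd_config has Include /etc/ssh/sshd_config.d/*.conf).
set -eu

# Append an @cert-authority line for a host CA key to a known_hosts file,
# unless an identical line is already there (re-runs must not duplicate it).
# $1 known_hosts path, $2 host pattern, $3 host CA public key on one line,
# as printed by `step ssh config --host --roots`.
trust_host_ca() {
  local known_hosts=$1 pattern=$2 ca_key=$3
  local line="@cert-authority $pattern $ca_key"
  mkdir -p "$(dirname "$known_hosts")"
  touch "$known_hosts"
  if ! grep -qxF -- "$line" "$known_hosts"; then
    printf '%s\n' "$line" >> "$known_hosts"
  fi
}

# Return 0 only if the first field of the file is an OpenSSH certificate type
# (e.g. ssh-ed25519-cert-v01@openssh.com), i.e. the file is a cert, not a key.
host_cert_is_cert() {
  local f=$1
  awk 'NR==1 && $1 ~ /-cert-v01@openssh\.com$/ {found=1} END {exit found ? 0 : 1}' "$f"
}

# Write the sshd drop-in that (a) trusts user certificates signed by the user
# CA and (b) presents the host certificate to clients. The whole file is
# rewritten so repeated runs converge on exactly one copy of each directive.
# $1 drop-in path, $2 user CA public key file, $3 host certificate file.
write_sshd_ca_config() {
  local conf=$1 user_ca=$2 host_cert=$3
  [ -s "$user_ca" ] || { echo "missing user CA file: $user_ca" >&2; return 1; }
  [ -s "$host_cert" ] || { echo "missing host cert: $host_cert" >&2; return 1; }
  host_cert_is_cert "$host_cert" || { echo "not an OpenSSH certificate: $host_cert" >&2; return 1; }
  mkdir -p "$(dirname "$conf")"
  cat > "$conf" <<EOF
# step-ca SSH trust (generated; do not edit by hand)
# With AuthorizedPrincipalsFile unset, sshd matches the certificate's
# principals against the login username, so the --principal values chosen
# at signing time decide which accounts a user certificate can reach.
TrustedUserCAKeys $user_ca
HostCertificate $host_cert
EOF
}

# Real paths are only touched when explicitly requested (run as root):
#   APPLY_SSH_CA=1 ./ssh-ca-setup.sh
if [ "${APPLY_SSH_CA:-0}" = 1 ]; then
  write_sshd_ca_config /etc/ssh/sshd_config.d/50-step-ca.conf \
    /etc/ssh/ssh_user_ca.pub /etc/ssh/ssh_host_ed25519_key-cert.pub
  # Validate the merged configuration before reloading sshd.
  sshd -t
fi
```

After running it with APPLY_SSH_CA=1, reload sshd and check from a client with ssh -v that the server's host key is reported as a certificate; if sshd -t complains about the drop-in directives, the Include line is missing from sshd_config and the two directives can be placed there instead.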

TLS Certs Usage

Generate a new certificate and key for this host
HOSTNAME=$(hostname -s)
step ca certificate $HOSTNAME cert.pem key.pem \
    --provisioner admin \
    --san $HOSTNAME.john-stream.com \
    --not-after=24h

With --not-after=24h the certificate expires after a day, which keeps the blast radius of a leaked key small but means it must be renewed before it expires; step ca renew (with --daemon for automatic renewal) rotates cert.pem and key.pem using the existing certificate as the credential, so no provisioner password is needed at renewal time.