Step local CA
Tue, Jan 7, 2020 · 5 minute read · linux, security
Step certificates
The Open Source step certificates project provides the infrastructure, automations, and workflows to securely create and operate a private certificate authority. Step certificates makes it easy for developers, operators and security teams to manage certificates for production workloads.
References:
Step and SSH
Step and ACME
Everything about PKI
Install
By package
# wget https://github.com/smallstep/cli/releases/download/v0.13.3/step-cli_0.13.3_amd64.deb
# dpkg -i step-cli_0.13.3_amd64.deb
Or manual (my preference)
# wget https://github.com/smallstep/cli/releases/download/v0.13.3/step_0.13.3_linux_amd64.tar.gz
# tar xvzf step_0.13.3_linux_amd64.tar.gz
step_0.13.3/
step_0.13.3/README.md
step_0.13.3/bin/
step_0.13.3/bin/step
# cp step_0.13.3/bin/step /usr/local/bin
Configure
You should now have both the Step CLI and the step-ca server installed; check their versions:
step version
step-ca version
If running in a container, use setcap to allow step-ca to bind port 443 without running as root:
setcap cap_net_bind_service=+ep /usr/bin/step-ca
Initialise the CA. We do this as a non-root user:
alan@ca:~$ step ca init
What would you like to name your new PKI? (e.g. Smallstep): Local Bits
What DNS names or IP addresses would you like to add to your new CA? (e.g. ca.smallstep.com[,1.1.1.1,etc.]): ca.local.bits
What address will your new CA listen at? (e.g. :443): ca.local.bits:443
What would you like to name the first provisioner for your new CA? (e.g. you@smallstep.com): alan@bespoke-it.solutions
What do you want your password to be? [leave empty and we'll generate one]:
Generating root certificate...
all done!
Generating intermediate certificate...
all done!
Root certificate: /home/alan/.step/certs/root_ca.crt
Root private key: /home/alan/.step/secrets/root_ca_key
Root fingerprint: a94e076a641866d78f904e86d52c8227c86454xxxxx
Intermediate certificate: /home/alan/.step/certs/intermediate_ca.crt
Intermediate private key: /home/alan/.step/secrets/intermediate_ca_key
Default configuration: /home/alan/.step/config/defaults.json
Certificate Authority configuration: /home/alan/.step/config/ca.json
Database: /home/alan/.step/db
Your PKI is ready to go. To generate certificates for individual services see 'step help ca'.
FEEDBACK
The step utility is not instrumented for usage statistics. It does not
phone home. But your feedback is extremely valuable. Any information you
can provide regarding how you're using `step` helps. Please send us a
sentence or two, good or bad: feedback@smallstep.com or join
https://gitter.im/smallstep/community.
The Step root cert will need to be installed on every client …
# Install Step (CLI only) as above (as root)
$ export STEPPATH=$(step path)
$ step certificate fingerprint $(step path)/certs/root_ca.crt
a94e076a641866d78f904e86d52c8227c8645415ca873
$ FP=a94e076a641866d78f904e86d52c8227c8645415ca873
$ step ca bootstrap --fingerprint $FP --ca-url "https://ca.local.bits"
The root certificate has been saved in /home/alan/.step/certs/root_ca.crt.
Your configuration has been saved in /home/alan/.step/config/defaults.json.
Add the root cert to the system trust store on Linux (desktop browsers keep their own stores; see the browser note below):
$ sudo step certificate install $(step path)/certs/root_ca.crt
Certificate /home/xxx/.step/certs/root_ca.crt has been installed.
X.509v3 Root CA Certificate (ECDSA P-256) [Serial: 2030...9838]
Subject: Local Bits Root CA
Issuer: Local Bits Root CA
Valid from: 2019-12-24T13:58:24Z
to: 2029-12-21T13:58:24Z
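The bootstrap above pins the CA by its root fingerprint, so the value of the exercise depends on that fingerprint being obtained out-of-band (read off the CA host, not from the CA over the network). The script below, an added example that is not part of the original post or of smallstep's tooling, wraps the client-side steps so they fail closed: it refuses to run without an expected fingerprint, bootstraps with it, then independently re-computes the fingerprint of the saved root certificate before installing it into the system trust store. The CA URL and the `REPLACE_WITH_ROOT_FINGERPRINT` placeholder are assumptions to be replaced with your own values; the `step` subcommands are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original post): bootstrap a client against the
# local step CA with a pinned root fingerprint, and fail closed if the
# fingerprint obtained out-of-band does not match what the CA served.
# Assumes: step CLI installed (see Install); CA URL and fingerprint below are
# placeholders to be replaced with your own values.
set -eu

CA_URL="${CA_URL:-https://ca.local.bits}"
# Expected root fingerprint, obtained out-of-band (e.g. read off the CA host
# with 'step certificate fingerprint'); placeholder, not a real fingerprint.
EXPECTED_FP="${EXPECTED_FP:-REPLACE_WITH_ROOT_FINGERPRINT}"

# Normalise a fingerprint for comparison: drop colons and whitespace, lowercase.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n\t' | tr 'A-F' 'a-f'
}

# Return 0 when two fingerprints are the same digest, 1 otherwise.
# An empty expected value never matches: missing pin means no trust decision.
fingerprints_match() {
    [ -n "$1" ] || return 1
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Bootstrap the client, then independently re-check the saved root certificate.
bootstrap_client() {
    case "$EXPECTED_FP" in
        REPLACE_WITH_*|"") echo "set EXPECTED_FP first" >&2; return 2 ;;
    esac
    step ca bootstrap --ca-url "$CA_URL" --fingerprint "$EXPECTED_FP"
    root="$(step path)/certs/root_ca.crt"
    actual="$(step certificate fingerprint "$root")"
    if ! fingerprints_match "$EXPECTED_FP" "$actual"; then
        echo "root fingerprint mismatch: expected $EXPECTED_FP got $actual" >&2
        rm -f "$root"   # do not leave an unverified root on disk
        return 1
    fi
    sudo step certificate install "$root"
}

# Only run the bootstrap when explicitly asked, so the file can be sourced
# for its helper functions.
if [ "${1:-}" = "--run" ]; then
    bootstrap_client
fi
```

Run it as `EXPECTED_FP=<fingerprint from the CA host> sh bootstrap.sh --run`. `step ca bootstrap --fingerprint` already rejects a root whose fingerprint differs; the second check only guards against the root file being replaced between bootstrap and install.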
Caddy
Configure the Caddyfile to use the local CA as its ACME endpoint:
tls {
ca https://ca.local.bits/acme/acme/directory
}
Configure the local CA to issue ACME certificates.
ACME is a type of provisioner, created by running this on the CA server:
step ca provisioner add acme --type ACME
Note:
Caddy (v1) does not read environment variables so articles suggesting setting LEGO_CA_CERTIFICATES before starting Caddy are bogus.
If you try that you will see something like this:
$ LEGO_CA_CERTIFICATES=$(step path)/certs/root_ca.crt
$ /opt/caddy/bin/caddy -conf /opt/caddy/conf/site.conf -log /opt/caddy/log/caddy.log -agree
Activating privacy features...2019/12/26 08:58:35 get directory at 'https://ca.local.bits/acme/acme/directory': failed to get json "https://ca.local.bits/acme/acme/directory": Get https://ca.local.bits/acme/acme/directory: x509: certificate signed by unknown authority
Certs for other services
Assuming the Step CLI is installed (see above) and bootstrapped, provision a certificate, e.g.
step ca certificate onlyoffice.local.bits onlyoffice.crt onlyoffice.key --provisioner acme
Provisioner: acme (ACME)
Using Standalone Mode HTTP challenge to validate onlyoffice.local.bits .. done!
Waiting for Order to be 'ready' for finalization .. done!
Finalizing Order .. done!
Certificate: site-nextcloud.crt
Private Key: site-nextcloud.key
Certificates can be renewed in a similar way.
Assuming the terminal is in the same directory as the original certs (or specify full paths to the .crt and .key):
step ca renew onlyoffice.crt onlyoffice.key
Cert renewal can also be wrapped up in a systemd service:
[Unit]
Description=Automated certificate management
After=network.target
StartLimitIntervalSec=0
[Service]
Type=simple
Restart=always
RestartSec=1
User=root
ExecStart=/usr/local/bin/step ca renew --daemon /root/.step/certs/onlyoffice.crt /root/.step/certs/onlyoffice.key
[Install]
WantedBy=multi-user.target
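As an added example (not from the original post, and not smallstep's own tooling), the unit above can be generated per service from a small script. Two things a practitioner would want beyond the unit above are covered: a reload command passed to `step ca renew --exec` so the service actually picks up the renewed certificate, and `Restart=on-failure` with a 30 s back-off instead of `Restart=always` with `RestartSec=1` and no start limit, which spins if the CA is unreachable. It assumes `step` lives at /usr/local/bin/step (as installed above) and that the installed release supports `--exec` (current releases do; check `step ca renew --help`); the service name, certificate paths and the `systemctl reload nginx` reload command are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate a systemd unit that keeps
# one service's certificate renewed with 'step ca renew --daemon', generalising
# the single unit above to a per-service template. Assumes the step CLI is at
# /usr/local/bin/step and supports '--exec' (present in current releases); the
# service name, paths and reload command are placeholders.
set -eu

# Print a unit file to stdout.
#   $1 service name used in the unit name and description (e.g. onlyoffice)
#   $2 certificate path, $3 private key path
#   $4 command step runs after each successful renewal so the service picks up
#      the new certificate (e.g. "systemctl reload nginx")
#   $5 user to run as (defaults to root, as in the unit above; the key must be
#      readable by this user and the reload command runnable by it)
render_renew_unit() {
    svc="$1"; crt="$2"; key="$3"; reload_cmd="$4"; user="${5:-root}"
    cat <<EOF
[Unit]
Description=Certificate renewal for ${svc}
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=${user}
# Back off instead of spinning if the CA is unreachable or the cert is invalid.
Restart=on-failure
RestartSec=30
ExecStart=/usr/local/bin/step ca renew --daemon --exec "${reload_cmd}" ${crt} ${key}

[Install]
WantedBy=multi-user.target
EOF
}

# Write the unit for a service and enable it; requires root.
install_renew_unit() {
    unit="/etc/systemd/system/step-renew-$1.service"
    render_renew_unit "$@" > "$unit"
    chmod 0644 "$unit"
    systemctl daemon-reload
    systemctl enable --now "step-renew-$1.service"
}

if [ "${1:-}" = "--run" ]; then
    # Placeholder values for the onlyoffice host from the post.
    install_renew_unit onlyoffice /root/.step/certs/onlyoffice.crt \
        /root/.step/certs/onlyoffice.key "systemctl reload nginx"
fi
```

`render_renew_unit` only prints, so you can inspect the result before `install_renew_unit` writes it under /etc/systemd/system and enables it.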
Browsers - Firefox + Vivaldi
On Linux, browsers do not typically use the system trust store and will return SEC_ERROR_UNKNOWN_ISSUER.
NOTE: thanks to https://thomas-leister.de/en/how-to-import-ca-root-certificate/ for the solution.
Browsers keep their own trust store instead of using the system one. By default this is cert9.db (cert8.db for older versions) under the user's home directory, and it can be updated with certutil:
$ sudo apt install libnss3-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed
libnss3-tools
0 to upgrade, 1 to newly install, 0 to remove and 88 not to upgrade.
Need to get 872 kB of archives.
After this operation, 4,249 kB of additional disk space will be used.
Get:1 http://gb.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 libnss3-tools amd64 2:3.35-2ubuntu2.6 [872 kB]
Fetched 872 kB in 1s (969 kB/s)
Selecting previously unselected package libnss3-tools.
(Reading database ... 212306 files and directories currently installed.)
Preparing to unpack .../libnss3-tools_2%3a3.35-2ubuntu2.6_amd64.deb ...
Unpacking libnss3-tools (2:3.35-2ubuntu2.6) ...
Setting up libnss3-tools (2:3.35-2ubuntu2.6) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Locate the cert9 databases:
$ find ~/ -name cert9.db -ls
4982275 512 -rw------- 1 alan alan 524288 Dec 26 17:20 /home/alan/.mozilla/firefox/8xdvisko.default/cert9.db
5111969 28 -rw------- 1 alan alan 28672 May 14 2018 /home/alan/.pki/nssdb/cert9.db
The Mozilla trust store was updated using the Firefox GUI
(Privacy -> View Certificates -> Authorities -> Import),
but it could just as easily have been updated using the same certutil procedure as below for Vivaldi:
$ certutil -A -n "Local Bits CA" -t "TCu,Cu,Tu" -i ./root_ca.crt -d sql:/home/alan/.pki/nssdb
Notice: Trust flag u is set automatically if the private key is present.
Following the update, no more warnings!
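Putting the certutil step into a script, as an added example that is not part of the original post or of smallstep's tooling: it locates every cert9.db under the home directory (the two found above, for instance), imports the root CA into each as a trusted CA for TLS server authentication, and skips databases that already hold the nickname so it can be re-run safely. It uses the trust flags `C,,` (CA trusted for SSL only) rather than the broader `TCu,Cu,Tu` above, which is all a server-certificate root needs; the root certificate path and the nickname are assumptions to adjust.

```shell
#!/bin/sh
# Added example (not from the original post): import the step root CA into every
# NSS certificate database under the current user's home directory, so Firefox
# and Chromium-based browsers such as Vivaldi (~/.pki/nssdb) stop returning
# SEC_ERROR_UNKNOWN_ISSUER. Assumes libnss3-tools is installed; the root
# certificate path and nickname below are placeholders to adjust.
set -eu

ROOT_CA="${ROOT_CA:-${HOME:-.}/.step/certs/root_ca.crt}"
NICK="${NICK:-Local Bits CA}"

# Convert a cert9.db path into the "sql:<dir>" database spec certutil expects.
nssdb_spec() {
    printf 'sql:%s\n' "$(dirname "$1")"
}

# Import the root CA as a trusted CA for TLS server certificates only
# ("C" for SSL, nothing for email or object signing). Skip databases that
# already contain the nickname so the script is idempotent.
import_root_ca() {
    db="$(nssdb_spec "$1")"
    if certutil -L -d "$db" -n "$NICK" >/dev/null 2>&1; then
        echo "$db: '$NICK' already present, skipping"
        return 0
    fi
    certutil -A -d "$db" -n "$NICK" -t "C,," -i "$ROOT_CA"
    echo "$db: imported '$NICK'"
}

# Walk the home directory for NSS databases (Firefox profiles, ~/.pki/nssdb)
# and import into each. Restart the browsers afterwards so they re-read them.
import_into_all() {
    [ -r "$ROOT_CA" ] || { echo "root CA not readable: $ROOT_CA" >&2; return 2; }
    find "${HOME:-.}" -name cert9.db -type f 2>/dev/null | while IFS= read -r db; do
        import_root_ca "$db"
    done
}

if [ "${1:-}" = "--run" ]; then
    import_into_all
fi
```

Run it as `ROOT_CA=$(step path)/certs/root_ca.crt sh import-root-ca.sh --run` as the desktop user (not with sudo, since the databases live in that user's profile directories).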
Windows
Distribute the root CA cert by group policy
e.g. https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy
Or, update the local trust store manually
e.g. https://windowsreport.com/install-windows-10-root-certificates/