Certificate Manager
      Back to home
      1. Smallstep Knowledge Base
      2. Documentation
      3. Certificate Manager

      Getting Started with Certificate Manager

      Here's a step-by-step guide for setting up a new trial account for Certificate Manager. You'll also have access to SSH Professional, Devices, and Workloads.

      Overview

      STEP 1 - CREATE A SMALLSTEP TEAM

      Creating a team gives you access to Smallstep's products. Click here to create a team. You will be asked to provide:

      • Team Name - Usually, this is your company name.
      • Team URL - This is where you will access the smallstep dashboard and will also be the base domain for the CA URL for any Authorities you create.
      • First & Last Name - Smallstep Team administrator's name.
      • E-mail - Smallstep Team administrator's e-mail address.
      • Password - This password is used to log into the Smallstep dashboard
      • Smallstep team admins can subscribe to and manage Smallstep products.

      STEP 2 - CREATE AN AUTHORITY

      A Certificate Manager Authority is an online CA that authenticates and authorizes certificate requests. It can issue, renew, and revoke your x.509 TLS certificates. To create an Authority:

      • Log into the Smallstep dashboard, select the Certificate Manager tab, and click the "Add Authority" button.
      • Choose "Create a new hosted Authority".
      • Give your Authority a name and subdomain value (the URL path you wish to use for your online CA).
      • Choose "Create" Behind the scenes, Certificate Manager creates a new root and an online intermediate CA, storing the private keys in Google's Cloud KMS.
      • On the Authority detail page, you will see the CA URL and Fingerprint used to interact with your CA.

      Certificate Manager also creates a default provisioner called authority-admin, connected to your Smallstep login. You can use this provisioner to administer the Authority and to get certificates. See basic certificate operations for examples.

      An authority super admin account is also created, using your e-mail address as the admin name/subject. The super admin can manage other authority admins.

      STEP 3 - INSTALL step

      To interact with Certificate Manager, you will need our step CLI command on your local machine. step acts as a front-end interface to Certificate Manager and is used for many common cryptography and X.509 operations. 


      MacOS

      Install step via Homebrew:

      brew install step

      To uninstall, run `brew uninstall step` and remove the $HOME/.step configuration directory.


      LINUX PACKAGES (AMD64)

      Debian Linux

      Download and install the Debian package from our latest release:

      wget https://dl.step.sm/gh-release/cli/docs-cli-install/v0.23.1/step-cli_0.23.1_amd64.deb

      sudo dpkg -i step-cli_0.23.1_amd64.deb

      To uninstall, run `sudo dpkg -r step-cli` and remove the $HOME/.step configuration directory.

      RedHat

      Download and install the RPM package from our latest release:

      wget https://dl.step.sm/gh-release/cli/docs-ca-install/v0.23.1/step-cli_0.23.1_amd64.rpm

      sudo rpm -i step-cli_0.23.1_amd64.rpm

      To uninstall, run `sudo dnf remove step-cli` and remove the $HOME/.step configuration directory.

      WINDOWS

      Install step via scoop package manager

      scoop bucket add smallstep https://github.com/smallstep/scoop-bucket.git

      scoop install smallstep/step

      To uninstall, run Scoop remove step and remove the $HOME/.step configuration directory.


      Install manually

      Download the Windows binary from our latest releases page and install it using PowerShell.


      Open PowerShell and run the following:

      curl.exe -LO https://dl.step.sm/gh-release/cli/docs-cli-install/v0.23.1/step_windows_0.23.1_amd64.zip

      Expand-Archive -LiteralPath .\step_windows_0.23.1_amd64.zip -DestinationPath .

      step_0.23.1\bin\step.exe version

      Finally, move the step.exe binary wherever you'd like it to into a location in your user's PATH.


      TESTING YOUR INSTALLATION

      $ step certificate inspect https://smallstep.com

      Certificate:

          Data:

              Version: 3 (0x2)

              Serial Number: 326381749415081530968054238478851085504954 (0x3bf265673332db2d0c70e48a163fb7d11ba)

          Signature Algorithm: SHA256-RSA

              Issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3

              Validity

                  Not Before: Feb 8 13:07:44 2019 UTC

                  Not After : May 9 13:07:44 2019 UTC

              Subject: CN=smallstep.com

      [...]

      STEP 4 - CONFIGURE YOUR CLIENT

      Certificate Manager authorities are administered using the step CLI command. To connect your local client with the hosted Authority, you need to bootstrap into the PKI. Run the following command, substituting the values from your Authority's properties:

      $ step ca bootstrap --ca-url [YOUR CA URL] --fingerprint [YOUR AUTHORITY FINGERPRINT]

      (You can always find this command in the Quick Actions section on your authority page.)

      This command will download the CA Root certificate and configure your local step client to interact with the Authority.

      If desired, you can also use the step CLI to install the CA Root certificate to your system's trust store.

      🎉 You're now ready to build out your environment.