Linking Step CA Pro with Smallstep and Smallstep RunAnywhere

Step CA Pro offers a “linked” deployment type and can operate as a standalone or clustered CA.

Step CA Pro offers a “linked” deployment type in addition to its ability to operate as a standalone or clustered CA. When running in linked mode, Step CA Pro works in conjunction with the Smallstep platform to propagate provisioner configuration, admins, certificates, and revocations from the Step CA Pro instance.

Existing Step CA Pro instances can be linked to Smallstep or Smallstep RunAnywhere, but any existing artifacts from CA operations (for example, certificates) will not be propagated. Artifacts from operations after the linking is performed will be propagated as normal.

Step CA Pro performs propagation of changes in a resilient manner that can recover from common operational impairments that would make Smallstep or Smallstep RunAnywhere unavailable to the Step CA Pro instance.

Step-by-step Guide

1. Prepare your PKI
   1. For a new authority, run `step ca init --name "my-authority" --deployment-type linked`, follow the prompts, and save the private key passphrase somewhere safe. Ensure `ca.json` has the correct configuration for any optional customization, such as HSM support with PKCS#11 URIs for key management.
   2. For existing authorities, ensure you have your `ca.json` file, your root and any intermediates, and the private key passphrase prepared.
2. Create a linked authority in Smallstep or Smallstep RunAnywhere
   1. Under Certificate Manager, click Authorities.
   2. Click Add Authority.
   3. Click Link a step-ca instance.
   4. Choose Pro from the “step-ca Edition” dropdown, and click Next.
   5. Copy the token from the step-ca command shown.
3. Initialize Step CA Pro
   1. Ensure your database is set up and ready for Step CA Pro; consult the Step CA Pro documentation for details.
   2. Ensure you have the token from step #2.
   3. Run `step-ca-pro init --name "my-authority" --driver ... --database ... --token ...`
   4. Save the generated admin provisioner passphrase somewhere safe.
4. Edit `ca.json` and add the generated authority ID:

   ```json
   {
     "...": "...",
     "authority": {
       "authorityId": "<authority-id>"
     }
   }
   ```

5. Start Step CA Pro
   1. Run `step-ca-pro start --password-file <path-to-private-key-passphrase> --token ... <path-to-ca-json>`
6. Use `step` to interact with your Step CA Pro instance
   1. e.g. `step ca certificate ...`
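Step 4 above is a hand edit of a file that already carries the rest of your CA configuration, so it is worth doing in a way that cannot clobber the existing `authority` block (provisioners and the like) or silently re-point an already linked CA at a different authority. The following helper is an added example, not part of Smallstep's tooling; the sample `ca.json` content and its keys other than `authority`/`authorityId` are constructed for illustration.

```python
import json

# Constructed sample ca.json fragment (not a real step-ca config); the
# "authority" block already holds provisioners that must be preserved.
SAMPLE_CA_JSON = """{
  "root": "/home/step/certs/root_ca.crt",
  "crt": "/home/step/certs/intermediate_ca.crt",
  "key": "/home/step/secrets/intermediate_ca_key",
  "authority": {
    "provisioners": [
      {"type": "JWK", "name": "admin"}
    ]
  }
}"""


def add_authority_id(ca_json_text: str, authority_id: str) -> str:
    """Return ca.json text with authority.authorityId set to authority_id.

    Every other key, including existing provisioners, is preserved. If a
    different authorityId is already present the function refuses rather
    than silently relinking the CA to another authority.
    """
    if not authority_id or not authority_id.strip():
        raise ValueError("authority id must be non-empty")
    config = json.loads(ca_json_text)
    authority = config.get("authority")
    if authority is None:
        authority = {}
        config["authority"] = authority
    elif not isinstance(authority, dict):
        raise ValueError('"authority" must be a JSON object')
    existing = authority.get("authorityId")
    if existing is not None and existing != authority_id:
        raise ValueError(f"ca.json already linked to authorityId {existing!r}; "
                         "refusing to overwrite")
    authority["authorityId"] = authority_id
    return json.dumps(config, indent=2) + "\n"


def linked_authority_id(ca_json_text: str):
    """Return the authorityId a ca.json is linked to, or None if unlinked."""
    authority = json.loads(ca_json_text).get("authority") or {}
    return authority.get("authorityId")


if __name__ == "__main__":
    import sys  # usage: python link_ca.py <path-to-ca-json> <authority-id>
    path, authority_id = sys.argv[1], sys.argv[2]
    with open(path) as f:
        updated = add_authority_id(f.read(), authority_id)
    with open(path, "w") as f:
        f.write(updated)
```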