Dependencies
- Smallstep Platform
- VM(s) for registration authority instance(s) with externally-routable DNS
- ACME client with DNS routed for testing
- step (on VM)
- step-ca (on VM)
- kubectl
- KOTS
Smallstep Platform Update
To complete the installation, we'll need to be on the latest Beta channel release of the Smallstep Platform.
Your Smallstep representative will need to ensure that your license is set appropriately in our systems. If not, they will send you a new license file to add to your admin-console in KOTS.
In the Version History tab, check for the latest update and deploy it:
kubectl config use-context <your-context>
kubectl kots admin-console --namespace smallstep
Certificate Manager CA Provisioner
When operating a registration authority, the RA must be able to request certificates from the managed CA. We'll configure the CA with a JWK provisioner for use by the RA. The RA itself will have its own provisioner(s) for clients it services.
Enter admin-tools:
kubectl config use-context <your-context>
kubectl exec -it -n smallstep deploy/admin-tools -- bash
Create a keypair that will be used in the JWK provisioner (escrowed by the CA). Save the provisioner password in a safe place for use by the RA(s).
step crypto jwk create jwk.pub jwk.priv
In admin-tools, create a new JWK provisioner (the values in the following code blocks are examples; customize them to your needs):
manage-provisioners --type JWK --name "ra@your-company.com" \
  --authority "certs.ca.smallstep.your-company.com" \
  --public-key "jwk.pub" --private-key "jwk.priv" \
  --duration "240h" --max-duration "720h" \
  add
Now you can safely delete the created keys:
rm jwk.pub jwk.priv
RA Installation
Install the latest version of step-ca using the appropriate build from:
https://github.com/smallstep/certificates/releases/tag/v0.18.1
On the VM that will host your registration authority, configure a step-ca instance in RA mode with an ACME provisioner.
Save the following as /etc/step-ca/config/ca.json:
{
  "address": ":443",
  "dnsNames": [
    "smallstep-ra01.your-company.com"
  ],
  "db": {
    "type": "badger",
    "dataSource": "/etc/step-ca/db"
  },
  "logger": {
    "format": "json"
  },
  "authority": {
    "type": "stepcas",
    "certificateAuthority": "https://certs.ca.smallstep.your-company.com",
    "certificateAuthorityFingerprint": "your-certificate-authority-fingerprint",
    "certificateIssuer": {
      "type": "jwk",
      "provisioner": "ra@your-company.com"
    },
    "provisioners": [
      {
        "type": "ACME",
        "name": "acme",
        "claims": {
          "defaultTLSCertDuration": "240h",
          "maxTLSCertDuration": "720h"
        }
      }
    ]
  },
  "tls": {
    "cipherSuites": [
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
    ],
    "minVersion": 1.2,
    "maxVersion": 1.3,
    "renegotiation": false
  }
}
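Before starting the RA, it is worth checking that this ca.json is consistent with what the CA side grants: the upstream CA applies the JWK provisioner's own claims (the --max-duration of 720h set above) to every request the RA forwards, so an ACME maxTLSCertDuration above that limit, or a fingerprint placeholder left in place, will only surface as failures at issuance time. The following audit is an added example, not part of the Smallstep documentation or tooling; it embeds a trimmed copy of the configuration above as a constructed sample and assumes the 720h CA-side limit from the manage-provisioners step.

```python
import json
import re

# The RA ca.json from this page as a constructed sample (db/address trimmed);
# the fingerprint placeholder is kept so the audit has something to flag.
RA_CONFIG = (
    '{"dnsNames":["smallstep-ra01.your-company.com"],'
    '"authority":{"type":"stepcas",'
    '"certificateAuthority":"https://certs.ca.smallstep.your-company.com",'
    '"certificateAuthorityFingerprint":"your-certificate-authority-fingerprint",'
    '"certificateIssuer":{"type":"jwk","provisioner":"ra@your-company.com"},'
    '"provisioners":[{"type":"ACME","name":"acme","claims":'
    '{"defaultTLSCertDuration":"240h","maxTLSCertDuration":"720h"}}]},'
    '"tls":{"minVersion":1.2,"maxVersion":1.3,"renegotiation":false}}'
)
# --max-duration granted to the RA's JWK provisioner on the upstream CA (assumed).
CA_JWK_MAX_HOURS = 720

def parse_hours(duration: str) -> float:
    """Convert a Go-style duration ('240h', '1h30m', '90s') to hours."""
    if not re.fullmatch(r"(\d+(?:\.\d+)?[hms])+", duration):
        raise ValueError(f"malformed duration: {duration!r}")
    per_unit = {"h": 1.0, "m": 1 / 60, "s": 1 / 3600}
    return sum(float(v) * per_unit[u]
               for v, u in re.findall(r"(\d+(?:\.\d+)?)([hms])", duration))

def audit_ra_config(raw: str) -> list[str]:
    """Return findings for an RA-mode ca.json; an empty list means it passes."""
    cfg = json.loads(raw)
    auth = cfg.get("authority", {})
    findings = []
    if auth.get("type") != "stepcas":
        findings.append("authority.type must be 'stepcas' for RA mode")
    # A hex SHA-256 digest pins the upstream CA; the page's placeholder is not one.
    if not re.fullmatch(r"[0-9a-fA-F]{64}", auth.get("certificateAuthorityFingerprint", "")):
        findings.append("certificateAuthorityFingerprint is not a SHA-256 hex digest")
    issuer = auth.get("certificateIssuer", {})
    if issuer.get("type") != "jwk" or not issuer.get("provisioner"):
        findings.append("certificateIssuer must name the CA-side JWK provisioner")
    for prov in auth.get("provisioners", []):
        # step-ca applies 24h when a claim is absent.
        max_h = parse_hours(prov.get("claims", {}).get("maxTLSCertDuration", "24h"))
        if max_h > CA_JWK_MAX_HOURS:  # the CA enforces its own JWK limit on RA requests
            findings.append(f"{prov['name']}: maxTLSCertDuration {max_h:g}h exceeds "
                            f"the CA-side limit of {CA_JWK_MAX_HOURS}h")
    tls = cfg.get("tls", {})
    if float(tls.get("minVersion", 0)) < 1.2 or tls.get("renegotiation"):
        findings.append("tls: require minVersion >= 1.2 and renegotiation false")
    return findings
```

Run it against the real file with `audit_ra_config(open("/etc/step-ca/config/ca.json").read())` once the fingerprint has been filled in; any non-empty result is worth fixing before step-ca is started.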
Use a secrets manager or whatever process best suits your organization to store the provisioner password in /etc/step-ca/password.txt.
Start step-ca:
step-ca --issuer-password-file /etc/step-ca/password.txt /etc/step-ca/config/ca.json
For a longer-term approach to running step-ca, refer to the systemd daemon instructions.
Test
Test certificate issuance with step:
step ca bootstrap --ca-url https://ra01.your-company.com --fingerprint your-certificate-authority-fingerprint
step ca certificate localhost local.crt local.key
Test certificate issuance from your ACME test client.