Dependencies

  • Smallstep Platform
  • VM(s) for registration authority instance(s) with externally-routable DNS
  • ACME client with DNS routed for testing
  • step (on VM)
  • step-ca (on VM)
  • kubectl
  • KOTS


Smallstep Platform Update

To complete the installation, we'll need to be on the latest Beta channel release of the Smallstep Platform.


Your Smallstep representative will need to ensure that your license is set appropriately in our systems. If not, they will send you a new license file to add to your admin-console in KOTS.


In the Version History tab, check for the latest update and deploy it:

kubectl config use-context <your-context>
kubectl kots admin-console --namespace smallstep

Certificate Manager CA Provisioner

When operating a registration authority, the RA must be able to request certificates from the managed CA. We'll configure the CA with a JWK provisioner for use by the RA. The RA itself will have its own provisioner(s) for clients it services.


Enter admin-tools:

kubectl config use-context <your-context>
kubectl exec -it -n smallstep deploy/admin-tools -- bash

Create a keypair that will be used in the JWK provisioner (escrowed by the CA). Save the provisioner password in a safe place for use by the RA(s).

step crypto jwk create jwk.pub jwk.priv

In admin-tools, create a new JWK provisioner (the values in the following code blocks are simply examples - please customize these to your needs as desired):

manage-provisioners --type JWK --name "ra@your-company.com" \
  --authority "certs.ca.smallstep.your-company.com" \
  --public-key "jwk.pub" --private-key "jwk.priv" \
  --duration "240h" --max-duration "720h" \
  add

Now you can safely delete the created keys:


rm jwk.pub jwk.priv

RA Installation

Install the latest version of step-ca using the appropriate build from:


https://github.com/smallstep/certificates/releases/tag/v0.18.1


On the VM that will host your registration authority, configure a step-ca instance in RA mode with an ACME provisioner.


Save the following as /etc/step-ca/config/ca.json:

{
   "address":":443",
   "dnsNames":[
      "smallstep-ra01.your-company.com"
   ],
   "db":{
      "type":"badger",
      "dataSource":"/etc/step-ca/db"
   },
   "logger":{
      "format":"json"
   },
   "authority":{
      "type":"stepcas",
      "certificateAuthority":"https://certs.ca.smallstep.your-company.com",
      "certificateAuthorityFingerprint":"your-certificate-authority-fingerprint",
      "certificateIssuer":{
         "type":"jwk",
         "provisioner":"ra@your-company.com"
      },
      "provisioners":[
         {
            "type":"ACME",
            "name":"acme",
            "claims":{
               "defaultTLSCertDuration":"240h",
               "maxTLSCertDuration":"720h"
            }
         }
      ]
   },
   "tls":{
      "cipherSuites":[
         "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
         "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
      ],
      "minVersion":1.2,
      "maxVersion":1.3,
      "renegotiation":false
   }
}

Use a secrets manager or whatever process best suits your organization to store the provisioner password in /etc/step-ca/password.txt.


Start step-ca:

step-ca --issuer-password-file /etc/step-ca/password.txt /etc/step-ca/config/ca.json

For a longer-term approach to running step-ca refer to systemd daemon instructions.


Test

Test certificate issuance with step:

step ca bootstrap --ca-url https://ra01.your-company.com --fingerprint your-certificate-authority-fingerprint
step ca certificate localhost local.crt local.key

Test certificate issuance from your ACME test client.