Self-Hosted ACME (Automated Certificate Management Environment) Server with Step-CA on Linux


#ACME #LetsEncrypt #SSL #StepCA

*** Updated 08/11/2023

Full steps can be found at https://i12bretro.github.io/tutorials...

What is Step-CA?
[Step-CA is] a private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH. - https://github.com/smallstep/certific...
 
Installing Step-CA and Step-CLI
   01. Log into the Linux device
   02. Run the following commands in a terminal
         update software repositories
         sudo apt update
         install available software updates
         sudo apt upgrade -y
         install prerequisites
         sudo apt install curl wget -y
         clean up downloaded apt files
         sudo apt clean
         lookup latest step-ca release URL (the step-ca server is released from the smallstep/certificates repository, so the regex must match step-ca_*amd64.deb there, not the step-cli package)
         regex='"browser_download_url": "(https:\/\/github.com\/smallstep\/certificates\/releases\/download\/[^/]*\/step-ca_[^/]*amd64\.deb)"' && response=$(curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/smallste...) && [[ $response =~ $regex ]] && downloadURL="${BASH_REMATCH[1]}"
         download steps-ca server
         wget -O ./steps-ca.deb $downloadURL
         install steps-ca server
         sudo dpkg -i ./steps-ca.deb
         lookup latest steps-cli release URL
         regex='"browser_download_url": "(https:\/\/github.com\/smallstep\/cli\/releases\/download\/[^/]*\/step-cli_[^/]*amd64\.deb)"' && response=$(curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/smallste...) && [[ $response =~ $regex ]] && downloadURL="${BASH_REMATCH[1]}"
         download steps-cli client
         wget -O ./steps-cli.deb $downloadURL
         install steps-cli client
         sudo dpkg -i ./steps-cli.deb
         create the /etc/step-ca directory
         sudo mkdir /etc/step-ca
         elevate to root user
         sudo su
         set the step-ca path
         export STEPPATH=/etc/step-ca
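The two release lookups above pull the download URL out of the GitHub API response with a bash regex. The following is an added example (not part of the original tutorial) that does the same selection with a JSON parser instead: it picks exactly one `<package>_<version>_<arch>.deb` asset and refuses a URL that does not point at https://github.com/, so an unexpected API answer cannot become a download from elsewhere. The release JSON embedded below is constructed (placeholder tag and version); the API endpoint `https://api.github.com/repos/<owner>/<repo>/releases/latest` is the standard GitHub REST endpoint, and the repository/package pairings (smallstep/certificates for step-ca, smallstep/cli for step-cli) follow the tutorial.

```python
import json
import re
import urllib.parse
import urllib.request

# Constructed sample of a GitHub "releases/latest" API response. The tag,
# version and URLs are placeholders, not a real smallstep release.
SAMPLE_RELEASE_JSON = json.dumps({
    "tag_name": "v0.0.0-example",
    "assets": [
        {"name": "step-ca_0.0.0_amd64.deb",
         "browser_download_url": "https://github.com/smallstep/certificates/releases/download/v0.0.0-example/step-ca_0.0.0_amd64.deb"},
        {"name": "step-ca_0.0.0_arm64.deb",
         "browser_download_url": "https://github.com/smallstep/certificates/releases/download/v0.0.0-example/step-ca_0.0.0_arm64.deb"},
        {"name": "step-ca_linux_0.0.0_amd64.tar.gz",
         "browser_download_url": "https://github.com/smallstep/certificates/releases/download/v0.0.0-example/step-ca_linux_0.0.0_amd64.tar.gz"},
        {"name": "checksums.txt",
         "browser_download_url": "https://github.com/smallstep/certificates/releases/download/v0.0.0-example/checksums.txt"},
    ],
})


def select_deb_asset(release_json: str, package: str, arch: str = "amd64") -> str:
    """Return the download URL of the <package>_<version>_<arch>.deb asset.

    Raises LookupError unless exactly one asset matches, and ValueError if the
    URL does not point at https://github.com/, so a surprising API answer
    never turns into a download from somewhere else.
    """
    release = json.loads(release_json)
    name_pattern = re.compile(rf"^{re.escape(package)}_[^/]*_{re.escape(arch)}\.deb$")
    matches = [a for a in release.get("assets", []) if name_pattern.match(a.get("name", ""))]
    if len(matches) != 1:
        raise LookupError(f"expected one {package} {arch} .deb asset, found {len(matches)}")
    url = matches[0]["browser_download_url"]
    parsed = urllib.parse.urlsplit(url)
    if parsed.scheme != "https" or parsed.netloc != "github.com":
        raise ValueError(f"refusing non-GitHub download URL: {url}")
    return url


def latest_deb_url(owner: str, repo: str, package: str, arch: str = "amd64") -> str:
    """Fetch the latest release from the GitHub REST API and pick the .deb.

    Needs network access; select_deb_asset() on the sample above is the
    offline equivalent.
    """
    api = f"https://api.github.com/repos/{owner}/{repo}/releases/latest"
    req = urllib.request.Request(api, headers={"Accept": "application/vnd.github.v3+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return select_deb_asset(resp.read().decode("utf-8"), package, arch)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(select_deb_asset(SAMPLE_RELEASE_JSON, "step-ca"))
    # With network access, server and client come from different repositories:
    #   latest_deb_url("smallstep", "certificates", "step-ca")
    #   latest_deb_url("smallstep", "cli", "step-cli")
```

Asking for `step-cli` against the sample raises LookupError, which is the behaviour you want when a lookup script is pointed at the wrong repository: a failed lookup is far better than silently installing the wrong package under the expected file name.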
 
Initialize A New Certificate Authority
Continue with the following commands in a terminal
initialize a CA
step ca init
   01. Select standalone > press Enter
   02. Enter a name for the PKI/Certificate Authority [ie i12bretro Certificate Authority] > Press Enter
   03. Enter the IP address and/or DNS name of the Step-CA host [ie debian.i12bretro.local,192.168.0.57] > Press Enter
   04. Enter the port for Step-CA to listen on [ie :8443] > Press Enter
   05. Enter a first provisioner e-mail address [ie [email protected]] > Press Enter
   06. Enter a password for the CA or leave it blank to have a password generated > Press Enter
 
Installing Step-CA Service/Daemon
Continue with the following commands in a terminal
add ACME provisioner
step ca provisioner add acme --type ACME
exit root shell
exit
create password.txt, replace with the CA password
echo '$YourCAPassword!!' | sudo tee -a /etc/step-ca/password.txt > /dev/null
create step-ca user
sudo useradd --system --home /etc/step-ca --shell /bin/false step-ca
set ownership of /etc/step-ca
sudo chown step-ca:step-ca /etc/step-ca -R
limit permissions on the password.txt file
sudo chmod 400 /etc/step-ca/password.txt
create step-ca log directory
sudo mkdir /var/log/step-ca -p
set ownership of step-ca logs
sudo chown step-ca:step-ca /var/log/step-ca -R
edit the ca configuration
sudo nano /etc/step-ca/config/ca.json
   01. By default, step-ca certificates are only valid for 24 hours. To adjust this, paste the following into each entry of the "provisioners" array in the ca.json configuration file (the first provisioner created by step ca init and the ACME provisioner added above) and adjust the values as needed
         "claims": {
           "maxTLSCertDuration": "26280h",
           "defaultTLSCertDuration": "8760h"
         },
   02. Press CTRL+O, Enter, CTRL+X to write the changes and close nano
   03. Continue with the following commands in a terminal
create service file
sudo nano /etc/systemd/system/step-ca.service
   04. Paste the following configuration into step-ca.service
         [Unit]
         Description=step-ca service
         After=network.target
         StartLimitIntervalSec=0

         [Service]
         Type=simple
         Restart=always
         RestartSec=1
         User=step-ca
         Group=step-ca
         Environment=STEPPATH=/etc/step-ca
         ExecStart=/bin/sh -c "/usr/bin/step-ca ${STEPPATH}/config/ca.json --password-file=${STEPPATH}/password.txt >> /var/log/step-ca/step-ca.log 2>&1"

         [Install]
         WantedBy=multi-user.target
   05. Press CTRL+O, Enter, CTRL+X to write the changes and close nano
   06. Continue with the following commands to enable and start the service:
reload systemd services
sudo systemctl daemon-reload
start step-ca service on boot and now
sudo systemctl enable step-ca --now
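Step 01 above asks you to paste the same "claims" block into every provisioner by hand in nano. The following is an added example (not code from the tutorial or from smallstep) that applies those claims to every provisioner of a ca.json programmatically and checks that the default duration does not exceed the maximum, so the mistake surfaces before the service is restarted rather than in the step-ca log. The ca.json embedded below is a constructed, minimal stand-in for the file step ca init writes (a real one carries many more keys, which the patch leaves untouched); the provisioner name "admin@ca.example" is a placeholder. The tutorial's values amount to a 3-year maximum (26280h) with a 1-year default (8760h).

```python
import json
import re

# Constructed minimal ca.json modelled on the layout "step ca init" writes:
# the first (JWK) provisioner plus the ACME provisioner added in the tutorial.
# A real file also carries root/crt/key/db/tls settings; the patch below does
# not touch anything outside authority.provisioners[*].claims.
SAMPLE_CA_JSON = json.dumps({
    "address": ":8443",
    "authority": {
        "provisioners": [
            {"type": "JWK", "name": "admin@ca.example", "key": {"kty": "EC"}},
            {"type": "ACME", "name": "acme"},
        ]
    },
}, indent=4)

_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}
_DURATION_PART = re.compile(r"(\d+)([hms])")


def duration_seconds(value: str) -> int:
    """Parse a Go-style duration such as "26280h" or "1h30m" (h/m/s only).

    step-ca hands these strings to Go's duration parser; this helper covers
    the whole-number hour/minute/second forms used in the tutorial and
    rejects anything else instead of guessing.
    """
    parts = _DURATION_PART.findall(value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unsupported duration: {value!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)


def apply_tls_claims(ca_json_text: str, max_dur: str = "26280h", default_dur: str = "8760h") -> str:
    """Set maxTLSCertDuration/defaultTLSCertDuration on every provisioner.

    The default must not exceed the maximum; checking here catches the
    mistake before step-ca is restarted. Returns the patched JSON text; the
    caller writes it back to ca.json.
    """
    if duration_seconds(default_dur) > duration_seconds(max_dur):
        raise ValueError("defaultTLSCertDuration must not exceed maxTLSCertDuration")
    cfg = json.loads(ca_json_text)
    for prov in cfg["authority"]["provisioners"]:
        claims = prov.setdefault("claims", {})
        claims["maxTLSCertDuration"] = max_dur
        claims["defaultTLSCertDuration"] = default_dur
    return json.dumps(cfg, indent=4) + "\n"


def provisioner_claims(ca_json_text: str) -> dict:
    """Map provisioner name -> claims dict, for verifying the result."""
    cfg = json.loads(ca_json_text)
    return {p["name"]: p.get("claims", {}) for p in cfg["authority"]["provisioners"]}


if __name__ == "__main__":
    import sys
    # Usage: python3 patch_claims.py /etc/step-ca/config/ca.json [max] [default]
    # With no path it patches the constructed sample and prints the result.
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path, encoding="utf-8") as f:
            original = f.read()
        patched = apply_tls_claims(original, *sys.argv[2:4])
        with open(path, "w", encoding="utf-8") as f:
            f.write(patched)
    else:
        print(apply_tls_claims(SAMPLE_CA_JSON))
```

Run it as root (or as the step-ca user) against /etc/step-ca/config/ca.json before the service file is enabled, then continue with the daemon-reload and enable steps; file ownership set earlier with chown is preserved because the file is rewritten in place.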
 
Automating Certificate Requests
Full steps can be found on GitHub [link at the top]


Connect with me and others ###
★ Discord:   / discord  
★ Reddit:   / i12bretro  
★ Twitter:   / i12bretro  
