Self-Hosted ACME (Automated Certificate Management Environment) Server with Step-CA on Linux
i12bretro
#ACME #LetsEncrypt #SSL #StepCA
*** Updated 08/11/2023
Full steps can be found at https://i12bretro.github.io/tutorials/0746.html
## What is Step-CA?
[Step-CA is] a private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH. - [https://github.com/smallstep/certificates](https://github.com/smallstep/certificates)

## Installing Step-CA and Step-CLI
- Log into the Linux device
- Run the following commands in a terminal
# update software repositories
sudo apt update
# install available software updates
sudo apt upgrade -y
# install prerequisites
sudo apt install curl wget -y
# clean up downloaded apt files
sudo apt clean
# lookup latest step-ca release URL (the server lives in the smallstep/certificates repository)
regex='"browser_download_url": "(https:\/\/github.com\/smallstep\/certificates\/releases\/download\/[^/]*\/step-ca_[^/]*amd64\.deb)"' && response=$(curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/smallstep/certificates/releases/latest) && [[ $response =~ $regex ]] && downloadURL="${BASH_REMATCH[1]}"
# download step-ca server
wget -O ./step-ca.deb $downloadURL
# install step-ca server
sudo dpkg -i ./step-ca.deb
# lookup latest step-cli release URL (the client lives in the smallstep/cli repository)
regex='"browser_download_url": "(https:\/\/github.com\/smallstep\/cli\/releases\/download\/[^/]*\/step-cli_[^/]*amd64\.deb)"' && response=$(curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/smallstep/cli/releases/latest) && [[ $response =~ $regex ]] && downloadURL="${BASH_REMATCH[1]}"
# download step-cli client
wget -O ./step-cli.deb $downloadURL
# install step-cli client
sudo dpkg -i ./step-cli.deb
# create the /etc/step-ca directory
sudo mkdir /etc/step-ca
# elevate to root user
sudo su
# set the step-ca path
export STEPPATH=/etc/step-ca
## Initialize A New Certificate Authority
- Still as root with STEPPATH set, run step ca init and answer the prompts:
- Select standalone > Press Enter
- Enter a name for the PKI/Certificate Authority [ie i12bretro Certificate Authority] > Press Enter
- Enter the IP address and/or DNS name of the Step-CA host [ie debian.i12bretro.local,192.168.0.57] > Press Enter
- Enter the port for Step-CA to listen on [ie :8443] > Press Enter
- Enter a first provisioner e-mail address [ie i12bretro@i12bretro.local] > Press Enter
- Enter a password for the CA or leave it blank to have a password generated > Press Enter
## Installing Step-CA Service/Daemon
- By default, step-ca issues TLS certificates that are only valid for 24 hours. To adjust this, open the CA configuration (nano /etc/step-ca/config/ca.json) and paste the following inside each of the provisioner entries, adjusting the values as needed (durations use Go notation: 8760h is one year, 26280h is three years)
  "claims": {
    "maxTLSCertDuration": "26280h",
    "defaultTLSCertDuration": "8760h"
  },
- Press CTRL+O, Enter, CTRL+X to write the changes and close nano
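As an added example (not part of the tutorial and not step-ca's own code), the script below makes the same claims edit programmatically for every provisioner in ca.json, keeps any claims already present, and refuses a default duration longer than the maximum. The ca.json it contains is constructed, and parse_duration, add_claims and provisioner_claims are the script's own names.

```python
import json
import re
# Go-style duration parser (constructed helper, not step-ca code); "1h30m" is valid too.
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}
_DUR_RE = re.compile(r"(\d+)([hms])")

def parse_duration(value):
    """Return the number of seconds in a Go duration string such as '8760h'."""
    if not value or not re.fullmatch(r"(\d+[hms])+", value):
        raise ValueError(f"invalid duration: {value!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in _DUR_RE.findall(value))

def add_claims(ca_json_text, max_duration="26280h", default_duration="8760h"):
    """Write both TLS duration claims into every provisioner of a ca.json document,
    keeping any other claims already there, and return the updated JSON text."""
    # a default longer than the maximum is inconsistent, so refuse it before writing
    if parse_duration(default_duration) > parse_duration(max_duration):
        raise ValueError("defaultTLSCertDuration must not exceed maxTLSCertDuration")
    config = json.loads(ca_json_text)
    for prov in config["authority"]["provisioners"]:
        claims = prov.setdefault("claims", {})
        claims["maxTLSCertDuration"] = max_duration
        claims["defaultTLSCertDuration"] = default_duration
    return json.dumps(config, indent=2)

def provisioner_claims(ca_json_text):
    """Map provisioner name -> its claims, to verify the edit."""
    config = json.loads(ca_json_text)
    return {p["name"]: p.get("claims", {}) for p in config["authority"]["provisioners"]}

# Constructed, minimal ca.json: a real one also carries root, crt, key, db, tls and
# other keys, which this script leaves untouched.
SAMPLE_CA_JSON = """{
  "address": ":8443",
  "dnsNames": ["debian.i12bretro.local", "192.168.0.57"],
  "authority": {
    "provisioners": [
      {"type": "JWK", "name": "i12bretro@i12bretro.local", "key": {"kty": "EC"}},
      {"type": "ACME", "name": "acme", "claims": {"disableRenewal": false}}
    ]
  }
}"""

if __name__ == "__main__":  # usage: python3 add_claims.py [/etc/step-ca/config/ca.json]
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_CA_JSON
    updated = add_claims(text)
    open(path, "w").write(updated) if path else print(updated)
```

Run it without arguments to see the edit applied to the sample; with a path it rewrites that file in place, so keep a copy of ca.json first.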
- Continue with the following commands in a terminal
# create service file
sudo nano /etc/systemd/system/step-ca.service
- Paste the following configuration into step-ca.service. The unit runs as the step-ca user and group and reads the CA password from /etc/step-ca/password.txt and writes its log to /var/log/step-ca, so that user, the password file and the log directory must exist and be accessible to it before the service is started
[Unit]
Description=step-ca service
After=network.target
StartLimitIntervalSec=0
[Service]
Type=simple
Restart=always
RestartSec=1
User=step-ca
Group=step-ca
Environment=STEPPATH=/etc/step-ca
ExecStart=/bin/sh -c "/usr/bin/step-ca ${STEPPATH}/config/ca.json --password-file=${STEPPATH}/password.txt >> /var/log/step-ca/step-ca.log 2>&1"
[Install]
WantedBy=multi-user.target
- Press CTRL+O, Enter, CTRL+X to write the changes and close nano
- Continue with the following commands to enable and start the service:
# reload systemd services
sudo systemctl daemon-reload
# start step-ca service on boot and now
sudo systemctl enable step-ca --now
## Automating Certificate Requests
Full steps can be found on GitHub (link at the top)
https://www.youtube.com/watch?v=4ET20bCsTX0
2023-08-11
Copyrighted (contact publisher)