Setting up your own private CA (Certificate Authority) and ACME (Automatic Certificate Management Environment) server is a good solution for organizations that need to issue a large number of SSL/TLS certificates. Running your own private CA gives you greater control over your certificates and avoids the cost and limitations of public CAs, and step-ca makes this straightforward. Here we are going to see how to set up our own private CA and ACME server using step-ca.
The best-known ACME service in use today is Let’s Encrypt, which is in fact also the world’s largest CA. I’m a big fan of all three (ACME, Let’s Encrypt and Certbot), and you should certainly use them wherever you can. ACME support in step-ca means you can easily set up your own CA and ACME server to issue certificates to internal services, development and other pre-production environments.
Install private CA & ACME server using Step-ca
Here are the steps to set up your own private CA and ACME server using step-ca:
Prerequisites:
- sudo privileges.
- Stable internet connection.
First check the server’s OS version, then follow the installation steps for that OS:
# egrep '^(VERSION|NAME)=' /etc/os-release
Installation process:
We need to install step-ca, which can be found under Releases on GitHub at smallstep/certificates, and step-cli, which can be found under Releases at smallstep/cli. Always try to download the latest release.
On Debian-based systems such as Ubuntu or Debian
Step-ca
# cd /tmp && curl -LO https://dl.step.sm/gh-release/certificates/gh-release-header/v0.24.1/step-ca_0.24.1_amd64.deb
# dpkg -i step-ca_0.24.1_amd64.deb
Step-cli
# cd /tmp && curl -LO https://github.com/smallstep/cli/releases/download/v0.24.3/step-cli_0.24.3_amd64.deb
# dpkg -i step-cli_0.24.3_amd64.deb
On RedHat-based systems such as RHEL or CentOS
Step-ca
# cd /tmp && curl -LO https://github.com/smallstep/certificates/releases/download/v0.24.1/step-ca_0.24.1_amd64.rpm
# rpm -i step-ca_0.24.1_amd64.rpm
Step-cli
# cd /tmp && curl -LO https://github.com/smallstep/cli/releases/download/v0.24.3/step-cli_0.24.3_amd64.rpm
# rpm -i step-cli_0.24.3_amd64.rpm
Configuration of Step-ca
Next, create the systemd service file /etc/systemd/system/step-ca.service:
# cat <<'EOT' | sudo tee /etc/systemd/system/step-ca.service
[Unit]
Description=step-ca
After=syslog.target network.target
[Service]
ExecStart=/bin/sh -c '/usr/bin/step-ca /root/.step/config/ca.json --password-file=/root/.step/pwd >> /var/log/step-ca.log 2>&1'
Type=simple
Restart=on-failure
RestartSec=10
[Install]
WantedBy=multi-user.target
EOT
Create own CA:
The next step is to create your own private CA with the following command:
# step ca init
You will be prompted for the following details for the CA:
- What deployment type would you like to configure? – Select “Standalone – step-ca instance you run yourself”.
- What would you like to name your new PKI? (e.g. Smallstep) – Enter an appropriate name for the CA.
- What DNS names or IP addresses would you like to add to your new CA? (e.g. ca.smallstep.com[,1.1.1.1,etc.]) – Enter your own domain name or the IP address of the server you are running this on.
- What address will your new CA listen at? (e.g. :443) – Enter an appropriate port, such as :443.
- What would you like to name the first Provisioner for your new CA? (e.g. [email protected]) – Give an appropriate email address.
- What do you want your password to be? [leave empty and we’ll generate one] – Either enter an appropriate password, or leave it blank to have one generated for you.
Once you’ve done the steps above you will need to create the file /root/.step/pwd, put the password into it and set restrictive permissions on the file:
# vim /root/.step/pwd
# chmod 400 /root/.step/pwd
Using ACME with Step-ca
To enable ACME, simply add an ACME provisioner to your step-ca configuration by running:
# step ca provisioner add acme --type ACME
By default certificate validity is 24 hours. If you want certificates to be valid for longer than 24 hours, you need to edit /root/.step/config/ca.json and add the following configuration to the ACME provisioner section (this extends the lifetime of certificates to 90 days):
# vim /root/.step/config/ca.json
and add the claims lines so that the ACME provisioner block looks like the following (the "claims" object is the new part):
    "type": "ACME",
    "name": "acme",
    "claims": {
        "enableSSHCA": true,
        "maxTLSCertDuration": "2160h",
        "defaultTLSCertDuration": "2160h"
    },
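The claims edit above is easy to get wrong by hand, and raising only defaultTLSCertDuration past the 24h built-in maximum leaves step-ca with a configuration it rejects. The following added example (my own code, not from this post or the smallstep project) applies both claims to the ACME provisioner of a ca.json and checks the ordering step-ca enforces (minTLSCertDuration <= default <= max); the sample ca.json and the name admin@example.test are constructed for the demo.

```python
"""Added example, not from the post or the smallstep project: set the ACME
provisioner's certificate-lifetime claims in a step-ca ca.json and check the
ordering step-ca enforces (minTLSCertDuration <= default <= max)."""
import json
import re

# Go-style duration units used in step-ca claims, in seconds.
_UNITS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600}
_DUR_RE = re.compile(r"(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)")


def parse_duration(text):
    """Parse a Go duration such as '2160h' or '1h30m' into seconds."""
    parts = _DUR_RE.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"invalid duration: {text!r}")
    return sum(float(n) * _UNITS[u] for n, u in parts)


def set_acme_claims(config, default="2160h", maximum="2160h"):
    """Return a copy of the ca.json dict with the TLS lifetime claims applied.

    Both keys are set together: raising only defaultTLSCertDuration would
    exceed step-ca's built-in 24h maximum and the CA rejects such claims,
    which is why the post edits both lines.
    """
    cfg = json.loads(json.dumps(config))  # deep copy; caller's dict untouched
    acme = [p for p in cfg["authority"]["provisioners"] if p.get("type") == "ACME"]
    if not acme:
        raise LookupError("no ACME provisioner; run: step ca provisioner add acme --type ACME")
    for prov in acme:
        claims = prov.setdefault("claims", {})
        claims["maxTLSCertDuration"] = maximum
        claims["defaultTLSCertDuration"] = default
        lo = parse_duration(claims.get("minTLSCertDuration", "5m"))  # step-ca default
        if not lo <= parse_duration(default) <= parse_duration(maximum):
            raise ValueError(f"{prov['name']}: need min <= default <= max")
    return cfg


# Constructed minimal ca.json for the demo; a real file carries many more keys.
SAMPLE_CA_JSON = {"authority": {"provisioners": [
    {"type": "JWK", "name": "admin@example.test"},
    {"type": "ACME", "name": "acme"},
]}}

if __name__ == "__main__":
    updated = set_acme_claims(SAMPLE_CA_JSON)
    print(json.dumps(updated["authority"]["provisioners"][1], indent=2))
```

To use it on a real CA, load /root/.step/config/ca.json with json.load, pass the dict through set_acme_claims and write the result back before restarting step-ca.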
Finally, start the step-ca service and enable it at startup:
# systemctl start step-ca && systemctl enable step-ca
Now the ACME server is available on the domain we used when creating the CA, at: https://<step-host>:<port>/acme/acme/directory
Certbot configuration and Testing:
Next, install Certbot, the well-known certificate management tool, from its official site.
Note: step-ca only supports the http-01 challenge; ACME clients such as Certbot and acme.sh can satisfy it in either standalone mode or webroot mode.
First, copy the root CA certificate from /root/.step/certs/root_ca.crt into the system trust store so that the system trusts certificates issued by our own root CA:
Debian based systems:
# cp root_ca.crt /usr/local/share/ca-certificates/
# update-ca-certificates
RedHat based systems:
# cp root_ca.crt /etc/pki/ca-trust/source/anchors/
# update-ca-trust
It’s time to get a certificate and test the CA and ACME server!
# certbot certonly --standalone -d example.com -d *.example.com --server https://<step-host>:<port>/acme/acme/directory
Here example.com and *.example.com are the domain names to get the certificate for, <step-host> is the hostname of your step-ca (ACME) server, and <port> is the port number you configured during setup.
You will first be prompted for an email address to set on the certificate; enter an appropriate one. You will then be asked to agree to the Terms of Service, and lastly whether you are willing to share your information with the EFF, which is entirely up to you.
Finally, we should have a freshly created certificate and key at /etc/letsencrypt/live/<domain-name>/.
Validate the new certificate using:
# certbot certificates
Certbot auto-renewal process:
Renew a single certificate using renew with the --cert-name option:
# certbot renew --cert-name <Certificate Name> --server https://<step-host>:<port>/acme/acme/directory
Note: remember to restart or reload the web server to make use of the new certificate.
Conclusion
step-ca and an ACME server are two important tools that help to enhance web security. They give organizations complete control over their digital certificates, automate the process of obtaining and renewing SSL/TLS certificates, and ensure strong encryption to protect communication channels. By using these tools, organizations can take a proactive approach to web security and protect their sensitive data from cyber threats.