step-ca
private certificate authority and ACME server
Package version: step-ca-0.25.2
Maintainer: The OpenBSD ports mailing-list
step-ca is an online certificate authority for secure, automated certificate
management. It's the server counterpart to the step CLI tool.
You can use it to:
- Issue X.509 certificates for your internal infrastructure:
  - HTTPS certificates that work in browsers (RFC5280 and CA/Browser Forum
    compliance)
  - TLS certificates for VMs, containers, APIs, mobile clients, database
    connections, printers, wifi networks, toaster ovens...
  - Client certificates to enable mutual TLS (mTLS) in your infra. mTLS is an
    optional feature in TLS where both client and server authenticate each
    other. Why add the complexity of a VPN when you can safely use mTLS over
    the public internet?
- Issue SSH certificates:
  - For people, in exchange for single sign-on ID tokens
  - For hosts, in exchange for cloud instance identity documents
- Easily automate certificate management:
  - It's an ACME v2 server
  - It has a JSON API
  - It comes with a Go wrapper
  - ... and there's a command-line client you can use in scripts!
+-------------------------------------------------------------------------------
| Running ${PKGSTEM} on OpenBSD
+-------------------------------------------------------------------------------
Initialization
==============
The step-cli package is required and must be used to initialize Step CA.
Execute the following command as user _step-ca to initialize Step CA.
# su -s /bin/sh _step-ca -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step ca init"
Step CA cannot bind to privileged ports. During initialization select a port
above 1024.
Add the CA cert to system store
===============================
The root certificate for step-ca is stored in ${LOCALSTATEDIR}/step-ca/certs/root_ca.crt.
To have the system trust certificates issued by this CA, add it to the system
trust store by appending it to ${SYSCONFDIR}/ssl/cert.pem:
# cat ${LOCALSTATEDIR}/step-ca/certs/root_ca.crt >> ${SYSCONFDIR}/ssl/cert.pem
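The bare `cat >>` above appends another copy of the root every time it is run. The following is an added example (not part of the port or its readme) that appends the root only once and refuses files that do not hold exactly one certificate; it assumes the OpenBSD defaults LOCALSTATEDIR=/var and SYSCONFDIR=/etc.

```shell
#!/bin/sh
# Added example, not from the step-ca port. Assumes the root certificate is
# at /var/step-ca/certs/root_ca.crt and the trust store is /etc/ssl/cert.pem.

# Print the single PEM certificate in $1 as one whitespace-free line.
# Fails if the file holds zero or several certificates, so a file that
# accidentally carries an intermediate chain is not installed as a root.
pem_body() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1")
    [ "$n" -eq 1 ] || { echo "expected one certificate in $1, found $n" >&2; return 1; }
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" \
        | tr -d ' \t\r\n'
}

# Append $1 (root_ca.crt) to $2 (cert.pem) unless that exact certificate is
# already in the bundle. Prints "added" or "already present".
add_root_ca_once() {
    crt=$1 bundle=$2
    body=$(pem_body "$crt") || return 1
    if tr -d ' \t\r\n' < "$bundle" | grep -qF -- "$body"; then
        echo "already present"
    else
        cat "$crt" >> "$bundle"
        echo "added"
    fi
}

# Self-contained demo on constructed files in a temp dir; the PEM body is a
# placeholder, not a real certificate. Prints the number of certificates in
# the bundle after two runs (1 here; a plain "cat >>" would give 2).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJULUZPUi1ERU1PLU9OTFk=' \
        '-----END CERTIFICATE-----' > "$d/root_ca.crt"
    : > "$d/cert.pem"
    add_root_ca_once "$d/root_ca.crt" "$d/cert.pem" > /dev/null
    add_root_ca_once "$d/root_ca.crt" "$d/cert.pem" > /dev/null
    grep -c '^-----BEGIN CERTIFICATE-----$' "$d/cert.pem"
    rm -r "$d"
}

# Real use on the CA host, as root:
#   add_root_ca_once /var/step-ca/certs/root_ca.crt /etc/ssl/cert.pem
```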
- lang/go
- archivers/unzip