Differences

This shows you the differences between two versions of the page.

--- medal-hub-step-ca-setup [2021/12/28 09:32] – arnaud_poletto
+++ medal-hub-step-ca-setup [2022/01/10 14:50] (current) – removed arnaud_poletto
@@ Line 1: / Line 1: @@
-====== medAL-hub Self-signed Certificates with Step-ca Setup ======
-===== Purpose and Scope =====
-In this page, you will learn how to generate self-signed certificates with step-ca.
-===== Prerequisite =====
-You should have setup a Raspberry Pi to work as a medAL-//hub//. See the documentation [[medal-hub-setup|here]].
-===== Step-ca Installation =====
-Run the following commands to install step-ca:
-<code>
-wget https://github.com/smallstep/cli/releases/download/v0.15.14/step-cli_0.15.14_amd64.deb
-sudo dpkg -i step-cli_0.15.14_amd64.deb
-wget https://github.com/smallstep/certificates/releases/download/v0.15.11/step-ca_0.15.11_amd64.deb
-sudo dpkg -i step-ca_0.15.11_amd64.deb
-</code>
-===== Generating Certificates =====
-==== Certificate Authority Setup ====
-Run the command:
-<code>
-step ca init
-</code>
-Then, answer the questions that appear. The domain name is the CA server domain name, not the domain name of the hub. Make sure to remember the password, it will be required for generating the certificates.
-<code>
-What would you like to name your new PKI?
-✔ (e.g. Smallstep): Dynamic
-What DNS names or IP addresses would you like to add to your new CA?
-✔ (e.g. ca.smallstep.com[,1.1.1.1,etc.]): localhost
-What IP and port will your new CA bind to?
-✔ (e.g. :443 or 127.0.0.1:4343): :4343
-What would you like to name the CA's first provisioner?
-✔ (e.g. you@smallstep.com): user@domain.com
-Choose a password for your CA keys and first provisioner.
-✔ [leave empty and we'll generate one]:
-Generating root certificate...
-✔ Would you like to overwrite /home/benoit/.step/certs/root_ca.crt [y/n]: y
-all done!
-Generating intermediate certificate...
-✔ Would you like to overwrite /home/benoit/.step/certs/intermediate_ca.crt [y/n]: y
-all done!
-✔ Root certificate: /home/benoit/.step/certs/root_ca.crt
-✔ Root private key: /home/benoit/.step/secrets/root_ca_key
-✔ Root fingerprint: 03ecbe0245aa0b072d1141e574742953fe771fc33318555dba7d50d799d1b4d0
-✔ Intermediate certificate: /home/benoit/.step/certs/intermediate_ca.crt
-✔ Intermediate private key: /home/benoit/.step/secrets/intermediate_ca_key
-✔ Would you like to overwrite /home/benoit/.step/config/ca.json [y/n]: y
-✔ Would you like to overwrite /home/benoit/.step/config/defaults.json [y/n]: y
-✔ Database folder: /home/benoit/.step/db
-✔ Default configuration: /home/benoit/.step/config/defaults.json
-✔ Certificate Authority configuration: /home/benoit/.step/config/ca.json
-Your PKI is ready to go. To generate certificates for individual services see 'step help ca'.
-</code>
-After this step, a file ''root_ca.crt'' is created in the working directory. This is the certificate that must be added to the trust store of each client device.
-Before we launch the server, we have to make changes in ''~/.step/config/ca.json''. We can set the values ''maxTLSCertDuration'' and ''defaultTLSCertDuration'' to values that match our needs:
-<code>
-sudo nano ~/.step/config/ca.json
-</code>
-<code>
-"authority": {
-  "provisioners": [
-    {
-      "type": "JWK",
-      "name": "benoit-leo.maillard@unisante.ch",
-      "key": {
-          ...
-      },
-      "encryptedKey": "...",
-      "claims": {
-        "minTLSCertDuration": "5s",
-        "maxTLSCertDuration": "200000h",
-        "defaultTLSCertDuration": "200000h",
-        "disableRenewal": true
-      }
-    }
-  ]
-},
-</code>
-Generating the server certificate and key
-We can now launch the CA server
-step-ca $(step path)/config/ca.json
-We can now request a certificate (this command should be run in a new terminal tab). This commands creates two files, srv.crt and srv.key. This is the certificate/key combination that will need to be referenced in the nginx configuration.
-step ca certificate <medalhub-ip> srv.crt srv.key