====== medAL-hub Certificates with step-ca ======

===== Purpose and Scope =====

In this page, you will learn how to run a private certificate authority (CA) with step-ca and use it to issue the TLS certificate the medAL-//hub// serves. Only the CA's root certificate is self-signed; the hub's certificate is signed by that CA, which is what lets any client device that trusts the root accept the hub without a browser warning.

===== Prerequisite =====

You should have set up a Raspberry Pi to work as a medAL-//hub//. See the documentation [[setup|here]].

===== Step-ca Installation =====

Run the following commands to install the step CLI and step-ca:

<code bash>
wget https://github.com/smallstep/cli/releases/download/v0.15.14/step-cli_0.15.14_amd64.deb
sudo dpkg -i step-cli_0.15.14_amd64.deb
wget https://github.com/smallstep/certificates/releases/download/v0.15.11/step-ca_0.15.11_amd64.deb
sudo dpkg -i step-ca_0.15.11_amd64.deb
</code>

These are the ''amd64'' packages, i.e. for an x86-64 machine. The CA is meant to run on a separate machine from the hub; if you do run it on the Raspberry Pi itself, take a build for the Pi's ARM architecture from the same release pages instead.

===== Generating Certificates =====

==== Certificate Authority Setup ====

Run the command:

<code bash>
step ca init
</code>

Then answer the questions that appear. The DNS name or IP address asked for is the one of the CA server, not the one of the hub. Remember the password: it is required both to start the CA and to request certificates from it.

<code>
What would you like to name your new PKI?
✔ (e.g. Smallstep): Dynamic
What DNS names or IP addresses would you like to add to your new CA?
✔ (e.g. ca.smallstep.com[,1.1.1.1,etc.]): localhost
What IP and port will your new CA bind to?
✔ (e.g. :443 or 127.0.0.1:4343): :4343
What would you like to name the CA's first provisioner?
✔ (e.g. you@smallstep.com): user@domain.com
Choose a password for your CA keys and first provisioner.
✔ [leave empty and we'll generate one]:

Generating root certificate...
✔ Would you like to overwrite /home/benoit/.step/certs/root_ca.crt [y/n]: y
all done!

Generating intermediate certificate...
✔ Would you like to overwrite /home/benoit/.step/certs/intermediate_ca.crt [y/n]: y
all done!

✔ Root certificate: /home/benoit/.step/certs/root_ca.crt
✔ Root private key: /home/benoit/.step/secrets/root_ca_key
✔ Root fingerprint: 03ecbe0245aa0b072d1141e574742953fe771fc33318555dba7d50d799d1b4d0
✔ Intermediate certificate: /home/benoit/.step/certs/intermediate_ca.crt
✔ Intermediate private key: /home/benoit/.step/secrets/intermediate_ca_key
✔ Would you like to overwrite /home/benoit/.step/config/ca.json [y/n]: y
✔ Would you like to overwrite /home/benoit/.step/config/defaults.json [y/n]: y
✔ Database folder: /home/benoit/.step/db
✔ Default configuration: /home/benoit/.step/config/defaults.json
✔ Certificate Authority configuration: /home/benoit/.step/config/ca.json

Your PKI is ready to go. To generate certificates for individual services see 'step help ca'.
</code>

The "Would you like to overwrite" prompts only appear because ''step ca init'' had already been run on this machine; on a fresh machine they are skipped.

After this step, the root certificate is at ''$(step path)/certs/root_ca.crt'' (''~/.step/certs/root_ca.crt'' in the output above). **This is the certificate that must be added to the trust store of each client device.** The root fingerprint printed above is what you compare against when you copy ''root_ca.crt'' to a client, so that a client never trusts a root that was swapped on the way. The files under ''~/.step/secrets/'' are the CA private keys and must never leave the CA machine.

Before we launch the server, we have to edit ''~/.step/config/ca.json''. It lives in your home directory and is read by ''step-ca'' running as your user, so no ''sudo'' is needed:

<code bash>
nano ~/.step/config/ca.json
</code>

We can set the values ''maxTLSCertDuration'' and ''defaultTLSCertDuration'' to values that match our needs. The ''name'' is the provisioner name entered during ''step ca init''. The values below give the hub a certificate valid for roughly 22 years that step-ca will not renew. That is convenient for a device that is rarely touched, but it also means that a leaked ''srv.key'' stays valid until you reissue the certificate and replace it on the hub by hand, so keep that trade-off in mind when choosing the durations:

<code javascript>
"authority": {
  "provisioners": [
    {
      "type": "JWK",
      "name": "benoit-leo.maillard@unisante.ch",
      "key": { ... },
      "encryptedKey": "...",
      "claims": {
        "minTLSCertDuration": "5s",
        "maxTLSCertDuration": "200000h",
        "defaultTLSCertDuration": "200000h",
        "disableRenewal": true
      }
    }
  ]
},
</code>

==== Generating the Server Certificate and Key ====

We can now launch the CA server (it asks for the password chosen above to decrypt the CA keys):

<code bash>
step-ca $(step path)/config/ca.json
</code>

We can now request a certificate (this command should be run in a new terminal tab). The first argument is the subject: the hostname or IP address under which the clients reach the hub. It becomes the certificate's subject alternative name, so it must match exactly what the clients type in their browser; ''<hub-hostname>'' below is a placeholder for it. The certificate is issued for ''defaultTLSCertDuration'' unless you pass ''--not-after''. The command creates two files, ''srv.crt'' and ''srv.key''. **This is the certificate/key combination that will need to be referenced in the nginx configuration.** Copy both to the hub, and make ''srv.key'' readable only by the user nginx runs as.

<code bash>
step ca certificate <hub-hostname> srv.crt srv.key
</code>
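The provisioner claims in ''ca.json'' decide how long ''srv.crt'' lives and whether it can ever be renewed, and step-ca only tells you what it issued after the fact. As an added example (not part of this page, of medAL-hub, or of the step project), here is a small Python lint that reads the ''claims'' of every provisioner from a ''ca.json'' text, parses the durations with the same syntax step-ca uses (''200000h'', ''5s'', ''1h30m''), and reports settings worth a second look. The two ''ca.json'' fragments inside it are constructed for the example: one mirrors the claims above, the other shows a short-lived alternative. The 90-day threshold and the function names are this example's own choices, not anything step-ca defines.

```python
"""Added example (not part of the medAL-hub page or of step-ca): lint the
certificate-lifetime claims of the provisioners in a step-ca ca.json."""
import json
import re

# step-ca reads durations in Go syntax: one or more <number><unit> pairs,
# e.g. "200000h", "5s", "1h30m", "1.5h". Units are ns, us/µs, ms, s, m, h.
_PART = re.compile(r"(\d+(?:\.\d*)?|\.\d+)(ns|us|µs|ms|s|m|h)")
_SECONDS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3,
            "s": 1.0, "m": 60.0, "h": 3600.0}

DAY = 24 * 3600.0


def parse_go_duration(text):
    """Return the duration in seconds; raise ValueError for anything Go rejects
    (missing unit, junk between parts, empty string)."""
    if text == "0":
        return 0.0
    pos, total = 0, 0.0
    for m in _PART.finditer(text):
        if m.start() != pos:  # something unparsable sits between two parts
            raise ValueError(f"bad duration {text!r}")
        total += float(m.group(1)) * _SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):  # no part at all, or trailing junk
        raise ValueError(f"bad duration {text!r}")
    return total


def lint_claims(ca_json_text, max_leaf_days=90):
    """Return a list of (provisioner name, finding) tuples.

    max_leaf_days is this example's threshold, not a step-ca setting.
    Absent claims fall back to step-ca's documented defaults (24h/24h/5m)."""
    findings = []
    cfg = json.loads(ca_json_text)
    for prov in cfg.get("authority", {}).get("provisioners", []):
        name = prov.get("name", "<unnamed>")
        claims = prov.get("claims", {})
        min_d = parse_go_duration(claims.get("minTLSCertDuration", "5m"))
        default_d = parse_go_duration(claims.get("defaultTLSCertDuration", "24h"))
        max_d = parse_go_duration(claims.get("maxTLSCertDuration", "24h"))
        if not (min_d <= default_d <= max_d):
            findings.append((name, "inconsistent claims: expected min <= default <= max"))
        if max_d > max_leaf_days * DAY:
            findings.append((name, f"maxTLSCertDuration allows {max_d / DAY:.0f}-day "
                                   f"certificates (threshold {max_leaf_days} days)"))
        if claims.get("disableRenewal", False) and default_d > max_leaf_days * DAY:
            findings.append((name, "long-lived certificates with disableRenewal: a leaked "
                                   "key stays valid until the certificate is reissued by hand"))
    return findings


# Constructed input 1: the claims shown on this page (only the parts the lint reads).
PAGE_STYLE_CA_JSON = json.dumps({"authority": {"provisioners": [{
    "type": "JWK", "name": "user@domain.com",
    "claims": {"minTLSCertDuration": "5s", "maxTLSCertDuration": "200000h",
               "defaultTLSCertDuration": "200000h", "disableRenewal": True}}]}})

# Constructed input 2: a short-lived alternative that relies on renewal instead.
SHORT_LIVED_CA_JSON = json.dumps({"authority": {"provisioners": [{
    "type": "JWK", "name": "user@domain.com",
    "claims": {"minTLSCertDuration": "5m", "maxTLSCertDuration": "2160h",
               "defaultTLSCertDuration": "24h", "disableRenewal": False}}]}})


if __name__ == "__main__":
    for label, text in (("page-style", PAGE_STYLE_CA_JSON), ("short-lived", SHORT_LIVED_CA_JSON)):
        print(f"{label}:")
        for prov, msg in lint_claims(text) or [("-", "no findings")]:
            print(f"  {prov}: {msg}")
```

Run it against the real file with ''python3 lint.py'' after replacing the constructed fragments by ''open(step_path + "/config/ca.json").read()''; the ''key'' and ''encryptedKey'' fields of a real provisioner are ignored by the lint, so the whole file can be fed in as-is. The parser rejects a bare ''"200000"'' without unit, which is the usual typo when editing these claims by hand.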