medAL-hub Self-signed Certificates with Step-ca Setup
Purpose and Scope
In this page, you will learn how to generate self-signed certificates with step-ca.
Prerequisite
You should have set up a Raspberry Pi to work as a medAL-hub. See the documentation here.
Step-ca Installation
Run the following commands to install step-ca:
wget https://github.com/smallstep/cli/releases/download/v0.15.14/step-cli_0.15.14_amd64.deb
sudo dpkg -i step-cli_0.15.14_amd64.deb
wget https://github.com/smallstep/certificates/releases/download/v0.15.11/step-ca_0.15.11_amd64.deb
sudo dpkg -i step-ca_0.15.11_amd64.deb
Generating Certificates
Certificate Authority Setup
Run the command:
step ca init
Then answer the questions that appear. The domain name asked for is the CA server's domain name, not the domain name of the hub. Make sure to remember the password; it will be required when generating the certificates.
✔ What would you like to name your new PKI? (e.g. Smallstep): Dynamic
✔ What DNS names or IP addresses would you like to add to your new CA? (e.g. ca.smallstep.com[,1.1.1.1,etc.]): localhost
✔ What IP and port will your new CA bind to? (e.g. :443 or 127.0.0.1:4343): :4343
✔ What would you like to name the CA's first provisioner? (e.g. you@smallstep.com): user@domain.com
✔ Choose a password for your CA keys and first provisioner. [leave empty and we'll generate one]:

Generating root certificate...
✔ Would you like to overwrite /home/benoit/.step/certs/root_ca.crt [y/n]: y
all done!

Generating intermediate certificate...
✔ Would you like to overwrite /home/benoit/.step/certs/intermediate_ca.crt [y/n]: y
all done!

✔ Root certificate: /home/benoit/.step/certs/root_ca.crt
✔ Root private key: /home/benoit/.step/secrets/root_ca_key
✔ Root fingerprint: 03ecbe0245aa0b072d1141e574742953fe771fc33318555dba7d50d799d1b4d0
✔ Intermediate certificate: /home/benoit/.step/certs/intermediate_ca.crt
✔ Intermediate private key: /home/benoit/.step/secrets/intermediate_ca_key
✔ Would you like to overwrite /home/benoit/.step/config/ca.json [y/n]: y
✔ Would you like to overwrite /home/benoit/.step/config/defaults.json [y/n]: y
✔ Database folder: /home/benoit/.step/db
✔ Default configuration: /home/benoit/.step/config/defaults.json
✔ Certificate Authority configuration: /home/benoit/.step/config/ca.json

Your PKI is ready to go. To generate certificates for individual services see 'step help ca'.
After this step, a file root_ca.crt is created in the working directory. This is the certificate that must be added to the trust store of each client device.
Before we launch the server, we have to make changes in ~/.step/config/ca.json:
sudo nano ~/.step/config/ca.json
We can set the values maxTLSCertDuration and defaultTLSCertDuration to values that match our needs:
"authority": {
    "provisioners": [
        {
            "type": "JWK",
            "name": "benoit-leo.maillard@unisante.ch",
            "key": { ... },
            "encryptedKey": "...",
            "claims": {
                "minTLSCertDuration": "5s",
                "maxTLSCertDuration": "200000h",
                "defaultTLSCertDuration": "200000h",
                "disableRenewal": true
            }
        }
    ]
},
Generating the Server Certificate and Key
We can now launch the CA server:
step-ca $(step path)/config/ca.json
We can now request a certificate (run this command in a new terminal tab, since step-ca is still running in the first one). This command creates two files, srv.crt and srv.key. This is the certificate/key pair that will need to be referenced in the nginx configuration.
step ca certificate <medalhub-ip> srv.crt srv.key