
medAL-hub Self-signed Certificates with Step-ca Setup

Purpose and Scope

In this page, you will learn how to generate self-signed certificates with step-ca.

Prerequisite

You should have set up a Raspberry Pi to work as a medAL-hub. See the documentation here.

Step-ca Installation

Run the following commands to install step-ca:

wget https://github.com/smallstep/cli/releases/download/v0.15.14/step-cli_0.15.14_amd64.deb
sudo dpkg -i step-cli_0.15.14_amd64.deb
wget https://github.com/smallstep/certificates/releases/download/v0.15.11/step-ca_0.15.11_amd64.deb
sudo dpkg -i step-ca_0.15.11_amd64.deb

Generating Certificates

Certificate Authority Setup

Run the command:

step ca init

Then answer the questions that appear. The domain name asked for is the CA server's domain name, not the domain name of the hub. Make sure to remember the password: it will be required when generating the certificates.

What would you like to name your new PKI?
✔ (e.g. Smallstep): Dynamic
What DNS names or IP addresses would you like to add to your new CA?
✔ (e.g. ca.smallstep.com[,1.1.1.1,etc.]): localhost
What IP and port will your new CA bind to?
✔ (e.g. :443 or 127.0.0.1:4343): :4343
What would you like to name the CA's first provisioner?
✔ (e.g. you@smallstep.com): user@domain.com
Choose a password for your CA keys and first provisioner.
✔ [leave empty and we'll generate one]: 

Generating root certificate... 
✔ Would you like to overwrite /home/benoit/.step/certs/root_ca.crt [y/n]: y
all done!

Generating intermediate certificate... 
✔ Would you like to overwrite /home/benoit/.step/certs/intermediate_ca.crt [y/n]: y
all done!

✔ Root certificate: /home/benoit/.step/certs/root_ca.crt
✔ Root private key: /home/benoit/.step/secrets/root_ca_key
✔ Root fingerprint: 03ecbe0245aa0b072d1141e574742953fe771fc33318555dba7d50d799d1b4d0
✔ Intermediate certificate: /home/benoit/.step/certs/intermediate_ca.crt
✔ Intermediate private key: /home/benoit/.step/secrets/intermediate_ca_key
✔ Would you like to overwrite /home/benoit/.step/config/ca.json [y/n]: y
✔ Would you like to overwrite /home/benoit/.step/config/defaults.json [y/n]: y
✔ Database folder: /home/benoit/.step/db
✔ Default configuration: /home/benoit/.step/config/defaults.json
✔ Certificate Authority configuration: /home/benoit/.step/config/ca.json

Your PKI is ready to go. To generate certificates for individual services see 'step help ca'.

After this step, the root certificate root_ca.crt has been created (its path is printed in the output above, ~/.step/certs/root_ca.crt). This is the certificate that must be added to the trust store of each client device. Before we launch the server, we have to make changes in ~/.step/config/ca.json:

sudo nano ~/.step/config/ca.json

In the provisioner's claims, we can set maxTLSCertDuration and defaultTLSCertDuration to values that match our needs (the fragment below also sets minTLSCertDuration and disables renewal):

"authority": {
  "provisioners": [
    {
      "type": "JWK",
      "name": "benoit-leo.maillard@unisante.ch",
      "key": {
          ...
      },
      "encryptedKey": "...",
      "claims": {
        "minTLSCertDuration": "5s",
        "maxTLSCertDuration": "200000h",
        "defaultTLSCertDuration": "200000h",
        "disableRenewal": true
      }
    }
  ]
},
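As an added example (not part of this wiki page or of step-ca itself), a small Python helper that applies the TLS duration claims above to a ca.json document and checks, before anything is written, that the values satisfy min <= default <= max, which step-ca requires when it loads the file. The provisioner name, the constructed sample ca.json and the function names are assumptions.

```python
import json
import re

# Go-style duration units as accepted in step-ca provisioner claims ("5s", "200000h", "1h30m").
_UNITS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)")

# Constructed stand-in for the ca.json written by 'step ca init'; key material deliberately elided.
SAMPLE_CA_JSON = """{"authority": {"provisioners": [
  {"type": "JWK", "name": "user@domain.com", "key": {"kty": "EC"}, "encryptedKey": "..."}]}}"""

def parse_duration(text):
    """Convert a Go duration string such as '200000h' into seconds; reject anything malformed."""
    pos, total = 0, 0.0
    for m in _TOKEN.finditer(text):
        if m.start() != pos:
            raise ValueError(f"bad duration: {text!r}")
        total += float(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad duration: {text!r}")
    return total

def claims_are_consistent(min_d, max_d, default_d):
    """step-ca rejects claims unless min <= default <= max, so check before touching the file."""
    lo, hi, dflt = (parse_duration(d) for d in (min_d, max_d, default_d))
    return lo <= dflt <= hi

def set_tls_claims(ca_json, provisioner, min_d, max_d, default_d, disable_renewal=True):
    """Return ca_json with the TLS duration claims set on the named provisioner only."""
    if not claims_are_consistent(min_d, max_d, default_d):
        raise ValueError("need minTLSCertDuration <= defaultTLSCertDuration <= maxTLSCertDuration")
    for prov in ca_json["authority"]["provisioners"]:
        if prov.get("name") == provisioner:
            prov.setdefault("claims", {}).update({
                "minTLSCertDuration": min_d,
                "maxTLSCertDuration": max_d,
                "defaultTLSCertDuration": default_d,
                "disableRenewal": disable_renewal,
            })
            return ca_json
    raise KeyError(f"provisioner {provisioner!r} not found in ca.json")

def update_ca_json_text(text, provisioner, min_d, max_d, default_d):
    """Apply set_tls_claims to the contents of ca.json and return the re-serialised JSON text."""
    return json.dumps(set_tls_claims(json.loads(text), provisioner, min_d, max_d, default_d), indent=2)
```

To use it on the real file, read $(step path)/config/ca.json, pass its text to update_ca_json_text, and write the result back before starting step-ca.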

Generating the Server Certificate and Key

We can now launch the CA server:

step-ca $(step path)/config/ca.json

We can now request a certificate (this command should be run in a new terminal tab, because the CA server keeps running in the first one). This command creates two files, srv.crt and srv.key. This is the certificate/key pair that will need to be referenced in the nginx configuration.

step ca certificate <medalhub-ip> srv.crt srv.key

medal-hub/step-ca-setup.txt · Last modified: 2022/01/10 14:50 by arnaud_poletto