Self-Hosted ACME (Automated Certificate Management Environment) Server with Step-CA on Linux

What is Step-CA?

[Step-CA is] a private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH. -https://github.com/smallstep/certificates

Installing Step-CA and Step-CLI

  1. Log into the Linux device
  2. Run the following commands in a terminal
    # update software repositories
    sudo apt update
    # install available software updates
    sudo apt upgrade -y
    # install prerequisites
    sudo apt install curl wget -y
    # clean up downloaded apt files
    sudo apt clean
    # lookup latest steps-ca release URL
    regex='"browser_download_url": "(https:\/\/github.com\/smallstep\/cli\/releases\/download\/[^/]*\/step-cli_[^/]*amd64\.deb)"' && response=$(curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/smallstep/cli/releases/latest) && [[ $response =~ $regex ]] && downloadURL="${BASH_REMATCH[1]}"
    # download steps-ca server
    wget -O ./steps-ca.deb $downloadURL
    # install steps-ca server
    sudo dpkg -i ./steps-ca.deb
    # lookup latest steps-cli release URL
    regex='"browser_download_url": "(https:\/\/github.com\/smallstep\/cli\/releases\/download\/[^/]*\/step-cli_[^/]*amd64\.deb)"' && response=$(curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/smallstep/cli/releases/latest) && && downloadURL="${BASH_REMATCH[1]}"
    # download steps-cli client
    wget -O ./steps-cli.deb $downloadURL
    # install steps-cli client
    sudo dpkg -i ./steps-cli.deb
    # create the /etc/step-ca directory
    sudo mkdir /etc/step-ca
    # elevate to root user
    sudo su
    # set the step-ca path
    export STEPPATH=/etc/step-ca

Initialize A New Certificate Authority

  1. Continue with the following commands in a terminal
    # initilize a CA
    step ca init
  2. Select standalone > press Enter
  3. Enter a name for the PKI/Certificate Authority [ie i12bretro Certificate Authority] > Press Enter
  4. Enter the IP address and/or DNS name of the Step-CA host [ie debian.i12bretro.local,192.168.0.57] > Press Enter
  5. Enter the port for Step-CA to listen on [ie :8443] > Press Enter
  6. Enter a first provisioner e-mail address [ie i12bretro@i12bretro.local] > Press Enter
  7. Enter a password for the CA or leave it blank to have a password generated > Press Enter

Installing Step-CA Service/Daemon

  1. Continue with the following commands in a terminal
    # add ACME provisioner
    step ca provisioner add acme --type ACME
    # exit root shell
    exit
    # create password.txt, replace with the CA password
    echo '$YourCAPassword!!' | sudo tee -a /etc/step-ca/password.txt > /dev/null
    # create step-ca user
    sudo useradd --system --home /etc/step-ca --shell /bin/false step-ca
    # set ownership of /etc/step-ca
    sudo chown step-ca:step-ca /etc/step-ca -R
    # limit permissions on the password.txt file
    sudo chmod 400 /etc/step-ca/password.txt
    # create step-ca log directory
    sudo mkdir /var/log/step-ca -p
    # set ownership of step-ca logs
    sudo chown step-ca:step-ca /var/log/step-ca -R
    # edit the ca configuration
    sudo nano /etc/step-ca/config/ca.json
  2. By default, step-ca certificates are only valid for 24 hours. To adjust this, paste the following inside each of the provisioners sections of the ca.json configuration file and adjust the values as needed

    "claims": {
    "maxTLSCertDuration":"26280h",
    "defaultTLSCertDuration":"8760h"
    },

  3. Press CTRL+O, Enter, CTRL+X to write the changes and close nano
  4. Continue with the following commands in a terminal
    # create service file
    sudo nano /etc/systemd/system/step-ca.service
  5. Paste the following configuration into step-ca.service

    [Unit]
    Description=step-ca service
    After=network.target
    StartLimitIntervalSec=0

    [Service]
    Type=simple
    Restart=always
    RestartSec=1
    User=step-ca
    Group=step-ca
    Environment=STEPPATH=/etc/step-ca
    ExecStart=/bin/sh -c "/usr/bin/step-ca ${STEPPATH}/config/ca.json --password-file=${STEPPATH}/password.txt >> /var/log/step-ca/step-ca.log 2>&1"

    [Install]
    WantedBy=multi-user.target

  6. Press CTRL+O, Enter, CTRL+X to write the changes and close nano
  7. Continue with the following commands to enable and start the service:
    # reload systemd services
    sudo systemctl daemon-reload
    # start step-ca service on boot and now
    sudo systemctl enable step-ca --now

Automating Certificate Requests

  1. Log into the server needing to request a certificate
  2. Continue following commands in a terminal window
    # copy the step-ca root certificate to trusted certs
    sudo cp /etc/step-ca/certs/root_ca.crt /usr/local/share/ca-certificates/
    # copy the step-ca intermediate certificate to trusted certs
    sudo cp /etc/step-ca/certs/intermediate_ca.crt /usr/local/share/ca-certificates/
    # update ca certs
    sudo update-ca-certificates
    # remove apt version of certbot if installed
    sudo apt remove certbot -y
    # install snapd
    sudo apt install snapd -y
    # install snap core and update
    sudo snap install core; sudo snap refresh core
    # install certbot snap
    sudo snap install --classic certbot
    # create certbot symbolic link
    sudo ln -s /snap/bin/certbot /usr/bin/certbot
    # request the certificate
    sudo REQUESTS_CA_BUNDLE=/etc/step-ca/certs/root_ca.crt certbot certonly --standalone -d <%host%> --server https://<%step-ca-host%>:<%step-ca-port%>/acme/acme/directory
  3. When prompted, enter an email address and agree to the terms of service
  4. Choose whether to share your email and receive emails from certbot
  5. Certbot will output information regarding the location of the certificate files

Sources: https://smallstep.com/docs/step-ca/installation
https://certbot.eff.org/instructions?ws=other&os=debianbuster
https://smallstep.com/docs/tutorials/acme-challenge/