29 June 2024

How to Set Up and Use Step-ca and Certbot Locally

Introduction

A local installation of a private PKI can be useful to understand the tooling used, and to develop and test routines and automation for issuing, renewing and deploying certificates. For instance, your company might use certbot to issue and renew certificates using ACME against your own CA, or a public CA like Sectigo or Let’s Encrypt. The server where certbot is used is hopefully locked down and you might not have access, so a local installation is practical.

In this post I show how you can install and use step-ca and certbot locally on your Linux machine (Manjaro in my case) to issue private certificates.

The main resources I used are listed at the end of this article.

step-ca

Install step-ca and step-cli, and create a symlink for step:

sudo pacman -S step-cli step-ca
sudo ln -s /usr/bin/step-cli /usr/local/bin/step

We’re going to set up a CA for the internal domain, where the CA is reachable at ca.internal.

Initialize step-ca, adding the ACME provisioner (the --acme flag creates a provisioner named "acme", which later appears in the ACME directory URL):

step ca init --acme

✔ Deployment Type: Standalone
What would you like to name your new PKI?
✔ (e.g. Smallstep): Example
What DNS names or IP addresses will clients use to reach your CA?
✔ (e.g. ca.example.com[,10.1.2.3,etc.]): ca.internal
What IP and port will your new CA bind to? (:443 will bind to 0.0.0.0:443)
✔ (e.g. :443 or 127.0.0.1:443): :443
What would you like to name the CA's first provisioner?
✔ (e.g. you@smallstep.com): michael@example.com
Choose a password for your CA keys and first provisioner.
✔ [leave empty and we'll generate one]:

Generating root certificate... done!
Generating intermediate certificate... done!

✔ Root certificate: /home/michael/.step/certs/root_ca.crt
✔ Root private key: /home/michael/.step/secrets/root_ca_key
✔ Root fingerprint: 25b5161fad15c05a4b4803eb98bcf1941eb31bc5075794942f928dc9c06540d2
✔ Intermediate certificate: /home/michael/.step/certs/intermediate_ca.crt
✔ Intermediate private key: /home/michael/.step/secrets/intermediate_ca_key
✔ Database folder: /home/michael/.step/db
✔ Default configuration: /home/michael/.step/config/defaults.json
✔ Certificate Authority configuration: /home/michael/.step/config/ca.json

Your PKI is ready to go. To generate certificates for individual services see 'step help ca'.

Add ca.internal to your /etc/hosts file:

127.0.0.1  ca.internal

Start step-ca using:

sudo step-ca $(step path)/config/ca.json

certbot

Install certbot using

sudo pacman -S certbot

We want to generate a certificate for foo.internal.

Add this host to /etc/hosts:

127.0.0.1  foo.internal

Request the certificate with the following command:

sudo REQUESTS_CA_BUNDLE=$(step path)/certs/root_ca.crt \
       certbot certonly -n --standalone -d foo.internal \
       --server https://ca.internal/acme/acme/directory \
       --agree-tos --email michael@example.com

The step-ca server presents a certificate that chains to our self-signed root, which certbot (through the Python requests library) does not trust by default, so REQUESTS_CA_BUNDLE points it at that root. The certificate should not be installed anywhere, hence certonly. -d specifies the domain for the certificate, and --server the ACME directory URL of the step-ca server configured in the previous section (the second "acme" in the path is the provisioner name). -n runs certbot non-interactively, so --agree-tos and --email are needed to accept the terms of service and register the account without prompting.

The output is

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for foo.internal

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/foo.internal/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/foo.internal/privkey.pem
This certificate expires on 2024-06-30.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but
  you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
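Two things worth checking after the setup above: that the step-ca endpoint really is trusted by the private root (the same trust REQUESTS_CA_BUNDLE gives certbot), and how close the issued certificate is to certbot's default 30-day renewal threshold. The certificate above expires the day after issuance (step-ca's default leaf lifetime is 24 hours), so every certbot renew run will renew it. The following is an added example, not code from the post or from step-ca or certbot; the paths and the ca.internal:443 endpoint are taken from the post, and SAMPLE_CERT is constructed data in the shape getpeercert() returns.

```python
import socket
import ssl
import time

ROOT_CA = "/home/michael/.step/certs/root_ca.crt"  # root written by `step ca init` (from the post)
CA_HOST, CA_PORT = "ca.internal", 443             # bind address chosen during init (from the post)

# Constructed sample in getpeercert() format, used when no CA is reachable.
SAMPLE_CERT = {
    "subject": ((("commonName", "ca.internal"),),),
    "issuer": ((("commonName", "Example Intermediate CA"),),),
    "notAfter": "Jun 30 00:00:00 2024 GMT",
}


def fetch_peer_cert(host, port, cafile):
    """TLS handshake trusting only `cafile`, with hostname verification on.
    Raises ssl.SSLCertVerificationError if the server's chain does not lead to
    that root: the same failure certbot hits without REQUESTS_CA_BUNDLE."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def name_field(cert, section, key):
    """Pull one attribute (e.g. commonName) out of the nested RDN tuples that
    getpeercert() returns for 'subject' and 'issuer'; None if absent."""
    for rdn in cert.get(section, ()):
        for attr_key, value in rdn:
            if attr_key == key:
                return value
    return None


def renewal_due(not_after, now, days=30):
    """certbot's default rule: renew when fewer than `days` of validity remain.
    `not_after` is in getpeercert() format, e.g. 'Jun 30 00:00:00 2024 GMT' (UTC)."""
    return ssl.cert_time_to_seconds(not_after) - now < days * 86400


def describe(cert, now=None):
    """Summarise a peer certificate: who it is for, who issued it, renewal state."""
    now = time.time() if now is None else now
    return {
        "subject": name_field(cert, "subject", "commonName"),
        "issuer": name_field(cert, "issuer", "commonName"),
        "not_after": cert["notAfter"],
        "renewal_due": renewal_due(cert["notAfter"], now),
    }


if __name__ == "__main__":
    print(describe(fetch_peer_cert(CA_HOST, CA_PORT, ROOT_CA)))
```

REQUESTS_CA_BUNDLE is an environment variable rather than a stored renewal parameter, so an unattended certbot renew (timer or cron) needs it set the same way the manual command above does.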

And we’re done :-)

Tags: Certificates Security