Hey all, I just recently came across step(-ca) and believe it's the solution I'm looking for to get trusted certs on a private network. I tried following the getting started guide on docker and hit a snag on this particular line where you have to bootstrap the step client
In my use case, I needed this (everything involving step(-ca)) to be fully self contained, in that if an end user has Docker installed it's possible to configure the Dockerfiles, config files etc. and the docker-compose.yml in a way that allows everything to be launched with

For context, I have webapp and db containers that are fully self contained and launched together via docker-compose. Right now I'm using a self-signed cert and wanted to integrate step(-ca) with my app to get rid of the browser warning. For me, self contained means the only thing an end user needs to do is install Docker and run docker-compose up, giving them zero overhead and no tedious configuration to do. Is it possible for me to package step(-ca) in a way that allows it to be run from docker-compose without having to install anything else on the host machine? So far the docs read like setting up step on the host is a prerequisite, even though I also read it as simply being a client that interacts with the step-ca server.
Replies: 2 comments 1 reply
@se316 If you look at the entrypoint.sh used by the step-ca Dockerfile, you can define some environment variables, DOCKER_STEPCA_INIT_NAME, DOCKER_STEPCA_INIT_DNS_NAMES and optionally DOCKER_STEPCA_INIT_PROVISIONER_NAME, DOCKER_STEPCA_INIT_PASSWORD and DOCKER_STEPCA_INIT_SSH, to automatically initialize step-ca. You can define the ones you need in docker-compose.yaml and, if the PKI hasn't been initialized, it will create a new one. I don't think we have an example for your case, but we have an example here that uses a previously initialized PKI.
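A docker-compose.yaml that wires those DOCKER_STEPCA_INIT_* variables into a self-initializing CA service next to the webapp, as an added example that is not part of this thread or of the smallstep project's own documentation. The service and volume names, the CA hostname ca.internal, the listening port 9000 and the use of /home/step as the CA's state directory are assumptions made for this example:

```yaml
# Added example (not from the original thread or the smallstep project).
# On first "docker compose up" the step-ca entrypoint sees an empty state
# directory and initializes a new PKI from the DOCKER_STEPCA_INIT_* variables;
# on later starts it finds the existing PKI in the volume and just runs.
services:
  step-ca:
    image: smallstep/step-ca
    environment:
      # Human-readable CA name (required for auto-init per the reply above).
      DOCKER_STEPCA_INIT_NAME: "Internal CA"
      # Comma-separated names the CA's own TLS cert must cover: the compose
      # service name for in-network clients, plus an assumed external hostname.
      DOCKER_STEPCA_INIT_DNS_NAMES: "step-ca,ca.internal"
      # Optional: name of the first (JWK) provisioner created at init.
      DOCKER_STEPCA_INIT_PROVISIONER_NAME: "admin"
      # Optional: password protecting the CA keys. Assumption: taken from the
      # host environment so no secret is committed into this file; compose
      # fails fast if STEPCA_PASSWORD is unset.
      DOCKER_STEPCA_INIT_PASSWORD: "${STEPCA_PASSWORD:?set STEPCA_PASSWORD}"
      # Optional: set to "true" to also create SSH host/user CA keys; left
      # off because the webapp only needs TLS.
      DOCKER_STEPCA_INIT_SSH: "false"
    volumes:
      # Assumed state path: root/intermediate keys, config and the password
      # file all live here, so this volume must never be mounted into the app.
      - step-ca-data:/home/step
    ports:
      # Assumed CA listen port; only publish it if clients outside the compose
      # network need to reach the CA.
      - "9000:9000"
    restart: unless-stopped

  webapp:
    build: .
    depends_on:
      - step-ca
    environment:
      # Assumed: the app (or an entrypoint in its image) points the step
      # client at the CA by service name over the compose network.
      STEP_CA_URL: "https://step-ca:9000"

volumes:
  step-ca-data:
```

The named volume is the trust boundary here: it holds the CA's private keys and the initialization password, so it should be shared with nothing else. The step client in the webapp container still needs the root fingerprint before it can trust the CA; assuming the image's working directory is /home/step, `docker compose exec step-ca step certificate fingerprint certs/root_ca.crt` prints it after the first start, and that value plus the CA URL is what `step ca bootstrap --ca-url ... --fingerprint ...` takes. Distributing only the root certificate (not the volume) to clients keeps the key material inside the CA container.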
Thank you for your response! I spent about an hour reading the docs initially and looked through the code today; making this all self-provision is a bit beyond me at the moment, so I'll need to look into other containerized PKI options that are a bit better documented or have tutorials/examples floating around online. Seeing "PKI" was definitely a nudge in the right direction.