How to Run Your Own Private CA—Get Going with the Smallstep Onboarding Utility
It's not too uncommon to run across a section of security documentation that does one of two things:
- Mentions in passing "you'll need to run your own certificate authority to issue certificates." These articles leave all the why and how details for you to explore elsewhere on your own.
- Presents a series of OpenSSL commands. These pieces tell you how to create keys and issue certificates with varying degrees of detail. But, they often skimp on guidance about how the process fits into your broader ecosystem.
The step toolchain seeks to fill the tooling gap in public key infrastructure. It provides a private online CA and a "humanized" command-line interface.
I joined Smallstep recently as a (remote) software engineer working on Web UIs. I found myself in the same boat as a lot of our users. I had a cursory understanding of certificates and PKI concepts. But, I had a weak grasp on how to make this stuff work in a real architecture. I realized my need for a quick-and-dirty resource that could guide me through the main concepts and show me the technology in practice.
Consequently, we've designed a new interactive onboarding utility. It does some helpful hand-holding through two key actions: 1) running your own online certificate authority—step-ca—and 2) connecting two systems in your infrastructure securely through mutual TLS, using certificates from your CA. In the process, you'll receive a high-level view of public key infrastructure.
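To make the second action concrete, here is an added, self-contained Go example (not code from the onboarding utility or from Smallstep) of what "two systems connected through mutual TLS using certificates from your CA" means at the protocol level. A tiny in-process root CA stands in for step-ca, and the names (`NewPKI`, `StartServer`, `Connect`, the hostnames `api.internal` and `worker-01`) are constructed for illustration. The server accepts only peers presenting a leaf signed by that CA, so a connection with no certificate, or with a certificate from a different CA, is rejected during the handshake before any application data flows.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"strings"
	"time"
)

// PKI is a constructed toy hierarchy: one root CA and two leaf certificates.
// In the setup the post describes, step-ca plays the role of the CA.
type PKI struct {
	Pool   *x509.CertPool  // trust anchor distributed to both systems
	Server tls.Certificate // leaf presented by the listening side
	Client tls.Certificate // leaf presented by the connecting side
}

// issue signs tmpl with the parent's key, or self-signs when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func template(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
}

// NewPKI builds a root CA plus a server leaf and a client leaf signed by it.
func NewPKI() (*PKI, error) {
	caTmpl := template("Toy Root CA", 1)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage = x509.KeyUsageCertSign
	caCert, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	srvTmpl := template("api.internal", 2) // hypothetical service name
	srvTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	srvTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	srvTmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")} // SAN must match the dialed address
	srvCert, srvKey, err := issue(srvTmpl, caCert, caKey)
	if err != nil {
		return nil, err
	}
	cliTmpl := template("worker-01", 3) // hypothetical client identity
	cliTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	cliTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	cliCert, cliKey, err := issue(cliTmpl, caCert, caKey)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return &PKI{
		Pool:   pool,
		Server: tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey},
		Client: tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey},
	}, nil
}

// StartServer listens on a loopback port and requires a CA-issued client cert.
// Each authenticated connection receives one greeting line naming the peer.
func StartServer(p *PKI) (net.Listener, error) {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{p.Server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this is what makes it *mutual* TLS
		ClientCAs:    p.Pool,
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				tc := c.(*tls.Conn)
				if err := tc.Handshake(); err != nil {
					return // unauthenticated peer: rejected before any app data
				}
				peer := tc.ConnectionState().PeerCertificates[0]
				fmt.Fprintf(c, "hello %s\n", peer.Subject.CommonName)
			}(conn)
		}
	}()
	return ln, nil
}

// Connect dials addr trusting pool, optionally presenting cert, and returns the greeting.
func Connect(addr string, pool *x509.CertPool, cert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{*cert}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err // server cert not trusted, or TLS 1.2 client-auth failure
	}
	defer conn.Close()
	line, err := io.ReadAll(conn) // under TLS 1.3 a rejected client cert surfaces here as an alert
	if err != nil {
		return "", err
	}
	if len(line) == 0 {
		return "", errors.New("connection closed without greeting")
	}
	return strings.TrimSpace(string(line)), nil
}

func main() {
	p, err := NewPKI()
	if err != nil {
		panic(err)
	}
	ln, err := StartServer(p)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	fmt.Println(Connect(ln.Addr().String(), p.Pool, &p.Client)) // hello worker-01 <nil>
	fmt.Println(Connect(ln.Addr().String(), p.Pool, nil))       // "" and a handshake/alert error
}
```

The two settings that matter are `ClientAuth: tls.RequireAndVerifyClientCert` together with `ClientCAs` on the server, and `RootCAs` on the client: each side verifies the other against the same trust anchor, which in the utility's flow is the root issued by your step-ca. Calling `NewPKI` a second time yields an unrelated CA, which is a quick way to confirm that a certificate from a different issuer is refused even though its subject names look identical.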
We hope the utility is a help to some who are eager to get going. We'd appreciate it if you'd give it a try. But, most of all, we'd love any feedback on points of confusion or areas that still seem too opaque.
For those who want to dive deep and learn the ins and outs of public key infrastructure, we recommend reading our blog post Everything you should know about certificates and PKI but are too afraid to ask. Move on to the Smallstep Design Document and the docs.