The following environment variables are available for CA configuration:
DOCKER_STEPCA_INIT_NAME (required) the name of your CA—this will be the issuer of your CA certificates
DOCKER_STEPCA_INIT_DNS_NAMES (required) the hostname(s) or IPs that the CA will accept requests on
DOCKER_STEPCA_INIT_PROVISIONER_NAME a label for the initial admin (JWK) provisioner. Default: "admin"
DOCKER_STEPCA_INIT_SSH set this to a non-empty value to create an SSH CA
DOCKER_STEPCA_INIT_PASSWORD specify a password for the encrypted CA keys and the default CA provisioner. A password is generated by default. Note: In a production environment, a more secure option for specifying a password is to use the manual installation process, below.
Once step-ca is running, the CA's URL and SHA256 fingerprint are all clients need to bootstrap with the CA.
Let's bootstrap the step client. Run:
CA_FINGERPRINT=$(docker run -v step:/home/step smallstep/step-ca step certificate fingerprint certs/root_ca.crt)
step ca bootstrap --ca-url https://localhost:9000 --fingerprint $CA_FINGERPRINT
The root certificate has been saved in /Users/alice/.step/certs/root_ca.crt.
Your configuration has been saved in /Users/alice/.step/config/defaults.json.
Your CA is ready for use. You can view your CA password via:
docker run -v step:/home/step smallstep/step-ca cat secrets/password
1. Pull down the Docker image
Get the latest version of step-ca
docker pull smallstep/step-ca
2. Bring up PKI bootstrapping container
The Docker volume step will hold your CA configuration, keys, and database.
docker run -it -v step:/home/step smallstep/step-ca step ca init
The init command will step you through the bootstrapping process. Example output:
✔ What would you like to name your new PKI? (e.g. Smallstep): Smallstep
✔ What DNS names or IP addresses would you like to add to your new CA? (e.g. ca.smallstep.com[,220.127.116.11,etc.]): localhost
✔ What address will your new CA listen at? (e.g. :443): :9000
✔ What would you like to name the first provisioner for your new CA? (e.g. email@example.com): firstname.lastname@example.org
✔ What do you want your password to be? [leave empty and we'll generate one]:
Generating root certificate...
Generating intermediate certificate...
✔ Root certificate: /home/step/certs/root_ca.crt
✔ Root private key: /home/step/secrets/root_ca_key
✔ Root fingerprint: 86a278f34e58c7ab04313aff0e8e5114f1d1da955ecb20412b3d32cc2267ddcd
✔ Intermediate certificate: /home/step/certs/intermediate_ca.crt
✔ Intermediate private key: /home/step/secrets/intermediate_ca_key
✔ Database folder: /home/step/db
✔ Default configuration: /home/step/config/defaults.json
✔ Certificate Authority configuration: /home/step/config/ca.json
Your PKI is ready to go. To generate certificates for individual services see 'step help ca'.
Save the root fingerprint value! You'll need it for client bootstrapping.
3. Place the PKI root password in a known safe location.
The image is expecting the password to be placed in /home/step/secrets/password. Bring up the shell prompt in the container again and write that file:
docker run -it -v step:/home/step smallstep/step-ca sh
Inside your container, write the file into the expected location:
When you run step-ca on a Raspberry Pi, you might get the following error in
your container logs:
step-ca | badger 2021/05/08 20:13:12 INFO: All 0 tables opened in 0s
step-ca | Error opening database of Type badger with source /home/step/db: error opening Badger database: Mmap value log file. Path=/home/step/db/000000.vlog. Error=cannot allocate memory
To fix it, edit the db configuration block in the file config/ca.json.
docker run -v step:/home/step -it smallstep/step-ca vi /home/step/config/ca.json
Change the value of badgerFileLoadingMode from "" to "FileIO".