# PKI the Easy Way

Published 2024-12-24

I've been a systems engineer for over 20 years, but despite this fact, I've always found Public Key Infrastructure to be a bit daunting. My first encounter with PKI was many moons ago, deploying a certificate authority on a Windows Server and occasionally feeding it a certificate signing request to get a certificate back. The tooling wasn't very good and I recall very well how frustrating it was to create a CSR and obtain a certificate for the thing I wanted to secure. Fast forward a few years and once again I found myself needing a certificate authority to secure some internal apps, but this time the solution would be to build and manage a PKI manually using the openssl command-line tool, which is done using a myriad of commands that will cause your brain to explode.

Overall my experience with PKIs hasn't been great; I'd give it a solid 4 out of 10, so when the requirement for a PKI came up again recently, I decided to do some investigation to see what others were doing for their PKI in 2024. I was seeing some good feedback on a product called Small Step CA which I'd not heard of before, and a colleague had also offered it up as a potential solution, so I decided to jump in and take a look.

Mike Malone, the CEO and founder of Step CA, has written a really good blog article on Everything you should know about certificates and PKI but are too afraid to ask. It's a good read if you're not fully up to speed on how PKI works.

Smallstep have done a fine job of their documentation and the following is by no means a replacement for it. These are my condensed notes for provisioning Step CA, which demonstrate how easy it is to get up and running.

Download and install the CLI and CA.

```bash
# step CLI
wget https://dl.smallstep.com/cli/docs-ca-install/latest/step-cli_amd64.rpm
sudo rpm -i step-cli_amd64.rpm

# step-ca server
wget https://dl.smallstep.com/certificates/docs-ca-install/latest/step-ca_amd64.rpm
sudo rpm -i step-ca_amd64.rpm
```

Create password files and then initialise the CA. For the --dns parameter, provide a comma-separated list of hostnames and IP addresses of the CA server.

```bash
# Passwords protecting the root CA key and the default provisioner key;
# keep these files readable only by the account that runs the CA.
echo "super-secret-root-ca-password" > password.txt
echo "super-secret-provisioner-password" > provisioner-password.txt

step ca init \
    --name="G9H CA" \
    --dns=localhost,ca-01.g9h.lab \
    --address=:443 \
    --provisioner=ca@g9h.io \
    --password-file=password.txt \
    --provisioner-password-file=provisioner-password.txt
```

The step ca init command will output some information about the CA. The fingerprint will be required to connect to the CA remotely, so it's a good idea to take a note of it. It's also worth noting that the default configuration in

At this point the CA has been created; we just need to start the service using the step-ca command. This will run the service in the foreground, but there is good documentation on running step-ca as a daemon for production use.

```bash
step-ca $(step path)/config/ca.json \
    --password-file=password.txt
```

Creating a certificate is extremely simple.

```bash
# Issue a certificate for demo.g9h.lab, writing the cert and key to g9h.crt / g9h.key
step ca certificate demo.g9h.lab g9h.crt g9h.key \
    --provisioner-password-file=provisioner-password.txt
```

It's worth noting that the default maximum lifetime of a certificate is 24 hours, but you can increase it by editing .step/config/ca.json. The philosophy here is that by having shorter lifetimes you essentially have passive revocation, and it limits the need to implement CRL or OCSP.

And then renewing a certificate.

```bash
step ca renew g9h.crt g9h.key
```

Install the root CA certificate into the trust store. For my Rocky Linux server, this copies the CA certificate to /etc/pki/ca-trust/source/anchors.

```bash
step certificate install $(step path)/certs/root_ca.crt
```
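To make the two points above concrete (a 24-hour leaf lifetime acting as passive revocation, and clients trusting the root CA certificate), here is an added example in Go that is not part of this post and not Smallstep's code. It builds a toy root CA and a 24-hour leaf certificate with the standard library, then shows a renewal check and a client-side verification against the root. The two-thirds-of-lifetime renewal threshold, the hostnames and the issue time are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DefaultLeafLifetime mirrors the 24-hour default leaf lifetime mentioned in the text.
const DefaultLeafLifetime = 24 * time.Hour

// randomSerial returns a 128-bit random serial number (helper for this example).
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// NewRootCA builds a self-signed root CA certificate, standing in for root_ca.crt.
func NewRootCA(name string, notBefore time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(10 * 365 * 24 * time.Hour), // assumed 10-year root
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueLeaf signs a server certificate for host that is valid for lifetime from notBefore.
func IssueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NeedsRenewal reports whether two thirds of the certificate's lifetime has elapsed at now.
// The two-thirds threshold is an assumption chosen for this example.
func NeedsRenewal(cert *x509.Certificate, now time.Time) bool {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	elapsed := now.Sub(cert.NotBefore)
	return elapsed*3 >= lifetime*2
}

// VerifyAgainstRoot does what a client with root_ca.crt in its trust store does:
// check that leaf chains to root, names host, and is within its validity period at now.
// An expired leaf fails here with no CRL or OCSP lookup, which is the passive revocation idea.
func VerifyAgainstRoot(leaf, root *x509.Certificate, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

func main() {
	issued := time.Date(2024, 12, 24, 9, 0, 0, 0, time.UTC) // constructed issue time
	root, rootKey, err := NewRootCA("G9H CA", issued)
	if err != nil {
		panic(err)
	}
	leaf, _, err := IssueLeaf(root, rootKey, "demo.g9h.lab", issued, DefaultLeafLifetime)
	if err != nil {
		panic(err)
	}
	for _, h := range []int{1, 15, 17, 25} {
		at := issued.Add(time.Duration(h) * time.Hour)
		fmt.Printf("t+%2dh renew=%-5v verify=%v\n", h, NeedsRenewal(leaf, at), VerifyAgainstRoot(leaf, root, "demo.g9h.lab", at))
	}
}
```

Running it prints one line per checkpoint: at t+1h and t+15h the certificate verifies and is not yet due for renewal, at t+17h it verifies but is due, and at t+25h verification fails with a certificate-expired error even though nothing was ever revoked.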

Remotely connect to the CA server.

```bash
step ca bootstrap \
    --ca-url [CA URL] \
    --fingerprint [CA fingerprint]
```

Once remotely connected to the CA, we can create and renew certificates easily using the same step commands as documented above. You'll need to provide the provisioner password when creating certificates remotely, or you can use single-use tokens.

You can also enable certificate requests and renewals using the ACME protocol by adding a provisioner.

```bash
step ca provisioner add acme-example --type ACME
```

## Conclusion

That's pretty much it. I haven't done much more than what is documented here and I'm now serving certificates via ACME to my applications.

Step CA provides a sleek command-line interface for creating and managing a PKI. You'll still need to employ good security practices for securing your private keys, because Step CA can't do everything for you.

Step CA experience so far - A solid 9 out of 10.