./security/step-ca [private certificate authority and ACME server]

Version: 0.22.0, Package name: step-ca-0.22.0
Maintained by: The OpenBSD ports mailing-list
Master sites:
Description
step-ca is an online certificate authority for secure, automated certificate
management. It's the server counterpart to the step CLI tool.

You can use it to:

- Issue X.509 certificates for your internal infrastructure:
  - HTTPS certificates that work in browsers (RFC5280 and CA/Browser Forum
    compliance)
  - TLS certificates for VMs, containers, APIs, mobile clients, database
    connections, printers, wifi networks, toaster ovens...
  - Client certificates to enable mutual TLS (mTLS) in your infra. mTLS is an
    optional feature in TLS where both client and server authenticate each
    other. Why add the complexity of a VPN when you can safely use mTLS over
    the public internet?
- Issue SSH certificates:
  - For people, in exchange for single sign-on ID tokens
  - For hosts, in exchange for cloud instance identity documents
- Easily automate certificate management:
  - It's an ACME v2 server
  - It has a JSON API
  - It comes with a Go wrapper
  - ... and there's a command-line client you can use in scripts!

README
+-------------------------------------------------------------------------------
| Running ${PKGSTEM} on OpenBSD
+-------------------------------------------------------------------------------

Initialization
==============

Step CA must be initialized as the _step-ca user, with
${LOCALSTATEDIR}/step-ca as its STEPPATH directory:

# su _step-ca -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step ca init"

Running the service
===================

Step CA needs to be told which config file to load when the rcctl service
script starts it. Do this by setting the appropriate flags:

# rcctl enable step_ca
# rcctl set step_ca flags --config config/ca.json

Add the CA cert to system store
===============================

The default root certificate for Step CA is stored in
${LOCALSTATEDIR}/step-ca/certs/root_ca.crt. To make the system trust it,
append it to ${SYSCONFDIR}/ssl/cert.pem:

# cat ${LOCALSTATEDIR}/step-ca/certs/root_ca.crt >> ${SYSCONFDIR}/ssl/cert.pem
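
The append above adds another copy of the root every time it is run. The following is an added example, not part of the port's README: a shell function that appends the root CA only when the bundle does not already contain it, and refuses a file that holds no PEM certificate. The function names and the demo files are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: append a root CA to a trust bundle only if it is not there yet.

# Print the base64 body of the first PEM certificate in file $1 on one line.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1; next }
         /-----END CERTIFICATE-----/ { if (on) { found = 1; print body; exit } }
         on { gsub(/[ \t\r]/, ""); body = body $0 }
         END { if (!found) exit 1 }' "$1"
}

# Succeed if bundle $2 already holds a certificate whose body equals $1.
bundle_has() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { on = 1; body = ""; next }
        /-----END CERTIFICATE-----/ { if (on && (body "") == (want "")) hit = 1; on = 0; next }
        on { gsub(/[ \t\r]/, ""); body = body $0 }
        END { exit (hit ? 0 : 1) }' "$2"
}

# Append CA file $1 to bundle $2; prints "added" or "present", fails on bad input.
add_root_ca() {
    body=$(pem_body "$1") && [ -n "$body" ] ||
        { echo "no PEM certificate in $1" >&2; return 1; }
    if [ -f "$2" ] && bundle_has "$body" "$2"; then
        echo present
    else
        cat "$1" >> "$2" && echo added
    fi
}

# Demo on constructed files in a temp directory (the base64 is placeholder
# text, not a real certificate). On the system described above the arguments
# would be ${LOCALSTATEDIR}/step-ca/certs/root_ca.crt and ${SYSCONFDIR}/ssl/cert.pem.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtUk9PVC1DQQ==' \
        '-----END CERTIFICATE-----' > "$d/root_ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtT1RIRVItQ0E=' \
        '-----END CERTIFICATE-----' > "$d/cert.pem"
    add_root_ca "$d/root_ca.crt" "$d/cert.pem"   # first run appends
    add_root_ca "$d/root_ca.crt" "$d/cert.pem"   # second run is a no-op
    grep -c 'BEGIN CERTIFICATE' "$d/cert.pem"    # 2, not 3
    rm -rf "$d"
}
demo
```

Writing to the real bundle needs the same root privileges as the cat command above.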

step_ca.rc
#!/bin/ksh

daemon="${LOCALBASE}/bin/step-ca"
daemon_flags="config/ca.json"
daemon_user="_step-ca"
daemon_logger=daemon.info
daemon_execdir="${LOCALSTATEDIR}/step-ca"

. /etc/rc.d/rc.subr

rc_bg=YES

rc_cmd $1


Filesize: 17765.922 KB
Version History
  • (2022-08-28) Package added to openports.se, version step-ca-0.22.0 (created)