TrueCloudLab/certificates
17
0
Fork 2
Code Issues 1 Pull requests 1 Releases Activity Actions

Add RHEL/Centos install docs and a section on systemctl config

Browse source
This commit is contained in:
max furman 2020-06-15 20:19:44 -07:00
parent 2d45f61987
commit aaec9931f4
2 changed files with 57 additions and 58 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

66
README.md
View file

@ -177,23 +177,20 @@ You can use [pacman](https://www.archlinux.org/pacman/) to install the packages.
#### RHEL/CentOS #### RHEL/CentOS
There are a few subtle yet important things to getting this setup, at the time of this writing the package cannot be installed via yum (its a feature request). So this is how we setup this on RHEL following some best practices. 1. [Optional] Install `step`.
1. [Required] Install `step`. Download the latest Linux tarball from
Download the latest Linux package from
[`step` releases](https://github.com/smallstep/cli/releases): [`step` releases](https://github.com/smallstep/cli/releases):
``` ```
$ wget -O step-cert.tar.gz https://github.com/smallstep/cli/releases/download/vX.Y.Z/step_linux_X.Y.Z_amd64.tar.gz $ wget -O step-cli.tar.gz https://github.com/smallstep/cli/releases/download/vX.Y.Z/step_linux_X.Y.Z_amd64.tar.gz
``` ```
Install the Package by unzipping in bin: Install `step` by unzipping and copying the executable over to `/usr/bin`:
``` ```
$ tar -xf step.tar.gz $ tar -xf step-cli.tar.gz
$ cd step-_X.Y.Z/bin/ $ sudo cp step_X.Y.Z/bin/step /usr/bin
$ mv step /usr/bin
``` ```
2. Install `step-ca`. 2. Install `step-ca`.
@ -204,58 +201,15 @@ There are a few subtle yet important things to getting this setup, at the time o
$ wget -O step-ca.tar.gz https://github.com/smallstep/cli/releases/download/vX.Y.Z/step_linux_X.Y.Z_amd64.tar.gz $ wget -O step-ca.tar.gz https://github.com/smallstep/cli/releases/download/vX.Y.Z/step_linux_X.Y.Z_amd64.tar.gz
``` ```
Install the Package by unzipping in bin: Install `step-ca` by unzipping and copying the executable over to `/usr/bin`:
``` ```
$ tar -xf step-ca.tar.gz $ tar -xf step-ca.tar.gz
$ cd step-certificates_X.Y.Z/bin/ $ sudo cp step-certificates_X.Y.Z/bin/step-ca /usr/bin
$ mv step-ca /usr/bin
``` ```
3. Now your users can call the step and step-ca commands, create a 'smallstep' user that doesn't have login permitted and will only be used as a service user for systemctl to manage this service. See the [`systemctl` setup section](./docs/GETTING_STARTED.md#systemctl) for a
guide on configuring `step-ca` as a daemon.
```
$ useradd smallstep
$ passwd -l smallstep
```
This creates a home directory for smallstep, as root sudo to the smallstep user, and perform the getting-started steps to setup the CA on this box as that user, we chose to put the password in a file in this example but you can mess with other solutions, we then made this systemctl service file
```
[Unit]
Description=Smallstep
After=syslog.target network.target
[Service]
User=smallstep
Group=smallstep
ExecStart=/bin/sh -c '/bin/step-ca /home/smallstep/.step/config/ca.json --password-file=/home/smallstep/.step/pwd >> /var/log/smallstep/output.log 2>&1'
Type=simple
Restart=on-failure
RestartSec=10
[Install]
WantedBy=multi-user.target
```
This also assumes you want logs going to a log file (we don't have a log rotation strategy at this time, perhaps the community can contribute :)
To setup this, perform the following
```
$ mkdir /var/log/smallstep
$ chown -R smallstep:smallstep /var/log/smallstep
```
Then do the following to startup the service.
```
$ systemctl status smallstep
$ systemctl enable smallstep (startup on reboot automatically)
$ systemctl start smallstep
```
If you have issues, you can debug by grabbing the execStart command from systemctl, sudo to smallstep, and start seeing what it is complaining about.
### Kubernetes ### Kubernetes

47
docs/GETTING_STARTED.md
View file

@ -203,6 +203,49 @@ export STEPPATH=$(step path)
step-ca $STEPPATH/config/ca.json step-ca $STEPPATH/config/ca.json
``` ```
### Systemctl
Consider adding a service user that will only be used by `systemctl` to manage
the service.
```
$ useradd step
$ passwd -l step
```
Use the following example as a base for your `systemctl` service file:
```
[Unit]
Description=step-ca
After=syslog.target network.target
[Service]
User=smallstep
Group=smallstep
ExecStart=/bin/sh -c '/bin/step-ca /home/smallstep/.step/config/ca.json --password-file=/home/smallstep/.step/pwd >> /var/log/smallstep/output.log 2>&1'
Type=simple
Restart=on-failure
RestartSec=10
[Install]
WantedBy=multi-user.target
```
The following are a few example commands you can use to check the status,
enable on restart, and start your `systemctl` service.
```
# Check the current status of the `step-ca` service
$ systemctl status step-ca
# Configure the `step-ca` process to startup on reboot automatically
$ systemctl enable step-ca
# Start the `step-ca` service.
$ systemctl start smallstep
```
## Configure Your Environment ## Configure Your Environment
**Note**: Configuring your environment is only necessary for remote servers **Note**: Configuring your environment is only necessary for remote servers
@ -442,7 +485,9 @@ types of certs. Each of these provisioners must have unique keys.
## Use Custom Claims for Provisioners to Control Certificate Validity etc ## Use Custom Claims for Provisioners to Control Certificate Validity etc
It's possible to configure provisioners on the CA to issue certs using properties specific to their target environments. Most commonly different validity periods and disabling renewals for certs. Here's how: It's possible to configure provisioners on the CA to issue certs using
properties specific to their target environments. Most commonly different
validity periods and disabling renewals for certs. Here's how:
```bash ```bash
$ step ca init $ step ca init