diff --git a/README.md b/README.md index f9169da6..832bc881 100644 --- a/README.md +++ b/README.md @@ -126,7 +126,7 @@ Certificate: > Note: If you have installed `step` previously through the `smallstep/smallstep` > tap you will need to run the following commands before installing: -> +> > ``` > $ brew untap smallstep/smallstep > $ brew uninstall step @@ -175,6 +175,43 @@ We are using the [Arch User Repository](https://aur.archlinux.org) to distribute You can use [pacman](https://www.archlinux.org/pacman/) to install the packages. +#### RHEL/CentOS + +1. [Optional] Install `step`. + + Download the latest Linux tarball from + [`step` releases](https://github.com/smallstep/cli/releases): + + ``` + $ wget -O step-cli.tar.gz https://github.com/smallstep/cli/releases/download/vX.Y.Z/step_linux_X.Y.Z_amd64.tar.gz + ``` + + Install `step` by unzipping and copying the executable over to `/usr/bin`: + + ``` + $ tar -xf step-cli.tar.gz + $ sudo cp step_X.Y.Z/bin/step /usr/bin + ``` + +2. Install `step-ca`. + + Download the latest Linux package from [releases](https://github.com/smallstep/certificates/releases): + + ``` + $ wget -O step-ca.tar.gz https://github.com/smallstep/cli/releases/download/vX.Y.Z/step_linux_X.Y.Z_amd64.tar.gz + ``` + + Install `step-ca` by unzipping and copying the executable over to `/usr/bin`: + + ``` + $ tar -xf step-ca.tar.gz + $ sudo cp step-certificates_X.Y.Z/bin/step-ca /usr/bin + ``` + +See the [`systemctl` setup section](./docs/GETTING_STARTED.md#systemctl) for a +guide on configuring `step-ca` as a daemon. + + ### Kubernetes We publish [helm charts](https://hub.helm.sh/charts/smallstep/step-certificates) for easy installation on kubernetes: diff --git a/docs/GETTING_STARTED.md b/docs/GETTING_STARTED.md index 44bd8876..156defd3 100644 --- a/docs/GETTING_STARTED.md +++ b/docs/GETTING_STARTED.md 
@@ -203,6 +203,49 @@ export STEPPATH=$(step path) step-ca $STEPPATH/config/ca.json ``` +### Systemctl + +Consider adding a service user that will only be used by `systemctl` to manage +the service. + +``` +$ useradd step +$ passwd -l step +``` + +Use the following example as a base for your `systemctl` service file: + +``` +[Unit] +Description=step-ca +After=syslog.target network.target + +[Service] + +User=smallstep +Group=smallstep +ExecStart=/bin/sh -c '/bin/step-ca /home/smallstep/.step/config/ca.json --password-file=/home/smallstep/.step/pwd >> /var/log/smallstep/output.log 2>&1' +Type=simple +Restart=on-failure +RestartSec=10 + + +[Install] +WantedBy=multi-user.target +``` + +The following are a few example commands you can use to check the status, +enable on restart, and start your `systemctl` service. + +``` +# Check the current status of the `step-ca` service +$ systemctl status step-ca +# Configure the `step-ca` process to startup on reboot automatically +$ systemctl enable step-ca +# Start the `step-ca` service. +$ systemctl start smallstep +``` + ## Configure Your Environment **Note**: Configuring your environment is only necessary for remote servers @@ -442,7 +485,9 @@ types of certs. Each of these provisioners must have unique keys. ## Use Custom Claims for Provisioners to Control Certificate Validity etc -It's possible to configure provisioners on the CA to issue certs using properties specific to their target environments. Most commonly different validity periods and disabling renewals for certs. Here's how: +It's possible to configure provisioners on the CA to issue certs using +properties specific to their target environments. Most commonly different +validity periods and disabling renewals for certs. Here's how: ```bash $ step ca init
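Review bot: In the README.md RHEL/CentOS hunk, step 2 ("Install `step-ca`") downloads the wrong artifact. Its `wget -O step-ca.tar.gz` line reuses the step 1 URL, `https://github.com/smallstep/cli/releases/download/vX.Y.Z/step_linux_X.Y.Z_amd64.tar.gz`, although the text above it links to the `smallstep/certificates` releases and the following `cp` reads from `step-certificates_X.Y.Z/bin/step-ca`, a directory the CLI tarball from step 1 extracts as `step_X.Y.Z` instead. Point the URL at the certificates release asset so the extracted directory matches the `cp` line. Both steps copy a freshly downloaded binary into `/usr/bin` with `sudo` and nothing checks its integrity first; if the releases publish a checksum or signature, add a verification step between the `wget` and the `tar -xf`.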
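Review bot: In the docs/GETTING_STARTED.md Systemctl hunk, the account and unit names do not line up. `useradd step` creates a user named `step`, but the unit file sets `User=smallstep` and `Group=smallstep` and reads from `/home/smallstep/.step/`. The final command is `systemctl start smallstep`, while the status and enable commands use `step-ca`. Use one user name and one unit name throughout, and state the file name the unit should be saved under. `ExecStart` calls `/bin/step-ca`, whereas the README hunk in this patch installs the binary to `/usr/bin`, so the path should match. The unit also depends on `/var/log/smallstep/` existing and being writable by the service user, and on `--password-file=/home/smallstep/.step/pwd`, which holds the CA key password. The section should tell the reader to create the log directory and to make the password file readable only by the service user (for example mode 0600).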