Merge pull request #288 from smallstep/max/rhel-doc

Add RHEL/Centos install documentation and a section on systemctl configuration
2020-06-15 20:23:04 -07:00 · 2020-06-15 20:23:04 -07:00 · 6ee30c3a41
commit 6ee30c3a41
parent 91bf74551b aaec9931f4
2 changed files with 84 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -126,7 +126,7 @@ Certificate:

 > Note: If you have installed `step` previously through the `smallstep/smallstep`
 > tap you will need to run the following commands before installing:
-> 
+>
 > ```
 > $ brew untap smallstep/smallstep
 > $ brew uninstall step
@ -175,6 +175,43 @@ We are using the [Arch User Repository](https://aur.archlinux.org) to distribute

 You can use [pacman](https://www.archlinux.org/pacman/) to install the packages.

+#### RHEL/CentOS
+
+1. [Optional] Install `step`.
+
+    Download the latest Linux tarball from
+    [`step` releases](https://github.com/smallstep/cli/releases):
+
+    ```
+    $ wget -O step-cli.tar.gz https://github.com/smallstep/cli/releases/download/vX.Y.Z/step_linux_X.Y.Z_amd64.tar.gz
+    ```
+
+    Install `step` by unzipping and copying the executable over to `/usr/bin`:
+
+    ```
+    $ tar -xf step-cli.tar.gz
+    $ sudo cp step_X.Y.Z/bin/step /usr/bin
+    ```
+
+2. Install `step-ca`.
+
+    Download the latest Linux package from [releases](https://github.com/smallstep/certificates/releases):
+
+    ```
+    $ wget -O step-ca.tar.gz https://github.com/smallstep/cli/releases/download/vX.Y.Z/step_linux_X.Y.Z_amd64.tar.gz
+    ```
+
+    Install `step-ca` by unzipping and copying the executable over to `/usr/bin`:
+
+    ```
+    $ tar -xf step-ca.tar.gz
+    $ sudo cp step-certificates_X.Y.Z/bin/step-ca /usr/bin
+    ```
+
+See the [`systemctl` setup section](./docs/GETTING_STARTED.md#systemctl) for a
+guide on configuring `step-ca` as a daemon.
+
+
 ### Kubernetes

 We publish [helm charts](https://hub.helm.sh/charts/smallstep/step-certificates) for easy installation on kubernetes:
--- a/docs/GETTING_STARTED.md
+++ b/docs/GETTING_STARTED.md
@ -203,6 +203,49 @@ export STEPPATH=$(step path)
 step-ca $STEPPATH/config/ca.json
 ```

+### Systemctl
+
+Consider adding a service user that will only be used by `systemctl` to manage
+the service.
+
+```
+$ useradd step
+$ passwd -l step
+```
+
+Use the following example as a base for your `systemctl` service file:
+
+```
+[Unit]
+Description=step-ca
+After=syslog.target network.target
+
+[Service]
+
+User=smallstep
+Group=smallstep
+ExecStart=/bin/sh -c '/bin/step-ca /home/smallstep/.step/config/ca.json --password-file=/home/smallstep/.step/pwd >>   /var/log/smallstep/output.log 2>&1'
+Type=simple
+Restart=on-failure
+RestartSec=10
+
+
+[Install]
+WantedBy=multi-user.target
+```
+
+The following are a few example commands you can use to check the status,
+enable on restart, and start your `systemctl` service.
+
+```
+# Check the current status of the `step-ca` service
+$ systemctl status step-ca
+# Configure the `step-ca` process to startup on reboot automatically
+$ systemctl enable step-ca
+# Start the `step-ca` service.
+$ systemctl start smallstep
+```
+
 ## Configure Your Environment

 **Note**: Configuring your environment is only necessary for remote servers
@ -442,7 +485,9 @@ types of certs. Each of these provisioners must have unique keys.

 ## Use Custom Claims for Provisioners to Control Certificate Validity etc

-It's possible to configure provisioners on the CA to issue certs using properties specific to their target environments. Most commonly different validity periods and disabling renewals for certs. Here's how:
+It's possible to configure provisioners on the CA to issue certs using
+properties specific to their target environments. Most commonly different
+validity periods and disabling renewals for certs. Here's how:

 ```bash
 $ step ca init