Merge pull request #288 from smallstep/max/rhel-doc

Add RHEL/Centos install documentation and a section on systemctl configuration
Max 2020-06-15 20:23:04 -07:00 committed by GitHub
commit 6ee30c3a41
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 84 additions and 2 deletions

@ -175,6 +175,43 @@ We are using the [Arch User Repository](https://aur.archlinux.org) to distribute
You can use [pacman](https://www.archlinux.org/pacman/) to install the packages. You can use [pacman](https://www.archlinux.org/pacman/) to install the packages.
#### RHEL/CentOS
1. [Optional] Install `step`.
Download the latest Linux tarball from
[`step` releases](https://github.com/smallstep/cli/releases):
```
$ wget -O step-cli.tar.gz https://github.com/smallstep/cli/releases/download/vX.Y.Z/step_linux_X.Y.Z_amd64.tar.gz
```
Install `step` by unzipping and copying the executable over to `/usr/bin`:
```
$ tar -xf step-cli.tar.gz
$ sudo cp step_X.Y.Z/bin/step /usr/bin
```
2. Install `step-ca`.
Download the latest Linux package from [releases](https://github.com/smallstep/certificates/releases):
```
$ wget -O step-ca.tar.gz https://github.com/smallstep/cli/releases/download/vX.Y.Z/step_linux_X.Y.Z_amd64.tar.gz
```
Install `step-ca` by unzipping and copying the executable over to `/usr/bin`:
```
$ tar -xf step-ca.tar.gz
$ sudo cp step-certificates_X.Y.Z/bin/step-ca /usr/bin
```
See the [`systemctl` setup section](./docs/GETTING_STARTED.md#systemctl) for a
guide on configuring `step-ca` as a daemon.
### Kubernetes ### Kubernetes
We publish [helm charts](https://hub.helm.sh/charts/smallstep/step-certificates) for easy installation on kubernetes: We publish [helm charts](https://hub.helm.sh/charts/smallstep/step-certificates) for easy installation on kubernetes:
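Review bot: In step 2 the `wget` for `step-ca` fetches `https://github.com/smallstep/cli/releases/download/vX.Y.Z/step_linux_X.Y.Z_amd64.tar.gz`, which is the same `step` CLI tarball as step 1, while the sentence above it links to the smallstep/certificates releases and the following `cp` reads from `step-certificates_X.Y.Z/bin/step-ca`. The archive from step 1 unpacks to `step_X.Y.Z`, so a reader following step 2 literally will not find the directory the `cp` expects; the URL should point at the certificates release asset instead. Both steps also copy a freshly downloaded binary into `/usr/bin` with `sudo` and no integrity check in between. For a CA binary it is worth adding a checksum or signature verification step between `wget` and `tar`, if the releases publish one.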

@ -203,6 +203,49 @@ export STEPPATH=$(step path)
step-ca $STEPPATH/config/ca.json step-ca $STEPPATH/config/ca.json
``` ```
### Systemctl
Consider adding a service user that will only be used by `systemctl` to manage
the service.
```
$ useradd step
$ passwd -l step
```
Use the following example as a base for your `systemctl` service file:
```
[Unit]
Description=step-ca
After=syslog.target network.target
[Service]
User=smallstep
Group=smallstep
ExecStart=/bin/sh -c '/bin/step-ca /home/smallstep/.step/config/ca.json --password-file=/home/smallstep/.step/pwd >> /var/log/smallstep/output.log 2>&1'
Type=simple
Restart=on-failure
RestartSec=10
[Install]
WantedBy=multi-user.target
```
The following are a few example commands you can use to check the status,
enable on restart, and start your `systemctl` service.
```
# Check the current status of the `step-ca` service
$ systemctl status step-ca
# Configure the `step-ca` process to startup on reboot automatically
$ systemctl enable step-ca
# Start the `step-ca` service.
$ systemctl start smallstep
```
## Configure Your Environment ## Configure Your Environment
**Note**: Configuring your environment is only necessary for remote servers **Note**: Configuring your environment is only necessary for remote servers
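Review bot: The service account created with `useradd step` does not match the unit file, which sets `User=smallstep` and `Group=smallstep` and reads its config from `/home/smallstep/.step`, so a reader following these steps ends up with a unit that references a user that was never created. Pick one account name and use it in the `useradd`, `passwd -l`, `User=`, `Group=` and path lines. The unit name has the same inconsistency: the status and enable commands use `step-ca`, but the last command is `systemctl start smallstep`. `ExecStart` also calls `/bin/step-ca` while the install section copies the binary to `/usr/bin`, and the section does not say where to save the unit file or that `/var/log/smallstep` has to exist and be writable by the service user before the shell redirect will work. Because `--password-file` points at the password protecting the CA key, the text should state that this file must be owned by the service user and not readable by anyone else.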
@ -442,7 +485,9 @@ types of certs. Each of these provisioners must have unique keys.
## Use Custom Claims for Provisioners to Control Certificate Validity etc ## Use Custom Claims for Provisioners to Control Certificate Validity etc
It's possible to configure provisioners on the CA to issue certs using properties specific to their target environments. Most commonly different validity periods and disabling renewals for certs. Here's how: It's possible to configure provisioners on the CA to issue certs using
properties specific to their target environments. Most commonly different
validity periods and disabling renewals for certs. Here's how:
```bash ```bash
$ step ca init $ step ca init