forked from TrueCloudLab/certificates
Add RHEL/Centos install docs and a section on systemctl config
This commit is contained in:
parent
2d45f61987
commit
aaec9931f4
2 changed files with 57 additions and 58 deletions
66
README.md
66
README.md
|
@ -177,23 +177,20 @@ You can use [pacman](https://www.archlinux.org/pacman/) to install the packages.
|
||||||
|
|
||||||
#### RHEL/CentOS
|
#### RHEL/CentOS
|
||||||
|
|
||||||
There are a few subtle yet important things to getting this setup, at the time of this writing the package cannot be installed via yum (its a feature request). So this is how we setup this on RHEL following some best practices.
|
1. [Optional] Install `step`.
|
||||||
|
|
||||||
1. [Required] Install `step`.
|
Download the latest Linux tarball from
|
||||||
|
|
||||||
Download the latest Linux package from
|
|
||||||
[`step` releases](https://github.com/smallstep/cli/releases):
|
[`step` releases](https://github.com/smallstep/cli/releases):
|
||||||
|
|
||||||
```
|
```
|
||||||
$ wget -O step-cert.tar.gz https://github.com/smallstep/cli/releases/download/vX.Y.Z/step_linux_X.Y.Z_amd64.tar.gz
|
$ wget -O step-cli.tar.gz https://github.com/smallstep/cli/releases/download/vX.Y.Z/step_linux_X.Y.Z_amd64.tar.gz
|
||||||
```
|
```
|
||||||
|
|
||||||
Install the Package by unzipping in bin:
|
Install `step` by unzipping and copying the executable over to `/usr/bin`:
|
||||||
|
|
||||||
```
|
```
|
||||||
$ tar -xf step.tar.gz
|
$ tar -xf step-cli.tar.gz
|
||||||
$ cd step-_X.Y.Z/bin/
|
$ sudo cp step_X.Y.Z/bin/step /usr/bin
|
||||||
$ mv step /usr/bin
|
|
||||||
```
|
```
|
||||||
|
|
||||||
2. Install `step-ca`.
|
2. Install `step-ca`.
|
||||||
|
@ -204,58 +201,15 @@ There are a few subtle yet important things to getting this setup, at the time o
|
||||||
$ wget -O step-ca.tar.gz https://github.com/smallstep/cli/releases/download/vX.Y.Z/step_linux_X.Y.Z_amd64.tar.gz
|
$ wget -O step-ca.tar.gz https://github.com/smallstep/cli/releases/download/vX.Y.Z/step_linux_X.Y.Z_amd64.tar.gz
|
||||||
```
|
```
|
||||||
|
|
||||||
Install the Package by unzipping in bin:
|
Install `step-ca` by unzipping and copying the executable over to `/usr/bin`:
|
||||||
|
|
||||||
```
|
```
|
||||||
$ tar -xf step-ca.tar.gz
|
$ tar -xf step-ca.tar.gz
|
||||||
$ cd step-certificates_X.Y.Z/bin/
|
$ sudo cp step-certificates_X.Y.Z/bin/step-ca /usr/bin
|
||||||
$ mv step-ca /usr/bin
|
|
||||||
```
|
```
|
||||||
|
|
||||||
3. Now your users can call the step and step-ca commands, create a 'smallstep' user that doesn't have login permitted and will only be used as a service user for systemctl to manage this service.
|
See the [`systemctl` setup section](./docs/GETTING_STARTED.md#systemctl) for a
|
||||||
|
guide on configuring `step-ca` as a daemon.
|
||||||
```
|
|
||||||
$ useradd smallstep
|
|
||||||
$ passwd -l smallstep
|
|
||||||
```
|
|
||||||
|
|
||||||
This creates a home directory for smallstep, as root sudo to the smallstep user, and perform the getting-started steps to setup the CA on this box as that user, we chose to put the password in a file in this example but you can mess with other solutions, we then made this systemctl service file
|
|
||||||
|
|
||||||
```
|
|
||||||
[Unit]
|
|
||||||
Description=Smallstep
|
|
||||||
After=syslog.target network.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
|
|
||||||
User=smallstep
|
|
||||||
Group=smallstep
|
|
||||||
ExecStart=/bin/sh -c '/bin/step-ca /home/smallstep/.step/config/ca.json --password-file=/home/smallstep/.step/pwd >> /var/log/smallstep/output.log 2>&1'
|
|
||||||
Type=simple
|
|
||||||
Restart=on-failure
|
|
||||||
RestartSec=10
|
|
||||||
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
```
|
|
||||||
This also assumes you want logs going to a log file (we don't have a log rotation strategy at this time, perhaps the community can contribute :)
|
|
||||||
|
|
||||||
To setup this, perform the following
|
|
||||||
```
|
|
||||||
$ mkdir /var/log/smallstep
|
|
||||||
$ chown -R smallstep:smallstep /var/log/smallstep
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Then do the following to startup the service.
|
|
||||||
```
|
|
||||||
$ systemctl status smallstep
|
|
||||||
$ systemctl enable smallstep (startup on reboot automatically)
|
|
||||||
$ systemctl start smallstep
|
|
||||||
```
|
|
||||||
If you have issues, you can debug by grabbing the execStart command from systemctl, sudo to smallstep, and start seeing what it is complaining about.
|
|
||||||
|
|
||||||
|
|
||||||
### Kubernetes
|
### Kubernetes
|
||||||
|
|
|
@ -203,6 +203,49 @@ export STEPPATH=$(step path)
|
||||||
step-ca $STEPPATH/config/ca.json
|
step-ca $STEPPATH/config/ca.json
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Systemctl
|
||||||
|
|
||||||
|
Consider adding a service user that will only be used by `systemctl` to manage
|
||||||
|
the service.
|
||||||
|
|
||||||
|
```
|
||||||
|
$ useradd step
|
||||||
|
$ passwd -l step
|
||||||
|
```
|
||||||
|
|
||||||
|
Use the following example as a base for your `systemctl` service file:
|
||||||
|
|
||||||
|
```
|
||||||
|
[Unit]
|
||||||
|
Description=step-ca
|
||||||
|
After=syslog.target network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
|
||||||
|
User=smallstep
|
||||||
|
Group=smallstep
|
||||||
|
ExecStart=/bin/sh -c '/bin/step-ca /home/smallstep/.step/config/ca.json --password-file=/home/smallstep/.step/pwd >> /var/log/smallstep/output.log 2>&1'
|
||||||
|
Type=simple
|
||||||
|
Restart=on-failure
|
||||||
|
RestartSec=10
|
||||||
|
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
```
|
||||||
|
|
||||||
|
The following are a few example commands you can use to check the status,
|
||||||
|
enable on restart, and start your `systemctl` service.
|
||||||
|
|
||||||
|
```
|
||||||
|
# Check the current status of the `step-ca` service
|
||||||
|
$ systemctl status step-ca
|
||||||
|
# Configure the `step-ca` process to startup on reboot automatically
|
||||||
|
$ systemctl enable step-ca
|
||||||
|
# Start the `step-ca` service.
|
||||||
|
$ systemctl start smallstep
|
||||||
|
```
|
||||||
|
|
||||||
## Configure Your Environment
|
## Configure Your Environment
|
||||||
|
|
||||||
**Note**: Configuring your environment is only necessary for remote servers
|
**Note**: Configuring your environment is only necessary for remote servers
|
||||||
|
@ -442,7 +485,9 @@ types of certs. Each of these provisioners must have unique keys.
|
||||||
|
|
||||||
## Use Custom Claims for Provisioners to Control Certificate Validity etc
|
## Use Custom Claims for Provisioners to Control Certificate Validity etc
|
||||||
|
|
||||||
It's possible to configure provisioners on the CA to issue certs using properties specific to their target environments. Most commonly different validity periods and disabling renewals for certs. Here's how:
|
It's possible to configure provisioners on the CA to issue certs using
|
||||||
|
properties specific to their target environments. Most commonly different
|
||||||
|
validity periods and disabling renewals for certs. Here's how:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
$ step ca init
|
$ step ca init
|
||||||
|
|
Loading…
Reference in a new issue