step-ca
#mTLS
https://smallstep.com/docs/design-document/
Initial issuance is JWT/OIDC based
After that, the certificate is renewed daily using the existing certificate
Root CA rotation and the like can also be done at that point
mitamae recipe
https://github.com/sorah/infra-public/tree/master/itamae/cookbooks/common/machineidentity
bootstrap
code:a.sh
step ca bootstrap --ca-url ... --fingerprint ...
step ca certificate "$CN" path/crt path/key --token "$TOKEN" --sans "$SAN"
step ca roots path/roots.pem --force
step ca federations path/federations.pem --force
Passing the token via argv is a bit questionable (acceptable since it cannot be reused)
root CA rotation
https://github.com/smallstep/certificates/pull/22/files
Renewal over mTLS checks the provisioner via step-ca's X509 extension, so renewal across a root change is also possible
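How a relying party reads which provisioner issued a certificate, the check referred to above for mTLS renewal. This is an added Go example, not step-ca's own code: the OID and the ASN.1 layout of the extension are assumptions based on my reading of step-ca's source, and the certificate is a constructed self-signed fixture.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// OID and value layout step-ca uses to record the issuing provisioner
// (assumed from step-ca's source; not taken from this page).
var stepProvisionerOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64, 1}

type stepProvisioner struct {
	Type         int
	Name         []byte
	CredentialID []byte
}

// ProvisionerName returns the provisioner recorded in cert. It fails closed:
// a missing or malformed extension is an error, never an empty name.
func ProvisionerName(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(stepProvisionerOID) {
			var p stepProvisioner
			if rest, err := asn1.Unmarshal(ext.Value, &p); err != nil || len(rest) != 0 {
				return "", errors.New("malformed provisioner extension")
			}
			return string(p.Name), nil
		}
	}
	return "", errors.New("no provisioner extension")
}

// SampleCert is a constructed fixture: self-signed, carrying the extension only when withExt is true.
func SampleCert(provName string, withExt bool) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if withExt {
		val, _ := asn1.Marshal(stepProvisioner{Type: 1, Name: []byte(provName), CredentialID: []byte("kid-1")})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: stepProvisionerOID, Value: val}}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```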
AWS Provisioner
https://github.com/smallstep/certificates/blob/master/docs/provisioners.md#aws
Uses the Instance Identity Document; it can be restricted to "one-time only" and "immediately after boot". Since controlling the SANs/Subject is difficult, something that requests a separate JWT based on this would seem useful.
smallstep/autocert for Kubernetes
https://github.com/smallstep/autocert
There is no way to restrict CN/SAN names...
Operations
Restart
code:restart.sh
cd /mnt/vol/step-ca
sudo -u step-ca sh -c 'umask 0077 && cat > password.txt'
sudo systemctl restart step-ca.service
sudo -u step-ca shred --remove password.txt
Intermediate CA Renewal
code:csr.json
{
  "CN": "nkmi.me Private CA Step - G2",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "JP",
      "O": "nkmi.me"
    }
  ]
}
code:step-ca.sh
cd /mnt/vol/key
cat > csr.json
cfssl genkey csr.json | cfssljson -bare ca
openssl req -text -in ca.csr
code:root-ca.sh
sudo -i
cd /mnt/cfssl/data/root-g2/subordinates/step-g2
cat > ca.csr
cfssl sign -db-config ../../db_config.json -config ../../config.json -profile ca -ca ../../ca.pem -ca-key ../../ca-key.pem ca.csr | cfssljson -bare ca
aws s3 cp ca.pem s3://nkmi-pki-public/root-g2/subordinates/step-g2.crt
code:step-ca.pem
sudo openssl ec -aes256 -in /mnt/cfssl/data/root-g2/subordinates/step-g4/ca-key.pem -out /mnt/vol/step-ca/ca/key.pem
sudo install -m0644 -ostep-ca -gstep-ca /mnt/cfssl/data/root-g2/subordinates/step-g4/ca.pem ca.pem