@voms00 If I’m understanding your question correctly, I think the "Use step-ca with your existing CA" tutorial addresses your concern. You can set up a Step CA using a root CA that already exists. You can use an existing intermediate CA from that CA, or create a new one. This will be what signs your leaf certs. In the tutorial, it shows how to initialize the new CA and substitute in the existing CA and ICA cert files. The CA’s private key is not needed because the ICA will be used for signing. The ICA private key is needed, so you either need the ICA public key and private key substituted into the Step CA config, or you can generate a new ICA (public/private). This can be seen in the steps under "The medium way" and later headings. HTH.
Hello everyone,
A few days ago I started exploring the world of PKI and Smallstep.
In a medium and mixed ICT environment, I would like to have my internal CA in order to generate certificates and automatically handle their renewal.
However, I’ve now reached the point where I’m looking for a discussion with someone who knows more than I do.
Scenario 1
If I run step-ca in a Docker container using initialization, it generates both the intermediate CA (and its related certificates/keys) and the root CA (and its related certificates/keys).
I realize that this generates the entire PKI, but this way I end up in the same volume with: root_ca.crt, root_ca_key, intermediate_ca.crt, intermediate_ca_key, defaults.json, and ca.json.
According to security guidelines, shouldn’t root_ca.key be kept offline, outside of everything else?
Scenario 2
I create a VM for the root CA (just to sign the intermediate’s CSR) and a VM for the intermediate CA (which I would like to run on Docker). I sign the intermediate with the root and move the intermediate’s .crt to the intermediate VM, but then I get confused and cannot move forward.
I believe there is more going on that I’m missing.
If you want, I can also polish it for a more natural technical English version suitable for forums or professional discussions. Do you want me to do that?
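The split described in Scenario 2 and in the reply above, as an added Go example (not code from the Smallstep project or its tutorial): the root key exists only inside the "root VM" function and signs the intermediate once, the step-ca host keeps root_ca.crt, intermediate_ca.crt and intermediate_ca_key, and issuing a leaf needs only the intermediate key. CA names and the host name are constructed, and certificates stay in memory instead of PEM files.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// StepCAFiles is what the step-ca host keeps in Scenario 2; note there is no root key field.
type StepCAFiles struct {
	RootCert, IntermediateCert *x509.Certificate // root_ca.crt, intermediate_ca.crt
	IntermediateKey            *ecdsa.PrivateKey // intermediate_ca_key
}

// must keeps the demo short: any failure in the toy setup is fatal.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// caTemplate builds a CA template; pathLen 1 for the root, 0 for the intermediate.
func caTemplate(serial int64, cn string, pathLen int) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

// BuildScenario2 models the split: the root key lives only inside this function (the root VM),
// signs the intermediate once, and is never returned or written out (constructed names).
func BuildScenario2() *StepCAFiles {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTpl := caTemplate(1, "Example Root CA", 1)
	rootCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTpl, rootTpl, &rootKey.PublicKey, rootKey))))
	icaKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // generated on the ICA host; in practice a CSR carries only the public key to the root
	icaCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTemplate(2, "Example Intermediate CA", 0), rootCert, &icaKey.PublicKey, rootKey))))
	return &StepCAFiles{RootCert: rootCert, IntermediateCert: icaCert, IntermediateKey: icaKey}
}

// IssueLeaf does what step-ca does day to day: sign a leaf with the intermediate key alone,
// then verify the chain leaf -> intermediate -> root using nothing but root_ca.crt as trust anchor.
func (f *StepCAFiles) IssueLeaf(dnsName string) (*x509.Certificate, error) {
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: dnsName},
		DNSNames: []string{dnsName}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, f.IntermediateCert, &leafKey.PublicKey, f.IntermediateKey))))
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(f.RootCert); inters.AddCert(f.IntermediateCert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName})
	return leaf, err
}
```

If the ICA key ever drifted from intermediate_ca.crt, x509.CreateCertificate rejects the mismatch before any leaf is produced, which is the same failure you would see at step-ca startup.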