Aciid · September 19, 2023 07:19
diff --git a/gistfile1.txt b/gistfile1.txt
 ```
 Step CA existing PKI

 1.run on your workstation
 step certificate create "ca.internal.domain.tld" intermediate_ca.csr intermediate_ca_key --csr

 2.run on windows root-ca
 certreq -submit -attrib "CertificateTemplate:SubCA" intermediate_ca.csr intermediate_ca.crt

 3.re-submit, if necessary
 certutil -resubmit n

 4.retrieve, if necessary
 certreq -retrieve n

 5.move created crt file back to step-ca folder
 ~/.step/certs/intermediate_ca.crt

 certs/root_ca.crt replace with your issuer CA crt subsequent step
 secrets/root_ca_key delete this unnecessary private key
 certs/intermediate_ca.crt is your intermediate CA cert from earlier step
 secrets/intermediate_ca_key is your intermediate signing key from earlier step

 Export Intermediate CA certificate from your PKI in DER/CRT format root_ca.cer ( by default )

 Convert DER to CRT using openssl, if necessary
 openssl x509 -inform DER -in root_ca.cer -out root_ca.crt

 copy root_ca.crt to ~/.step/certs/root_ca.crt

 Restart step CA container / standalone after changes

 step-ca ~/.step/config/ca.json

 Create a test certificate in standalone mode
 step ca certificate "test.internal.domain.tld" test.internal.domain.tld.crt

 Create ACME provisioner
 step ca provisioner add acme-smallstep --type ACME

 Restart step CA container / standalone after adding the new provisioner

 step-ca ~/.step/config/ca.json

 Create ACME certificate using provisioner ( domain must be subdomain of internal.domain.tld )

 $ step ca certificate test2.internal.domain.tld test2.crt test2.key --provisioner acme-smallstep --san test2.internal.domain.tld
 ✔ Provisioner: acme-smallstep (ACME)
 Using Standalone Mode HTTP challenge to validate test2.internal.domain.tld .. done!
 Waiting for Order to be 'ready' for finalization .. done!
 Finalizing Order .. done!
 ✔ Certificate: test2.crt
 ✔ Private Key: test2.key
 ```
	```
	Step CA existing PKI

	1.run on your workstation
	step certificate create "ca.internal.domain.tld" intermediate_ca.csr intermediate_ca_key --csr

	2.run on windows root-ca
	certreq -submit -attrib "CertificateTemplate:SubCA" intermediate_ca.csr intermediate_ca.crt

	3.re-submit, if necessary
	certutil -resubmit n

	4.retrieve, if necessary
	certreq -retrieve n

	5.move created crt file back to step-ca folder
	~/.step/certs/intermediate_ca.crt

	certs/root_ca.crt replace with your issuer CA crt subsequent step
	secrets/root_ca_key delete this unnecessary private key
	certs/intermediate_ca.crt is your intermediate CA cert from earlier step
	secrets/intermediate_ca_key is your intermediate signing key from earlier step

	Export Intermediate CA certificate from your PKI in DER/CRT format root_ca.cer ( by default )

	Convert DER to CRT using openssl, if necessary
	openssl x509 -inform DER -in root_ca.cer -out root_ca.crt

	copy root_ca.crt to ~/.step/certs/root_ca.crt

	Restart step CA container / standalone after changes

	step-ca ~/.step/config/ca.json

	Create a test certificate in standalone mode
	step ca certificate "test.internal.domain.tld" test.internal.domain.tld.crt

	Create ACME provisioner
	step ca provisioner add acme-smallstep --type ACME

	Restart step CA container / standalone after adding the new provisioner

	step-ca ~/.step/config/ca.json

	Create ACME certificate using provisioner ( domain must be subdomain of internal.domain.tld )

	$ step ca certificate test2.internal.domain.tld test2.crt test2.key --provisioner acme-smallstep --san test2.internal.domain.tld
	✔ Provisioner: acme-smallstep (ACME)
	Using Standalone Mode HTTP challenge to validate test2.internal.domain.tld .. done!
	Waiting for Order to be 'ready' for finalization .. done!
	Finalizing Order .. done!
	✔ Certificate: test2.crt
	✔ Private Key: test2.key
	```