Smallstep CA configuration
{
"root": "/etc/step-ca/certs/root_ca.crt",
"federatedRoots": null,
"crt": "/etc/step-ca/certs/intermediate_ca.crt",
"key": "/etc/step-ca/secrets/intermediate_ca_key",
"address": ":443",
"insecureAddress": "",
"dnsNames": [
"ca.lab.internal"
],
"logger": {
"format": "text"
},
"db": {
"type": "badgerv2",
"dataSource": "/etc/step-ca/db",
"badgerFileLoadingMode": ""
},
"authority": {
"claims": {
"minTLSCertDuration": "24h",
"maxTLSCertDuration": "8760h",
"defaultTLSCertDuration": "4380h"
},
"provisioners": [
{
"type": "JWK",
"name": "default",
"key": {
"use": "sig",
"kty": "EC",
"kid": "C1KSXPhsSdqXGGoKtZcuPISlulz19KPm_HLvChj2G6E",
"crv": "P-256",
"alg": "ES256",
"x": "WINVVmc6U9zDHEJky8JJN4wMecQMWWRz538waJc9jLw",
"y": "VoyXfZMmRTCciOO6nmmlBGrjNZE4JWgwQgYMUCJqRJw"
},
"encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiY2dMeTFXUU12RGp5Q3FSOG9QWjlYdyJ9.AltSkn2jbDanOBw2UhWTaSOEXlkBzvy_57pkAn0XaITzASp44SyGbw.3rSzsBQ7mSjUxjjT.EusYXuW8UUj6LFMO92Z-t6fJgGaW3LN0SGsqaOzqKHqZdIRRe3u4puVxPJx0JTA2InZi_nO3gQfn_uD5DpWxUh3K-70KrF7b9oKl3JCjnaj3vHVcDDqhAYIpwQnq8XE9D8Wl71y2ByDxlkJrVdKOl-ka-3v6os9RKS8l7e28fXivklG3kPDWw2P_oa5_LBBwTiXkWwV5YM-KSUJPxLP8HJ2k3q0YrsgWyU5cE3MDMu3I1d_-_ONskP17WhyNLCBshsOdxUq_8BdTgQNo7KCIymwf0aTL9jWs1arMPaRj1yTzZFVs_rH39udFfoOZKKMlvPLk-A9dTopIVmmn8hA.ImQ-JbuNJZjWXXc9WWPuxQ"
},
{
"type": "ACME",
"name": "acme",
"forceCN": true,
"claims": {
"enableSSHCA": true,
"disableRenewal": false,
"allowRenewalAfterExpiry": false,
"disableSmallstepExtensions": false
},
"options": {
"x509": {},
"ssh": {}
}
}
],
"template": {},
"backdate": "1m0s"
},
"tls": {
"cipherSuites": [
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
],
"minVersion": 1.2,
"maxVersion": 1.3,
"renegotiation": false
},
"commonName": "Step Online CA"
}
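# Request a certificate for host.lab.internal from the private step-ca ACME
# endpoint. The "/acme/acme/directory" path selects the ACME provisioner by
# name ("acme" in the CA configuration shown with these commands).
#
# The contact address was replaced by an email-protection placeholder
# ("[email protected]") on the published page; that text is not a valid address
# and the shell would split it into two words. Supply the real address through
# ACME_EMAIL; the expansion below fails with a message if it is unset.
#
# certbot has to trust the private root to reach https://ca.lab.internal.
# Point REQUESTS_CA_BUNDLE at a copy of the CA's root certificate on this host
# instead of turning TLS verification off, for example:
#   export REQUESTS_CA_BUNDLE=/path/to/root_ca.crt   # placeholder path
#
# --standalone starts a temporary web server for the challenge, so port 80 on
# this host must be free and reachable from the CA.
certbot certonly -n --standalone --agree-tos --email "${ACME_EMAIL:?set ACME_EMAIL to the contact address for this ACME account}" -d host.lab.internal --server https://ca.lab.internal/acme/acme/directory

# Renew certificates that are close to expiry against the same ACME directory.
certbot renew --server https://ca.lab.internal/acme/acme/directory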