The security/step-ca port

step-ca-0.25.2 – private certificate authority and ACME server


step-ca is an online certificate authority for secure, automated certificate
management. It's the server counterpart to the step CLI tool.

You can use it to:

- Issue X.509 certificates for your internal infrastructure:
  - HTTPS certificates that work in browsers (RFC5280 and CA/Browser Forum
  - TLS certificates for VMs, containers, APIs, mobile clients, database
    connections, printers, wifi networks, toaster ovens...
  - Client certificates to enable mutual TLS (mTLS) in your infra. mTLS is an
    optional feature in TLS where both client and server authenticate each
    other. Why add the complexity of a VPN when you can safely use mTLS over
    the public internet?
- Issue SSH certificates:
  - For people, in exchange for single sign-on ID tokens
  - For hosts, in exchange for cloud instance identity documents
- Easily automate certificate management:
  - It's an ACME v2 server
  - It has a JSON API
  - It comes with a Go wrapper
  - ... and there's a command-line client you can use in scripts!
WWW: https://smallstep.com/certificates


Running ${PKGSTEM} on OpenBSD


The step-cli package is required: Step CA is initialized with the step command.
Run the following as root to initialize Step CA as the _step-ca user:

# su -s /bin/sh _step-ca -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step ca init"

Step CA cannot bind to privileged ports. During initialization select a port
above 1024.

Add the CA cert to system store

The root certificate for step-ca is stored in ${LOCALSTATEDIR}/step-ca/certs/root_ca.crt.
Add it to the system trust store by appending it to ${SYSCONFDIR}/ssl/cert.pem:

# cat ${LOCALSTATEDIR}/step-ca/certs/root_ca.crt >> ${SYSCONFDIR}/ssl/cert.pem



Only for arches

aarch64 amd64 arm armv7 i386 mips64 riscv64


on armv7: github.com/go-piv/piv-go@v1.10.0/piv/pcsc_openbsd.go:29:15: 0x8010002E (untyped int constant 2148532270) overflows int32

on i386: github.com/go-piv/piv-go@v1.10.0/piv/pcsc_openbsd.go:29:15: 0x8010002E (untyped int constant 2148532270) overflows int32


lang/go security
