The security/step-ca port

step-ca-0.25.2 – private certificate authority and ACME server (cvsweb github mirror)

Description

step-ca is an online certificate authority for secure, automated certificate
management. It's the server counterpart to the step CLI tool.

You can use it to:

- Issue X.509 certificates for your internal infrastructure:
  - HTTPS certificates that work in browsers (RFC5280 and CA/Browser Forum
    compliance)
  - TLS certificates for VMs, containers, APIs, mobile clients, database
    connections, printers, wifi networks, toaster ovens...
  - Client certificates to enable mutual TLS (mTLS) in your infra. mTLS is an
    optional feature in TLS where both client and server authenticate each
    other. Why add the complexity of a VPN when you can safely use mTLS over
    the public internet?
- Issue SSH certificates:
  - For people, in exchange for single sign-on ID tokens
  - For hosts, in exchange for cloud instance identity documents
- Easily automate certificate management:
  - It's an ACME v2 server
  - It has a JSON API
  - It comes with a Go wrapper
  - ... and there's a command-line client you can use in scripts!

WWW: https://smallstep.com/certificates

Readme

+-------------------------------------------------------------------------------
| Running ${PKGSTEM} on OpenBSD
+-------------------------------------------------------------------------------

Initialization
==============

The step-cli package is required and must be used to initialize Step CA.
Execute the following command as user _step-ca to initialize Step CA.

# su -s /bin/sh _step-ca -c "env STEPPATH=${LOCALSTATEDIR}/step-ca step ca init"

Step CA cannot bind to privileged ports. During initialization select a port
above 1024.

Add the CA cert to system store
===============================

The root certificate for step-ca is stored in ${LOCALSTATEDIR}/step-ca/certs/root_ca.crt
which should be added to the system by appending it to ${SYSCONFDIR}/ssl/cert.pem

# cat ${LOCALSTATEDIR}/step-ca/certs/root_ca.crt >> ${SYSCONFDIR}/ssl/cert.pem

Maintainer

The OpenBSD ports mailing-list

Only for arches

aarch64 amd64 arm armv7 i386 mips64 riscv64

Broken

on armv7: github.com/go-piv/piv-go@v1.10.0/piv/pcsc_openbsd.go:29:15: 0x8010002E (untyped int constant 2148532270) overflows int32

on i386: github.com/go-piv/piv-go@v1.10.0/piv/pcsc_openbsd.go:29:15: 0x8010002E (untyped int constant 2148532270) overflows int32

Library dependencies

security/pcsc-lite

Build dependencies

Files

/etc/login.conf.d/step_ca
/etc/rc.d/step_ca
/usr/local/bin/step-ca
/usr/local/share/doc/pkg-readmes/step-ca
/usr/local/share/doc/step-ca/
/usr/local/share/doc/step-ca/CHANGELOG.md
/usr/local/share/doc/step-ca/CONTRIBUTING.md
/usr/local/share/doc/step-ca/README.md
/usr/local/share/doc/step-ca/SECURITY.md
/usr/local/share/examples/login.conf.d/step_ca
/var/step-ca/
@newgroup _step-ca:883
@newuser _step-ca:883:883::Step-ca Account:/var/empty:/sbin/nologin