StepCA
A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
We practise Zero Trust in a practical form: all network traffic is encrypted at the transport layer across our private network(s). Rather than doing this at the level of a VPN, which is hard to manage, every service implements TLS itself.
We use the step-ca suite to auto-magically create and renew X.509 certificates. These are then pulled into the certificate store of our load balancer infrastructure, which automatically and dynamically provides TLS endpoints across our services.
All of our Certificate/PKI management is organised around Chef resources/providers and DSL within recipes for servers and clients.
Creation
We use step-cli to generate certificates on the server(s) as part of our Chef deployment. We support DH, RSA, DSA and ECDSA in a range of key sizes.
These certificates are then signed by the CA and configured for the service implementing them, with a separate certificate for each service.
We have bundled our step-cli with systemd timers so that certificates renew automatically; set up the systemd services as described at https://smallstep.com/docs/step-ca/renewal/#automated-renewal.
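As an added example (not the page's own code, nor smallstep's), the shell function below writes a templated systemd service and timer pair modelled on the linked renewal recipe: the service renews only when `step certificate needs-renewal` reports the certificate is in the last third of its lifetime, then reloads the service that uses it. The unit name `cert-renewer@`, the paths under `/etc/step/certs` and `/etc/step-ca`, and the `UNIT_DIR`/`STEP_BIN`/`CERT_DIR` variables are assumptions.

```shell
#!/bin/sh
# Added example: generate cert-renewer@.service / cert-renewer@.timer so that
#   systemctl daemon-reload && systemctl enable --now cert-renewer@nginx.timer
# keeps /etc/step/certs/nginx.{crt,key} renewed. All paths are assumptions.
set -eu

UNIT_DIR="${UNIT_DIR:-/etc/systemd/system}"   # override to write elsewhere
STEP_BIN="${STEP_BIN:-/usr/bin/step}"
CERT_DIR="${CERT_DIR:-/etc/step/certs}"

write_renewer_units() {
  # %i is the instance name, e.g. "nginx" for cert-renewer@nginx.service
  cat > "$UNIT_DIR/cert-renewer@.service" <<EOF
[Unit]
Description=Certificate renewer for %I
After=network-online.target
StartLimitIntervalSec=0

[Service]
Type=oneshot
User=root
Environment=STEPPATH=/etc/step-ca CERT_LOCATION=${CERT_DIR}/%i.crt KEY_LOCATION=${CERT_DIR}/%i.key
# Exit 0 (renew) only once the certificate is past two thirds of its lifetime.
ExecCondition=${STEP_BIN} certificate needs-renewal \${CERT_LOCATION}
ExecStart=${STEP_BIN} ca renew --force \${CERT_LOCATION} \${KEY_LOCATION}
# Reload the consuming service, but only if it is actually running.
ExecStartPost=/usr/bin/env sh -c "! systemctl --quiet is-active %i.service || systemctl try-reload-or-restart %i"

[Install]
WantedBy=multi-user.target
EOF

  cat > "$UNIT_DIR/cert-renewer@.timer" <<EOF
[Unit]
Description=Timer for certificate renewal of %I

[Timer]
Persistent=true
OnCalendar=*:1/15
AccuracySec=1us
# Jitter so a fleet of hosts does not hit the CA at the same instant.
RandomizedDelaySec=5m

[Install]
WantedBy=timers.target
EOF
}
```

Because the check runs every 15 minutes but renewal only happens in the last third of the lifetime, short-lived certificates (hours) and long-lived ones (months) are handled by the same unit.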
CA
We use step-ca for signing, management and revocation services. Our step-ca deployment is highly scalable, with a PostgreSQL backend.
step-ca supports the ACME protocol. If you prefer to manage renewals outside orchestration, something like certbot could be used to perform this task.
SSH via X509
Our jump servers are accessed via an SSH tunnel using short-lived certificates. Only some simple ssh configuration is required:

```
host jumphost
  HostName ssh.example.com
  IdentityFile ~/.ssh/id_ed25519
  ProxyCommand proxytunnel -E -p ssh.example.com:443 -d 127.0.0.1:22 --cert=~/temporary-cert.pem --key=~/temporary-key.pem --cacert=/etc/pki/tls/certs/company-ca.pem
```
Fabio
Our load balancer infrastructure dynamically makes API calls to step-ca to place certificates into its certificate store, so it can terminate TLS endpoints and pass traffic through to the underlying services.
SSSD
User management is handled via our 389 Directory Server and sssd configured against it.
See also
- Certification Authority (RPM Package)
- Step Client (RPM Package)
- EULA (Software License)