Private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH
| Category | Core Services |
|---|---|
| Platform | nixos |
| Version | 0.29.0 |
| Site link | https://smallstep.com/certificates/ |
| Nix Homelab Module | modules/features/step-ca |
This feature is deprecated. While it works fine, it has significant limitations: it's difficult to add the self-signed CA to all devices. For example, Firefox on Android doesn't use the Android root CA store.
Recommended alternative: Use public domain names (with private IPs) and DNS-01 challenge for automated certificate management with Let's Encrypt.
Step CA is an online certificate authority and related tools for secure automated certificate management. It allows you to run your own private Certificate Authority (CA) to issue X.509 and SSH certificates for your internal infrastructure.
Step CA provides a modern, developer-friendly alternative to traditional CAs, with ACME protocol support for automated certificate issuance and renewal, similar to Let's Encrypt but for your private network.
Private certificate authority for internal services with automated certificate management
Original benefits:
- Private CA: Issue certificates for internal-only services
- ACME Support: Automated certificate generation and renewal
- No External Dependencies: Works completely offline
- SSH Certificates: Support for SSH certificate authentication
- Fine-grained Control: Complete control over certificate policies
- No Rate Limits: Unlike public CAs, no issuance limits
Full ACME protocol implementation for automated certificate management:
security.acme = {
acceptTerms = true;
defaults.server = "https://ca.ma-cabane.net:10000/acme/acme/directory";
defaults.email = "admin@ma-cabane.eu";
};Certificates and keys were automatically generated using step-cli:
- Root CA password and keypair
- Intermediate CA password and keypair
- Automatic signing of intermediate by root
The root CA was automatically trusted system-wide:
security.pki.certificateFiles = [
secrets.step-ca-root-ca.files."root-ca.crt".path
];For reseting all CA, you can use the @service-step-ca-reset-all-acme-certs
command