Skip to content

Latest commit

 

History

History
119 lines (94 loc) · 3.71 KB

File metadata and controls

119 lines (94 loc) · 3.71 KB

Step CA Step CA

Basic Information

Private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH

Category Core Services
Platform nixos
Version 0.29.0
Site link https://smallstep.com/certificates/
Nix Homelab Module modules/features/step-ca

⚠️ Deprecation Notice

This feature is deprecated. While it works fine, it has significant limitations: it's difficult to add the self-signed CA to all devices. For example, Firefox on Android doesn't use the Android root CA store.

Recommended alternative: Use public domain names (with private IPs) and DNS-01 challenge for automated certificate management with Let's Encrypt.

What is Step CA?

Step CA is an online certificate authority and related tools for secure automated certificate management. It allows you to run your own private Certificate Authority (CA) to issue X.509 and SSH certificates for your internal infrastructure.

Step CA provides a modern, developer-friendly alternative to traditional CAs, with ACME protocol support for automated certificate issuance and renewal, similar to Let's Encrypt but for your private network.

Why Was Step CA Used?

Private certificate authority for internal services with automated certificate management

Original benefits:

  • Private CA: Issue certificates for internal-only services
  • ACME Support: Automated certificate generation and renewal
  • No External Dependencies: Works completely offline
  • SSH Certificates: Support for SSH certificate authentication
  • Fine-grained Control: Complete control over certificate policies
  • No Rate Limits: Unlike public CAs, no issuance limits

Key Features

1. ACME Protocol Support

Full ACME protocol implementation for automated certificate management:

security.acme = {
  acceptTerms = true;
  defaults.server = "https://ca.ma-cabane.net:10000/acme/acme/directory";
  defaults.email = "admin@ma-cabane.eu";
};

2. Automatic Certificate Generation

Certificates and keys were automatically generated using step-cli:

  • Root CA password and keypair
  • Intermediate CA password and keypair
  • Automatic signing of intermediate by root

Misc

System-wide CA Trust

The root CA was automatically trusted system-wide:

security.pki.certificateFiles = [
  secrets.step-ca-root-ca.files."root-ca.crt".path
];

Reset All ACME Certificates

For reseting all CA, you can use the @service-step-ca-reset-all-acme-certs command

Learn More