Smallstep as a SubCA

[dopey]

Is it possible to create internal PKI with root CA and sub CA based on smallstep?

I would like to create:

Root CA (smallstep)
SubCA to generate vpn certificates
SubCA to generate web SSL certificates
SubCA to generate certificates for certificates for services like Postgres

[dopey]

Yes!

step-ca already always uses a Root + SubCA. When you run step ca init without any flags step-ca will generate a root and intermediate certificate (with accompanying) private keys using good defaults for cryptographic primitives. The intermediate then becomes a SubCA which signs all new certificate requests.

step-ca can only use a single SubCA to sign certificate requests. Therefore, my recommendation would be to run multiple instances of step-ca. One per SubCA. You can generate configurations and SubCAs by running STEPPATH=/tmp/[vpn | ssl | postgres | etc. ] step ca init --root <file> --key <file>. Make sure to use STEPPATH=... when running that command otherwise the command will attempt to overwrite files in your ~/.step directory. (we always ask before overwriting anything, so there isn't anything to worry about).

Then you'll need to run 3 instances of step-ca; each will be responsible for signing certificates for a different part of your infrastructure.

In the future we plan allow configuration of the subCA per provisioner. Which would allow users to run multiple subCAs per instance. But this hasn't been spec'ed or roadmapped, so for the time being, multiple instances are your best bet.