1. Information

2. Linux

2.1. Installation of Step Client

  • See https://smallstep.com/docs/step-cli/installation/#debianubuntu.

  • Enter the following commands at a Command Line.

    sudo apt-get update
    sudo apt-get install -y --no-install-recommends curl gpg ca-certificates
    sudo curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg -o /etc/apt/keyrings/smallstep.asc
    cat << EOF | sed -e "s/^  //" | sudo tee /etc/apt/sources.list.d/smallstep.sources
      Types: deb
      URIs: https://packages.smallstep.com/stable/debian
      Suites: debs
      Components: main
      Signed-By: /etc/apt/keyrings/smallstep.asc
    EOF
    sudo apt-get update
    sudo apt-get -y install step-cli
    
    step --version                  # Smallstep CLI/0.29.0 (linux/amd64)
                                    # Release Date: 2025-12-03T04:11:27Z

2.2. Installation of Step Server

  • See https://smallstep.com/docs/step-ca/installation/#debianubuntu.

  • Enter the following commands at a Command Line.

    sudo apt-get update
    sudo apt-get install -y --no-install-recommends curl gpg ca-certificates
    sudo curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg -o /etc/apt/keyrings/smallstep.asc
    cat << EOF | sed -e "s/^  //" | sudo tee /etc/apt/sources.list.d/smallstep.sources
      Types: deb
      URIs: https://packages.smallstep.com/stable/debian
      Suites: debs
      Components: main
      Signed-By: /etc/apt/keyrings/smallstep.asc
    EOF
    sudo apt-get update
    sudo apt-get -y install step-cli step-ca
    
    step --version                  # Smallstep CLI/0.29.0 (linux/amd64)
                                    # Release Date: 2025-12-03T04:11:27Z
    step-ca --version               # Smallstep CA/0.29.0 (linux/amd64)
                                    # Release Date: 2025-12-03T05:01:41Z

2.3. Configuration

  • See https://smallstep.com/docs/step-ca/getting-started.

  • Note: Do not use port 8443 as it is the default port used by Incus.

  • Note: Do not use port 9443 as it is the default port used by Veeam Backup Manager.

  • Enter the following commands at a Command Line.

    step ca init \
      --address=127.0.0.1:7443 \
      --deployment-type=standalone \
      --dns=localhost \
      --name="Delta Software Labs" \
      --provisioner=delta@deltasoftware.frl \
      --ssh
    
    # Type the level 1 password and press Enter.
    Generating root certificate... done!
    Generating intermediate certificate... done!
    Generating user and host SSH certificate signing keys... done!
    
    ✔ Root certificate: /home/delta/.step/certs/root_ca.crt
    ✔ Root private key: /home/delta/.step/secrets/root_ca_key
    ✔ Root fingerprint: b108fcf44354935913cef36086e430380f77a4192888d4fa33ff2d853856ef25
    ✔ Intermediate certificate: /home/delta/.step/certs/intermediate_ca.crt
    ✔ Intermediate private key: /home/delta/.step/secrets/intermediate_ca_key
    ✔ SSH user public key: /home/delta/.step/certs/ssh_user_ca_key.pub
    ✔ SSH user private key: /home/delta/.step/secrets/ssh_user_ca_key
    ✔ SSH host public key: /home/delta/.step/certs/ssh_host_ca_key.pub
    ✔ SSH host private key: /home/delta/.step/secrets/ssh_host_ca_key
    ✔ Database folder: /home/delta/.step/db
    ✔ Templates folder: /home/delta/.step/templates
    ✔ Default configuration: /home/delta/.step/config/defaults.json
    ✔ Certificate Authority configuration: /home/delta/.step/config/ca.json
    
    Your PKI is ready to go. To generate certificates for individual services see 'step help ca'.
  • Make a note of the root fingerprint.

  • It is needed in future steps to establish trust with the CA from other environments or hosts.

  • Enter the following commands at a Command Line.

    ls -al ~/.step
    
    # Run the certificate authority and pass it the configuration file just generated.
    step-ca $(step path)/config/ca.json
    # Type the password to decrypt /home/delta/.step/secrets/intermediate_ca_key and press Enter.
    # Type the password to decrypt /home/delta/.step/secrets/ssh_host_ca_key and press Enter.
    # Type the password to decrypt /home/delta/.step/secrets/ssh_user_ca_key and press Enter.
    
    # Type Ctrl+C to exit the certificate authority.
  • Enter the following commands at another Command Line.

    step ca health
    # Verify the TLS connection against the CA's own root instead of skipping verification with --insecure.
    curl --cacert $(step path)/certs/root_ca.crt --verbose https://localhost:7443
    
    # Ask the CA for a certificate (srv.crt) and private key (srv.key) for an example server on localhost.
    # With the default key type (ECDSA P-256):
    step ca certificate localhost srv.crt srv.key
    # Or with an Ed25519 key instead (this overwrites the srv.crt and srv.key from the previous command):
    step ca certificate --kty OKP --curve Ed25519 localhost srv.crt srv.key
    # Select the delta@deltasoftware.frl (JWK) provisioner.
    # Type the level 1 password and press Enter.
    ✔ CA: https://localhost:7443
    ✔ Certificate: srv.crt
    ✔ Private Key: srv.key

2.4. Configuration for Remote Access

To access your CA remotely, install the step command on each client and use it, or use any ACME client once an ACME provisioner has been added to the CA (the init above created only a JWK provisioner).

Because the CA root certificate is self-signed, clients do not trust it automatically. Every new step client must first establish trust with the CA, which is done by supplying the CA fingerprint to step ca bootstrap. The fingerprint is not a signature: it is the SHA-256 hash of the root CA certificate, the value printed by step ca init (and by step certificate fingerprint root_ca.crt). step ca bootstrap downloads the root certificate from the CA and saves it only if its hash matches the fingerprint you supply, so the fingerprint must come from an out-of-band source (the CA host itself, a note made at init time), never from the CA over the network.

  • Configure step to access the CA from a new machine.

    # Download the root CA certificate and write CA connection details to ~/.step/config/defaults.json.
    # <fingerprint> is the root fingerprint noted at step ca init, obtained out of band, not from the CA itself.
    step ca bootstrap --ca-url https://localhost:7443 --fingerprint <fingerprint>
    # The step command will now trust the CA.
    The root certificate has been saved in /home/<user>/.step/certs/root_ca.crt.
    Your configuration has been saved in /home/<user>/.step/config/defaults.json.

  • Note: as initialised above (--address=127.0.0.1:7443, --dns=localhost) the CA listens on loopback only and its TLS certificate names only localhost, so https://localhost:7443 works from the CA host itself but not from another machine. For real remote access, initialise the CA (or edit address and dnsNames in ca.json) with an address and DNS name that the clients can reach, and use that name in --ca-url.
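The trust decision above rests entirely on that fingerprint, so it is worth knowing exactly what is being compared. The script below is an added example, not Smallstep code: it recomputes the fingerprint of a PEM certificate with coreutils only. Smallstep's fingerprint is the SHA-256 digest of the certificate's DER encoding printed as hex, which is what step certificate fingerprint root_ca.crt prints and what step ca bootstrap --fingerprint checks the downloaded root against. The script takes the certificate path and the expected value (as noted at step ca init) as its two arguments; the function and file names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not Smallstep code): recompute the root CA fingerprint that
# `step ca bootstrap --fingerprint` checks, using only coreutils. Smallstep's
# fingerprint is the SHA-256 digest of the certificate's DER encoding, in hex.

# Print the SHA-256 fingerprint (lowercase hex) of the first certificate in a PEM file.
pem_sha256_fingerprint() {
  local pem="$1"
  # Keep the first BEGIN..END block, drop the armour lines, decode the base64
  # body back to DER and hash the raw DER bytes.
  sed -n -e '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/{p;/-----END CERTIFICATE-----/q;}' "$pem" \
    | sed '/-----/d' \
    | base64 -d \
    | sha256sum \
    | cut -d' ' -f1
}

# Normalise a fingerprint as a human might paste it: drop colons, spaces and
# newlines, lowercase the hex digits.
normalize_fingerprint() {
  printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Return 0 only if the PEM file's fingerprint equals EXPECTED (obtained out of band).
# Returns 2 for a malformed expected value, 1 for a mismatch.
verify_root_fingerprint() {
  local pem="$1" expected actual
  expected=$(normalize_fingerprint "$2")
  if [ "${#expected}" -ne 64 ]; then
    echo "expected fingerprint must be 64 hex characters, got ${#expected}" >&2
    return 2
  fi
  actual=$(pem_sha256_fingerprint "$pem")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $pem has fingerprint $actual"
    return 0
  fi
  echo "MISMATCH: $pem has fingerprint $actual, expected $expected" >&2
  return 1
}

# Usage: ./verify_root.sh ~/.step/certs/root_ca.crt <fingerprint noted at step ca init>
if [ "$#" -eq 2 ]; then
  verify_root_fingerprint "$1" "$2"
fi
```

A colon-separated, uppercase fingerprint (the form browsers and openssl show) is accepted as well, and a mismatch exits non-zero, so the script can gate a provisioning step that copies root_ca.crt into a client's trust store.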

2.5. Configuration as a Daemon

  • See https://smallstep.com/docs/step-ca/certificate-authority-server-production#running-step-ca-as-a-daemon.

  • Configure step-ca as a daemon.

  • Enter the following commands at a Command Line.

    # Add a service user for the CA.
    sudo useradd --user-group --system --home /etc/step-ca --shell /bin/false step
    
    # Give the step-ca binary low port-binding capabilities, if the CA will bind to port 443.
    # (Not needed for port 7443 as configured above, but harmless.)
    sudo setcap CAP_NET_BIND_SERVICE=+eip $(which step-ca)
    
    # Move the CA configuration into a system-wide location.
    # useradd does not create the home directory, so create it first.
    sudo mkdir -p /etc/step-ca
    sudo mv $(step path)/* /etc/step-ca
    
    # Make sure your CA password is located in /etc/step-ca/password.txt, so that it can be read upon server startup.
    # Create the file with restrictive permissions first, then put the password in it with an editor rather
    # than on the command line (a password passed to echo ends up in the shell history).
    sudo touch /etc/step-ca/password.txt
    sudo chmod 600 /etc/step-ca/password.txt
    sudoedit /etc/step-ca/password.txt
    
    # Edit the /etc/step-ca/config/ca.json and defaults.json files to reflect the new path
    # (root, crt, key and db.dataSource still point at the old $(step path)).
    sudo sed -i "s|$(step path)|/etc/step-ca|g" /etc/step-ca/config/ca.json /etc/step-ca/config/defaults.json
    grep -rn "$(step path)" /etc/step-ca/config    # should print nothing
    
    # Modify your ca.json file to point to the new database location.
    # (The sed above already did this; this is the equivalent targeted jq edit.)
    cat <<< $(jq '.db.dataSource = "/etc/step-ca/db"' /etc/step-ca/config/ca.json) > /etc/step-ca/config/ca.json
    
    # Set the step user as the owner of the CA configuration directory. Do this last, after the edits above.
    sudo chown -R step:step /etc/step-ca
  • Contents of the /etc/systemd/system/step-ca.service file.

    [Unit]
    Description=step-ca service
    Documentation=https://smallstep.com/docs/step-ca
    Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
    After=network-online.target
    Wants=network-online.target
    StartLimitIntervalSec=30
    StartLimitBurst=3
    ConditionFileNotEmpty=/etc/step-ca/config/ca.json
    ConditionFileNotEmpty=/etc/step-ca/password.txt
    
    [Service]
    Type=simple
    User=step
    Group=step
    Environment=STEPPATH=/etc/step-ca
    WorkingDirectory=/etc/step-ca
    ExecStart=/usr/bin/step-ca config/ca.json --password-file password.txt
    ExecReload=/bin/kill --signal HUP $MAINPID
    Restart=on-failure
    RestartSec=5
    TimeoutStopSec=30
    
    ; Process capabilities & privileges
    AmbientCapabilities=CAP_NET_BIND_SERVICE
    CapabilityBoundingSet=CAP_NET_BIND_SERVICE
    SecureBits=keep-caps
    NoNewPrivileges=yes
    
    ; Sandboxing
    ProtectSystem=full
    ProtectHome=true
    RestrictNamespaces=true
    RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
    PrivateTmp=true
    PrivateDevices=true
    ProtectClock=true
    ProtectControlGroups=true
    ProtectKernelTunables=true
    ProtectKernelLogs=true
    ProtectKernelModules=true
    LockPersonality=true
    RestrictSUIDSGID=true
    RemoveIPC=true
    RestrictRealtime=true
    SystemCallFilter=@system-service
    SystemCallArchitectures=native
    MemoryDenyWriteExecute=true
    ReadWriteDirectories=/etc/step-ca/db
    
    [Install]
    WantedBy=multi-user.target
  • Enter the following commands at a Command Line.

    # Enable and start the service.
    sudo systemctl enable step-ca
    sudo systemctl start  step-ca
    
    sudo systemctl status step-ca
    # The user's ~/.step is empty after the move above, so re-run step ca bootstrap (see 2.4)
    # before using the step client against the daemon.
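Before enabling the service it pays to confirm that the relocated tree has no leftover references to the old STEPPATH (a missed path makes step-ca fail to start because it cannot read its certificates or database) and that the password file and the private keys are not readable by other users. The script below is an added example, not part of the Smallstep docs: it takes the old and new STEPPATH as its two arguments, performs the path rewrite from the steps above and then runs those checks. It assumes the tree produced by step ca init (config/ca.json, config/defaults.json, secrets/, db/) moved as shown; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the Smallstep docs: finish the move of the CA tree from
# the old STEPPATH (e.g. /home/delta/.step) to the new one (/etc/step-ca) and
# check the tree before the daemon is enabled. Assumes the layout made by
# `step ca init` (config/, secrets/, db/) and a one-line password.txt.

# Rewrite every absolute reference to OLD in the JSON config files under NEW/config.
relocate_steppath() {
  local old="$1" new="$2" f
  for f in "$new/config/ca.json" "$new/config/defaults.json"; do
    [ -f "$f" ] || continue
    # '|' as the sed delimiter because the paths contain '/'.
    sed -i "s|$old|$new|g" "$f"
  done
}

# Print each problem found and return non-zero if the tree is not ready for step-ca.
check_step_ca_tree() {
  local old="$1" new="$2" problems=0 f mode
  if grep -rq -- "$old" "$new/config"; then
    echo "stale reference to $old under $new/config" >&2; problems=$((problems + 1))
  fi
  if [ ! -s "$new/password.txt" ]; then
    echo "$new/password.txt is missing or empty" >&2; problems=$((problems + 1))
  else
    mode=$(stat -c %a "$new/password.txt")
    if [ "$mode" != "600" ]; then
      echo "$new/password.txt should be mode 600, is $mode" >&2; problems=$((problems + 1))
    fi
  fi
  # Private keys (intermediate CA and SSH CA keys) must not be readable by other users.
  for f in "$new"/secrets/*; do
    [ -e "$f" ] || continue
    mode=$(stat -c %a "$f")
    if [ "$mode" != "600" ]; then
      echo "$f should be mode 600, is $mode" >&2; problems=$((problems + 1))
    fi
  done
  # The database directory must exist: it is the only path the unit file leaves writable.
  if [ ! -d "$new/db" ]; then
    echo "$new/db does not exist" >&2; problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ]
}

# Usage (as root, after the mv and before the chown): ./relocate_step_ca.sh /home/delta/.step /etc/step-ca
if [ "$#" -eq 2 ]; then
  relocate_steppath "$1" "$2"
  check_step_ca_tree "$1" "$2" && echo "$2 is ready for the step-ca service"
fi
```

Run it before the final chown -R step:step so that the files are still writable by the user doing the edit; a non-zero exit means one of the printed problems must be fixed before systemctl start.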

3. Windows

3.1. Installation of Step Client

  • See https://smallstep.com/docs/step-cli/installation/#windows.

    winget install Smallstep.step
    
    where step      # C:\Users\Douwe\AppData\Local\Microsoft\WinGet\Packages\Smallstep.step_Microsoft.Winget.Source_8wekyb3d8bbwe\step_0.28.7\bin\step.exe
    step --version  # Smallstep CLI/0.28.7 (windows/amd64)
                    # Release Date: 2025-07-14T04:10:42Z