For generating locally trusted certificates, primarily to permit internal clusters to interact with the nerc-ocp-infra vault instance.
-
Install the
stepcommand line tool. -
Get the fingerprint of the root certificate:
fingerprint=$(curl -s -k https://step-ca.apps.nerc-ocp-infra.rc.fas.harvard.edu/roots.pem | step certificate fingerprint /dev/stdin) -
Configure the client with the
step ca bootstrapcommand:step ca bootstrap --ca-url https://step-ca.apps.nerc-ocp-infra.rc.fas.harvard.edu --fingerprint "$fingerprint"You should see output like:
The root certificate has been saved in /home/larsks/.step/authorities/step-ca.apps.nerc-ocp-infra.rc.fas.harvard.edu/certs/root_ca.crt. The authority configuration has been saved in /home/larsks/.step/authorities/step-ca.apps.nerc-ocp-infra.rc.fas.harvard.edu/config/defaults.json. The profile configuration has been saved in /home/larsks/.step/profiles/step-ca.apps.nerc-ocp-infra.rc.fas.harvard.edu/config/defaults.json.
You can issue certificates using the step ca certficiate command. For example, to issue a certificate for api.nerc-ocp-test.rc.fas.harvard.edu, you would run:
step ca certificate api.nerc-ocp-test.rc.fas.harvard.edu server.crt server.key
This will prompt you for a password:
✔ Provisioner: admin (JWK) [kid: Lbb59Yv-nw1pUWV400-TU7W03jfjoo33qF4eccY1jG4]
Please enter the password to decrypt the provisioner key: █
Use the password field from nerc-ocp-infra/step-ca/step-ca-password in the vault.
This would create server.crt with the certificate and server.key with the private key.