Using step-ca as an intermediate CA with certificates provided by a parent CA


I am looking to use an intermediate CA which can sign certificates via ACME. We have a number of internal web servers which are not accessible on the internet which use SSL, all of which need to be managed manually. We already have an internal CA where the CA authority is installed on all internal machines. I was hoping to install step CA with a certificate provided from the existing authority which it can then use to sign certificates using ACME (all of the servers are in DNS and this DNS is managed internally, so a DNS name check is a valid check).

I can get most of the way but it appears that step-ca always uses a self-signed certificate for the ACME part of the service, so when certbot or whatever connects to the ACME service it just generates a certificate error because of the self-signed one that it is using for the communications (even though it would ultimately issue one which could be verified).

Has anyone any experience in addressing this? I could go and install the self-signed cert on all the relevant servers, but this kind of nullifies the point of using ACME; if I have to go and manually update a certificate every 6 months on a number of machines I might as well just keep with the current process.


There are 2 answers

mmalone (BEST ANSWER)

The ACME spec (RFC8555) requires that all communication between the ACME client (the thing getting a certificate) and the ACME server (in this case, step-ca) occur over TLS. That means step-ca needs its own certificate that your ACME clients trust in order to issue certificates using ACME. So yea, there’s a bit of a bootstrapping problem here.

To resolve this, step-ca issues itself a certificate using its intermediate cert/signing key automatically. That means you need to either:

  1. Configure all of your ACME clients to trust the root that step-ca generates when you run step ca init, or
  2. Configure step-ca to use an intermediate that chains up to an existing root that your clients already trust (see https://smallstep.com/docs/tutorials/intermediate-ca-new-ca).

If you manage your root certificate private key properly, you can use a much longer expiry than you’d typically use for leaf certificates. It’s a good idea to have a process in place to rotate your root certificate (e.g., using configuration management), but it’s not something you’ll need to do frequently. So there’s still a lot of value in using ACME, even if root distribution is required.

You can use step ca root and step certificate install to securely download and (optionally) install your root cert in your system’s trust store, respectively.

For more information on configuring specific ACME clients to connect to step-ca, see https://smallstep.com/docs/tutorials/acme-protocol-acme-clients.
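The two options in the answer come down to which certificate the ACME client's trust store already holds. The Go program below is an added example (mine, not step-ca's code and not from the answer) that uses only the standard library to model option 2: a constructed stand-in for the existing internal root issues an intermediate to step-ca, that intermediate issues the TLS certificate step-ca serves on its ACME endpoint, and the same chain-and-hostname check an ACME client's TLS stack performs then succeeds against a trust store that holds only the existing root, and fails when that root is absent or the hostname does not match. The host name ca.internal.example, the subjects and the lifetimes are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"os"
	"time"
)

// Chain holds the three certificates involved in option 2 of the answer:
// the organisation's existing root, the intermediate that root issues to
// step-ca, and the TLS certificate step-ca serves on its ACME endpoint.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// sign creates a certificate from tmpl with a fresh P-256 key. With
// parent == nil the certificate is self-signed (a root); otherwise it is
// signed by parentKey, the private key of parent.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate returns a CA template; pathLen 0 means "may only issue leaves",
// which is the constraint a parent CA would normally put on step-ca's intermediate.
func caTemplate(serial int64, cn string, pathLen, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0,
	}
}

// BuildChain models: existing root -> step-ca intermediate -> step-ca's own
// TLS certificate for acmeHost. All names are constructed for the example.
func BuildChain(acmeHost string) (*Chain, error) {
	root, rootKey, err := sign(caTemplate(1, "Internal Root CA (constructed)", 1, 10), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := sign(caTemplate(2, "step-ca Intermediate (constructed)", 0, 5), root, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: acmeHost},
		DNSNames:     []string{acmeHost}, // hostname checks use the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 0, 90),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := sign(leafTmpl, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyACMEEndpoint performs the check an ACME client's TLS stack performs
// when it connects to step-ca: the served leaf must chain, via the
// intermediate step-ca sends with it, to a root in the client's existing
// trust store, and its SAN must match host.
func VerifyACMEEndpoint(c *Chain, trusted *x509.CertPool, host string) error {
	inters := x509.NewCertPool()
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: trusted, Intermediates: inters})
	return err
}

func main() {
	c, err := BuildChain("ca.internal.example")
	if err != nil {
		fmt.Println("build:", err)
		os.Exit(1)
	}
	withRoot := x509.NewCertPool()
	withRoot.AddCert(c.Root)
	fmt.Println("client trusts existing root:", VerifyACMEEndpoint(c, withRoot, "ca.internal.example"))
	fmt.Println("client trusts nothing:      ", VerifyACMEEndpoint(c, x509.NewCertPool(), "ca.internal.example"))
}
```

The second line of output is the error the question describes (an unknown authority), and it disappears the moment the chain above is what step-ca serves, without touching the client's trust store; the intermediate's path length of zero also means that a compromise of step-ca's signing key cannot mint further CAs under the existing root.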

Mr. Ramos

Currently I am with the same challenge at my table. I am trying to set up an ACME end-to-end process. I would like to have a fully automated certificate process for all the internal services/servers. The idea is to eliminate the manual operation for certificates.

I got success installing and running the step-ca and using that as an ACME server, but I still need to distribute (manually) the CA certificate itself to all servers/services trust stores.

Anyway, so far the closest answer I could find is described here: https://smallstep.com/docs/tutorials/intermediate-ca-new-ca

So, if you already found a better solution for the question please share it here.