diff --git a/ct/headers/step-ca b/ct/headers/step-ca new file mode 100644 index 000000000..f6d7f7ca4 --- /dev/null +++ b/ct/headers/step-ca @@ -0,0 +1,6 @@ + __ + _____/ /____ ____ _________ _ + / ___/ __/ _ \/ __ \______/ ___/ __ `/ + (__ ) /_/ __/ /_/ /_____/ /__/ /_/ / +/____/\__/\___/ .___/ \___/\__,_/ + /_/ diff --git a/ct/step-ca.sh b/ct/step-ca.sh new file mode 100644 index 000000000..dd30eb009 --- /dev/null +++ b/ct/step-ca.sh @@ -0,0 +1,46 @@ +#!/usr/bin/env bash +source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVED/main/misc/build.func) +# Copyright (c) 2021-2026 community-scripts ORG +# Author: Joerg Heinemann (heinemannj) +# License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE +# Source: https://github.com/smallstep/certificates + +APP="step-ca" +var_tags="${var_tags:-certificate-authority;pki;acme-server}" +var_cpu="${var_cpu:-1}" +var_ram="${var_ram:-512}" +var_disk="${var_disk:-2}" +var_os="${var_os:-debian}" +var_version="${var_version:-13}" +var_unprivileged="${var_unprivileged:-1}" + +header_info "$APP" +variables +color +catch_errors + +function update_script() { + header_info + check_container_storage + check_container_resources + if [[ ! -f /etc/apt/sources.list.d/smallstep.sources ]]; then + msg_error "No ${APP} Installation Found!" + exit + fi + + msg_info "Updating step-ca and step-cli" + $STD apt update + $STD apt upgrade -y step-ca step-cli + msg_ok "Updated step-ca and step-cli" + msg_ok "Updated successfully!" + exit +} + +start +build_container +description + +msg_ok "Completed successfully!\n" +echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}" +echo -e "${INFO}${YW} Access it using the following URL:${CL}" +echo -e "${TAB}${GATEWAY}${BGN}https://${IP}/provisioners${CL}" diff --git a/frontend/public/json/step-ca.json b/frontend/public/json/step-ca.json new file mode 100644 index 000000000..2cbf73e4b --- /dev/null +++ b/frontend/public/json/step-ca.json @@ -0,0 +1,40 @@ +{ + "name": "step-ca", + "slug": "step-ca", + "categories": [ + 6 + ], + "date_created": "2026-02-03", + "type": "ct", + "updateable": true, + "privileged": false, + "interface_port": 443, + "documentation": "https://smallstep.com/docs/step-ca/", + "website": "https://github.com/smallstep/certificates", + "logo": "https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/step-ca.webp", + "config_path": "/etc/step-ca", + "description": "A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.", + "install_methods": [ + { + "type": "default", + "script": "ct/step-ca.sh", + "resources": { + "cpu": 1, + "ram": 512, + "hdd": 2, + "os": "debian", + "version": "13" + } + } + ], + "default_credentials": { + "username": "root", + "password": null + }, + "notes": [ + { + "text": "For required post installation actions, checkout: `https://github.com/community-scripts/ProxmoxVE/discussions/tbd-XXXXXXXXXXXX`", + "type": "info" + } + ] +} diff --git a/install/step-ca-install.sh b/install/step-ca-install.sh new file mode 100644 index 000000000..e4223acc0 --- /dev/null +++ b/install/step-ca-install.sh @@ -0,0 +1,222 @@ +#!/usr/bin/env bash + +# Copyright (c) 2021-2026 community-scripts ORG +# Author: Joerg Heinemann (heinemannj) +# License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE +# Source: https://github.com/smallstep/certificates + +source /dev/stdin <<<"$FUNCTIONS_FILE_PATH" +color +verb_ip6 +catch_errors +setting_up_container +network_check +update_os + +msg_info "Install smallstepp repositories" +setup_deb822_repo \ + "smallstep" \ + "https://packages.smallstep.com/keys/apt/repo-signing-key.gpg" \ + "https://packages.smallstep.com/stable/debian" \ + "debs" \ + "main" +msg_ok "Installed smallstep repositories" + +msg_info "Installing step-ca and step-cli" +$STD apt install -y step-ca step-cli +msg_ok "Installed step-ca and step-cli" + +msg_info "Define smallstep environment variables" +STEPHOME="/root/.step" +$STD export STEPPATH=/etc/step-ca +$STD export STEPHOME=$STEPHOME +msg_ok "Defined smallstep environment variables" + +msg_info "Add smallstep environment variables to /etc/profile" +$STD sed -i '1i export STEPPATH=/etc/step-ca' /etc/profile +$STD sed -i '1i export STEPHOME=/root/.step' /etc/profile +msg_ok "Added smallstep environment variables to /etc/profile" + +msg_info "Authorize step-ca binary with low port-binding capabilities" +$STD setcap CAP_NET_BIND_SERVICE=+eip $(which step-ca) +msg_ok "Authorized low port-binding capabilities" + +msg_info "Add a smallstepp CA service user - Will only be used by systemd to manage the CA" +$STD useradd --user-group --system --home $(step path) --shell /bin/false step +msg_ok "Created smallstepp CA service user" + +# +# Quick & Dirty step-ca init options - to be improved via whiptail +# +DeploymentType="standalone" +FQDN=$(hostname -f) +DomainName=$(hostname -d) +IP=$(hostname -I | awk '{print $1}') +LISTENER=":443" +PKIName="MyHomePKI" +PKIProvisioner="pki@$DomainName" +AcmeProvisioner="acme@$DomainName" +X509MinDur="48h" +X509MaxDur="87600h" +X509DefaultDur="168h" + +msg_info "Initializing step-ca" +EncryptionPwdDir="$(step path)/encryption" +PwdFile="$EncryptionPwdDir/ca.pwd" +ProvisionerPwdFile="$EncryptionPwdDir/provisioner.pwd" + +$STD mkdir -p "$EncryptionPwdDir" + +$STD gpg --gen-random --armor 2 32 >"$PwdFile" +$STD gpg --gen-random --armor 2 32 >"$ProvisionerPwdFile" + +$STD step ca init \ + --deployment-type=$DeploymentType \ + --ssh \ + --name=$PKIName \ + --dns="$FQDN" \ + --dns="$IP" \ + --address=$LISTENER \ + --provisioner="$PKIProvisioner" \ + --password-file="$PwdFile" \ + --provisioner-password-file="$ProvisionerPwdFile" + +echo +echo "Make a note of the root fingerprint!" +echo "You'll need it in future steps to establish trust with your CA from other environments or hosts." +echo + +$STD ln -s "$PwdFile" "$(step path)/password.txt" + +$STD chown -R step:step $(step path) +$STD chmod -R 700 $(step path) + +msg_ok "Initialized step-ca" + +msg_info "Add ACME provisioner" +$STD step ca provisioner add "$AcmeProvisioner" --type ACME --admin-name "$AcmeProvisioner" +msg_ok "Added ACME provisioner" + +msg_info "Update provisioner configurations" +$STD step ca provisioner update "$PKIProvisioner" \ + --x509-min-dur=$X509MinDur \ + --x509-max-dur=$X509MaxDur \ + --x509-default-dur=$X509DefaultDur \ + --allow-renewal-after-expiry + +$STD step ca provisioner update "$AcmeProvisioner" \ + --x509-min-dur=$X509MinDur \ + --x509-max-dur=$X509MaxDur \ + --x509-default-dur=$X509DefaultDur \ + --allow-renewal-after-expiry +msg_ok "Updated provisioner configurations" + +msg_info "Start step-ca as a Daemon" +ServiceFileGitHUB="https://raw.githubusercontent.com/smallstep/certificates/refs/heads/master/systemd/step-ca.service" +$STD curl -fsSL $ServiceFileGitHUB >/etc/systemd/system/step-ca.service + +$STD systemctl daemon-reload -q +$STD systemctl enable -q --now step-ca +msg_ok "Started step-ca as a Daemon" + +msg_info "Install root CA certificate into system's default trust store" +$STD step certificate install --all $(step path)/certs/root_ca.crt +$STD update-ca-certificates +msg_ok "Installed root CA certificate into system's default trust store" + +msg_info "Install step-batcher to export step-ca badger database" +StepBadgerGitHUB="https://github.com/lukasz-lobocki/step-badger/releases/latest/download" +StepBadgerArchive="step-badger_Linux_x86_64.tar.gz" +StepBadgerDir="$STEPHOME/step-badger" +StepBadgerExe="$StepBadgerDir/step-badger" +StepBadgerX509Certs="$STEPHOME/step-badger-x509Certs.sh" +StepBadgerSshCerts="$STEPHOME/step-badger-sshCerts.sh" + +$STD mkdir -p $StepBadgerDir +$STD curl -fsSL "$StepBadgerGitHUB/$StepBadgerArchive" >$StepBadgerDir/$StepBadgerArchive +$STD tar -xf $StepBadgerDir/$StepBadgerArchive -C $StepBadgerDir + +$STD chmod 700 $StepBadgerDir +$STD chmod 400 $StepBadgerDir/* +$STD chmod 755 $StepBadgerExe + +$STD cp $StepBadgerExe /usr/local/bin/ + +$STD mkdir --parents "$STEPHOME/db-copy/" +$STD mkdir --parents "$STEPHOME/certs/ca/" +$STD mkdir --parents "$STEPHOME/certs/ssh/" +$STD mkdir --parents "$STEPHOME/certs/x509/" + +$STD cat <<'EOF' >$StepBadgerX509Certs +#!/usr/bin/env bash +# +# See: https://github.com/lukasz-lobocki/step-badger +# + +cp --recursive --force "$(step path)/db/"* "$STEPHOME/db-copy/" +cp --recursive --force "$(step path)/certs/"* "$STEPHOME/certs/ca/" + +step-badger" x509Certs "$STEPHOME/db-copy" \ + --dnsnames \ + --emailaddresses \ + --ipaddresses \ + --uris \ + --issuer \ + --crl \ + --provisioner \ + --algorithm +EOF +$STD cat <<'EOF' >$StepBadgerSshCerts +#!/usr/bin/env bash +# +# See: https://github.com/lukasz-lobocki/step-badger +# + +cp --recursive --force "$(step path)/db/"* "$STEPHOME/db-copy/" +cp --recursive --force "$(step path)/certs/"* "$STEPHOME/certs/ca/" + +step-badger sshCerts "$STEPHOME/db-copy" \ + --algorithm +EOF +$STD chmod 700 $StepBadgerX509Certs +$STD chmod 700 $StepBadgerSshCerts +msg_ok "Installed step-batcher to export step-ca badger database" + +msg_info "Install step-ca helper scripts" +StepRequest="$STEPHOME/step-ca-request.sh" +StepRevoke="$STEPHOME/step-ca-revoke.sh" +$STD cat <<'EOF' >$StepRequest +#!/usr/bin/env bash +# +StepCertDir="$STEPHOME/certs/x509" + +HOST="brw4cd5770e36b4" +IP="192.168.178.136" +DOMAIN="fritz.box" +FQDN=$HOST.$DOMAIN +VALID_TO="2034-01-31T00:00:00Z" +PROVISIONER="pki@fritz.box" + +step ca certificate $FQDN $StepCertDir/$FQDN.crt $StepCertDir/$FQDN.key \ + --provisioner=$PROVISIONER \ + --not-after=$VALID_TO \ + --san $FQDN \ + --san $HOST \ + --san $IP + +step certificate inspect $StepCertDir/$FQDN.crt +EOF +$STD cat <<'EOF' >$StepRevoke +#!/usr/bin/env bash +# +# step ca revoke +# +step ca revoke +EOF +$STD chmod 700 $StepRequest +$STD chmod 700 $StepRevoke +msg_ok "Installed step-ca helper scripts" + +motd_ssh +customize +cleanup_lxc