|
|
@ -21,7 +21,7 @@ the token does contain the root fingerprint then it is simpler to use:
|
|
|
|
client, err := ca.Bootstrap(token)
|
|
|
|
client, err := ca.Bootstrap(token)
|
|
|
|
```
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
After the initialization there are examples of all the client methods. These
|
|
|
|
After the initialization, there are examples of all the client methods. These
|
|
|
|
methods are a convenient way to use the CA API. The first method, `Health`,
|
|
|
|
methods are a convenient way to use the CA API. The first method, `Health`,
|
|
|
|
returns the status of the CA server. If the server is up it will return
|
|
|
|
returns the status of the CA server. If the server is up it will return
|
|
|
|
`{"status":"ok"}`.
|
|
|
|
`{"status":"ok"}`.
|
|
|
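Review bot: the comma added in "After the initialization, there are examples" is fine, but the same hunk leaves "If the server is up it will return" without the matching comma; for consistency change it to "If the server is up, it will return `{"status":"ok"}`."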
@ -77,7 +77,7 @@ if err != nil { ... }
|
|
|
|
```
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
The following methods are for inpsecting Provisioners.
|
|
|
|
The following methods are for inpsecting Provisioners.
|
|
|
|
One method that returns a list of provisioners or a the encrypted key of one provisioner.
|
|
|
|
One method that returns a list of provisioners or an encrypted key of one provisioner.
|
|
|
|
|
|
|
|
|
|
|
|
```go
|
|
|
|
```go
|
|
|
|
// Without options it will return the first 20 provisioners.
|
|
|
|
// Without options it will return the first 20 provisioners.
|
|
|
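Review bot: "inpsecting" in "The following methods are for inpsecting Provisioners." is misspelled on both sides of the hunk and should be "inspecting". While here, "One method that returns a list of provisioners or an encrypted key of one provisioner." is a sentence fragment, and since the original "a the" was most likely meant to be "the" (a provisioner has one encrypted key, as `client.ProvisionerKey(...)` in the next hunk suggests), "the encrypted key of one provisioner" reads more accurately than "an encrypted key".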
@ -98,7 +98,7 @@ key, err := client.ProvisionerKey("DmAtZt2EhmZr_iTJJ387fr4Md2NbzMXGdXQNW1UWPXk")
|
|
|
|
```
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
The following example shows how to create a
|
|
|
|
The following example shows how to create a
|
|
|
|
tls.Config object that can be injected into servers and clients. By default these
|
|
|
|
tls.Config object that can be injected into servers and clients. By default, these
|
|
|
|
methods will spin off Go routines that auto-renew a certificate once (approximately)
|
|
|
|
methods will spin off Go routines that auto-renew a certificate once (approximately)
|
|
|
|
two thirds of the duration of the certificate has passed.
|
|
|
|
two thirds of the duration of the certificate has passed.
|
|
|
|
|
|
|
|
|
|
|
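Review bot: `tls.Config` is a Go type and should be in backticks like `Health` and `Bootstrap` elsewhere in the document; "Go routines" is conventionally written "goroutines". The added comma in "By default, these" is fine.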
@ -184,7 +184,7 @@ resp, err := client.Get("https://localhost:8443")
|
|
|
|
```
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
We will demonstrate the mTLS configuration in a different example. In this
|
|
|
|
We will demonstrate the mTLS configuration in a different example. In this
|
|
|
|
examplefor we will configure the server to only verify client certificates
|
|
|
|
example for we will configure the server to only verify client certificates
|
|
|
|
if they are provided.
|
|
|
|
if they are provided.
|
|
|
|
|
|
|
|
|
|
|
|
To being with let's start the Step CA:
|
|
|
|
To being with let's start the Step CA:
|
|
|
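Review bot: splitting "examplefor" into "example for" still leaves the ungrammatical "In this example for we will configure"; the stray "for" should be dropped: "In this example we will configure the server to only verify client certificates if they are provided." The unchanged line "To being with let's start the Step CA:" also has a typo and should read "To begin with, let's start the Step CA:".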
@ -226,7 +226,7 @@ If you'd like to turn off curl's verification of the certificate, use
|
|
|
|
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
|
|
|
|
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
|
|
|
|
```
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
Now lets use the root certificate generated for the Step PKI. It should work.
|
|
|
|
Now let's use the root certificate generated for the Step PKI. It should work.
|
|
|
|
|
|
|
|
|
|
|
|
```sh
|
|
|
|
```sh
|
|
|
|
certificates $ curl --cacert examples/pki/secrets/root_ca.crt https://localhost:8443
|
|
|
|
certificates $ curl --cacert examples/pki/secrets/root_ca.crt https://localhost:8443
|
|
|
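Review bot: the curl flags in "HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure." should be in backticks (`--proxy-cacert`, `--proxy-insecure`) like the other code identifiers in the document, and "HTTPS-proxy" reads better as "curl's HTTPS proxy support". The "let's" fix is correct, and the `--cacert examples/pki/secrets/root_ca.crt` invocation is the right one to present as the normal path, since it verifies the server chain against the Step root instead of turning verification off.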
@ -236,7 +236,7 @@ Hello nobody at 2018-11-03 01:49:25.66912 +0000 UTC!!!
|
|
|
|
Notice that in the response we see `nobody`. This is because the server did not
|
|
|
|
Notice that in the response we see `nobody`. This is because the server did not
|
|
|
|
detected a TLS client configuration.
|
|
|
|
detected a TLS client configuration.
|
|
|
|
|
|
|
|
|
|
|
|
But if we create a client with it's own certificate (generated by the Step CA),
|
|
|
|
But if we create a client with its own certificate (generated by the Step CA),
|
|
|
|
we should see the Common Name of the client certificate:
|
|
|
|
we should see the Common Name of the client certificate:
|
|
|
|
|
|
|
|
|
|
|
|
```sh
|
|
|
|
```sh
|
|
|
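Review bot: "the server did not detected a TLS client configuration" is unchanged in this hunk and is both ungrammatical and imprecise: "did not detected" should be "did not detect", and what the server did not receive is a client certificate, so "did not receive a TLS client certificate" matches the following paragraph about creating a client with its own certificate. The "it's" to "its" fix is correct.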
@ -304,7 +304,7 @@ We can use the bootstrap-server to demonstrate certificate rotation. We've
|
|
|
|
added a second provisioner, named `mike@smallstep.com`, to the CA configuration.
|
|
|
|
added a second provisioner, named `mike@smallstep.com`, to the CA configuration.
|
|
|
|
This provisioner is has a default certificate duration of 2 minutes.
|
|
|
|
This provisioner is has a default certificate duration of 2 minutes.
|
|
|
|
Let's run the server, and inspect the certificate. We can should be able to
|
|
|
|
Let's run the server, and inspect the certificate. We can should be able to
|
|
|
|
see the certificate rotate once approximately 2/3rds of it's lifespan has passed.
|
|
|
|
see the certificate rotate once approximately 2/3rds of its lifespan has passed.
|
|
|
|
|
|
|
|
|
|
|
|
```sh
|
|
|
|
```sh
|
|
|
|
certificates $ export STEPPATH=examples/pki
|
|
|
|
certificates $ export STEPPATH=examples/pki
|
|
|
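Review bot: two errors on unchanged lines remain: "This provisioner is has a default certificate duration" should drop "is", and "We can should be able to see" should drop "can". The "it's" to "its" fix is correct; "2/3rds" would also be better written "two-thirds" to match the "two thirds of the duration" wording used earlier in the document.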
@ -320,7 +320,7 @@ The exact formula is `<duration>-<duration>/3-rand(<duration>/20)` (`duration=12
|
|
|
|
in our example).
|
|
|
|
in our example).
|
|
|
|
|
|
|
|
|
|
|
|
We can use the following command to check the certificate expiration and to make
|
|
|
|
We can use the following command to check the certificate expiration and to make
|
|
|
|
sure the certificate changes after 74-80 seconds.
|
|
|
|
sure the certificate changes after 74-80 seconds.
|
|
|
|
|
|
|
|
|
|
|
|
```sh
|
|
|
|
```sh
|
|
|
|
certificates $ step certificate inspect --insecure https://localhost:8443
|
|
|
|
certificates $ step certificate inspect --insecure https://localhost:8443
|
|
|
|
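Review bot: none of the visible lines in this hunk differ between the two sides, so it is worth confirming that the intended change is not missing. The "74-80 seconds" figure does check out against the formula in the hunk header for the 2-minute duration used in this example: 120 - 120/3 - rand(120/20) = 80 - rand(6), i.e. renewal between 74 and 80 seconds; stating that arithmetic next to the number would save the reader the derivation. A short clause explaining why `--insecure` is needed for the `step certificate inspect` call (the demo server chains to the example root rather than a system-trusted CA, as the earlier `curl --cacert` step shows) would also help readers understand that the flag is specific to this demo.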