diff --git a/Makefile b/Makefile
index 982287e9..093ecf62 100644
--- a/Makefile
+++ b/Makefile
@@ -6,6 +6,7 @@ Q=$(if $V,,@)
 PREFIX?=
 SRC=$(shell find . -type f -name '*.go' -not -path "./vendor/*")
 GOOS_OVERRIDE ?=
+OUTPUT_ROOT=output/
 # Set shell to bash for `echo -e`
 SHELL := /bin/bash
@@ -152,6 +153,70 @@ uninstall:
 .PHONY: install uninstall
+#########################################
+# Building Docker Image
+#
+# Builds a dockerfile for step by building a linux version of the step-cli and
+# then copying the specific binary when building the container.
+#
+# This ensures the container is as small as possible without having to deal
+# with getting access to private repositories inside the container during build
+# time.
+#########################################
+
+# XXX We put the output for the build in 'output' so we don't mess with how we
+# do rule overriding from the base Makefile (if you name it 'build' it messes up
+# the wildcarding).
+DOCKER_OUTPUT=$(OUTPUT_ROOT)docker/
+
+DOCKER_MAKE=V=$V GOOS_OVERRIDE='GOOS=linux GOARCH=amd64' PREFIX=$(1) make $(1)bin/$(2)
+DOCKER_BUILD=$Q docker build -t smallstep/$(1):latest -f docker/$(2) --build-arg BINPATH=$(DOCKER_OUTPUT)bin/$(1) .
+
+docker: docker-make docker/Dockerfile.step-ca
+	$(call DOCKER_BUILD,step-ca,Dockerfile.step-ca)
+
+docker-make:
+	mkdir -p $(DOCKER_OUTPUT)
+	$(call DOCKER_MAKE,$(DOCKER_OUTPUT),step-ca)
+
+.PHONY: docker docker-make
+
+#################################################
+# Releasing Docker Images
+#
+# Using the docker build infrastructure, this section is responsible for
+# logging into docker hub and pushing the built docker containers up with the
+# appropriate tags.
+#################################################
+
+DOCKER_TAG=docker tag smallstep/$(1):latest smallstep/$(1):$(2)
+DOCKER_PUSH=docker push smallstep/$(1):$(2)
+
+docker-tag:
+	$(call DOCKER_TAG,step-ca,$(VERSION))
+
+docker-push-tag: docker-tag
+	$(call DOCKER_PUSH,step-ca,$(VERSION))
+
+# Rely on DOCKER_USERNAME and DOCKER_PASSWORD being set inside the CI or
+# equivalent environment
+docker-login:
+	$Q docker login -u="$(DOCKER_USERNAME)" -p="$(DOCKER_PASSWORD)"
+
+.PHONY: docker-login docker-tag docker-push-tag
+
+#################################################
+# Targets for pushing the docker images
+#################################################
+
+# For all builds on the master branch, we actually build the container
+docker-master: docker
+
+# For all builds on the master branch with an rc tag
+docker-release: docker-master docker-login docker-push-tag
+
+.PHONY: docker-master docker-release
+
 #########################################
 # Debian
 #########################################
@@ -177,7 +242,6 @@ distclean: clean
 # Build statically compiled step binary for various operating systems
 #################################################
-OUTPUT_ROOT=output/
 BINARY_OUTPUT=$(OUTPUT_ROOT)binary/
 BUNDLE_MAKE=v=$v GOOS_OVERRIDE='GOOS=$(1) GOARCH=$(2)' PREFIX=$(3) make $(3)bin/$(BINNAME)
 RELEASE=./.travis-releases
@@ -234,7 +298,7 @@ artifacts-master:
 artifacts-release: artifacts-tag
 # This command is called by travis directly *after* a successful build
-artifacts: artifacts-$(PUSHTYPE)
+artifacts: artifacts-$(PUSHTYPE) docker-$(PUSHTYPE)
 .PHONY: artifacts-master artifacts-release artifacts
diff --git a/docker/Dockerfile.step-ca b/docker/Dockerfile.step-ca
new file mode 100644
index 00000000..ebf5ff96
--- /dev/null
+++ b/docker/Dockerfile.step-ca
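Review bot: `docker-login` hands the registry password to docker as a command-line argument (`-p="$(DOCKER_PASSWORD)"`), so it is visible to any process on the CI host through `ps` and is echoed verbatim in a `V=1` run; reading it from stdin avoids both: `echo "$$DOCKER_PASSWORD" | docker login -u "$$DOCKER_USERNAME" --password-stdin`, keeping the `$Q` prefix. The release chain is also not parallel-safe: `docker-tag` has no prerequisite on `docker` and `docker-push-tag` none on `docker-login`, so under `make -j` `docker-release` can tag a stale image or push before the login has completed; `docker-tag: docker` and `docker-push-tag: docker-tag docker-login` would pin the order. `DOCKER_MAKE` invokes a literal `make` for the nested build, which drops the jobserver and `-n`; that mirrors the existing `BUNDLE_MAKE`, but `$(MAKE)` is what both should use.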
@@ -0,0 +1,18 @@
+FROM smallstep/step-cli:0.0.2-rc.17
+
+ARG CFGPATH="docker/ca.json"
+ARG BINPATH="bin/step-ca"
+
+ENV PORT=8000
+ENV CONFIGPATH="/home/step/ca.json"
+ENV PWDPATH="/home/step/secrets/password"
+
+COPY $CFGPATH $CONFIGPATH
+COPY $BINPATH "/usr/local/bin/step-ca"
+
+EXPOSE $PORT
+VOLUME ["/home/step/.step/secrets"]
+VOLUME ["/home/step/secrets"]
+STOPSIGNAL SIGTERM
+
+CMD /bin/sh -c "/usr/local/bin/step-ca $CONFIGPATH --password-file=$PWDPATH"
diff --git a/docker/ca.json b/docker/ca.json
new file mode 100644
index 00000000..193e140c
--- /dev/null
+++ b/docker/ca.json
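Review bot: `EXPOSE $PORT` advertises 8000, but the `docker/ca.json` added in the same commit binds `"address": ":9000"`, so the port the image documents and the port the CA listens on disagree; either `ENV PORT=9000` or a matching `address` in the config would make them consistent. The shell-form `CMD /bin/sh -c "..."` also places a second shell in front of the binary, so the `STOPSIGNAL SIGTERM` may be delivered to that shell rather than to `step-ca` and a `docker stop` can end without a graceful shutdown; `CMD ["/bin/sh", "-c", "exec /usr/local/bin/step-ca $CONFIGPATH --password-file=$PWDPATH"]` keeps the variable expansion while making step-ca PID 1. Whether the base image sets a `WORKDIR` or a non-root `USER` is not visible here, and the `/home/step` paths assumed throughout depend on it, so that is worth confirming in a comment at the top of the file.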
@@ -0,0 +1,58 @@
+{
+ "root": "examples/pki/secrets/root_ca.crt",
+ "crt": "examples/pki/secrets/intermediate_ca.crt",
+ "key": "examples/pki/secrets/intermediate_ca_key",
+ "password": "password",
+ "address": ":9000",
+ "dnsNames": [
+ "localhost"
+ ],
+ "logger": {
+ "format": "text"
+ },
+ "authority": {
+ "provisioners": [
+ {
+ "name": "mariano@smallstep.com",
+ "type": "jwk",
+ "key": {
+ "use": "sig",
+ "kty": "EC",
+ "kid": "DmAtZt2EhmZr_iTJJ387fr4Md2NbzMXGdXQNW1UWPXk",
+ "crv": "P-256",
+ "alg": "ES256",
+ "x": "jXoO1j4CXxoTC32pNzkVC8l6k2LfP0k5ndhJZmcdVbk",
+ "y": "c3JDL4GTFxJWHa8EaHdMh4QgwMh64P2_AGWrD0ADXcI"
+ },
+ "encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiOTFVWjdzRGw3RlNXcldfX1I1NUh3USJ9.FcWtrBDNgrkA33G9Ll9sXh1cPF-3jVXeYe1FLmSDc_Q2PmfLOPvJOA.0ZoN32ayaRWnufJb.WrkffMmDLWiq1-2kn-w7-kVBGW12gjNCBHNHB1hyEdED0rWH1YWpKd8FjoOACdJyLhSn4kAS3Lw5AH7fvO27A48zzvoxZU5EgSm5HG9IjkIH-LBJ-v79ShkpmPylchgjkFhxa5epD11OIK4rFmI7s-0BCjmJokLR_DZBhDMw2khGnsr_MEOfAz9UnqXaQ4MIy8eT52xUpx68gpWFlz2YP3EqiYyNEv0PpjMtyP5lO2i8-p8BqvuJdus9H3fO5Dg-1KVto1wuqh4BQ2JKTauv60QAnM_4sdxRHku3F_nV64SCrZfDvnN2ve21raFROtyXaqHZhN6lyoPxDncy8v4.biaOblEe0N-gMpJyFZ-3-A"
+ },
+ {
+ "name": "mike@smallstep.com",
+ "type": "jwk",
+ "key": {
+ "use": "sig",
+ "kty": "EC",
+ "kid": "YYNxZ0rq0WsT2MlqLCWvgme3jszkmt99KjoGEJJwAKs",
+ "crv": "P-256",
+ "alg": "ES256",
+ "x": "LsI8nHBflc-mrCbRqhl8d3hSl5sYuSM1AbXBmRfznyg",
+ "y": "F99LoOvi7z-ZkumsgoHIhodP8q9brXe4bhF3szK-c_w"
+ },
+ "encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiVERQS2dzcEItTUR4ZDJxTGo0VlpwdyJ9.2_j0cZgTm2eFkZ-hrtr1hBIvLxN0w3TZhbX0Jrrq7vBMaywhgFcGTA.mCasZCbZJ-JT7vjA.bW052WDKSf_ueEXq1dyxLq0n3qXWRO-LXr7OzBLdUKWKSBGQrzqS5KJWqdUCPoMIHTqpwYvm-iD6uFlcxKBYxnsAG_hoq_V3icvvwNQQSd_q7Thxr2_KtPIDJWNuX1t5qXp11hkgb-8d5HO93CmN7xNDG89pzSUepT6RYXOZ483mP5fre9qzkfnrjx3oPROCnf3SnIVUvqk7fwfXuniNsg3NrNqncHYUQNReiq3e9I1R60w0ZQTvIReY7-zfiq7iPgVqmu5I7XGgFK4iBv0L7UOEora65b4hRWeLxg5t7OCfUqrS9yxAk8FdjFb9sEfjopWViPRepB0dYPH8dVI.fb6-7XWqp0j6CR9Li0NI-Q",
+ "claims": {
+ "minTLSCertDuration": "60s",
+ "defaultTLSCertDuration": "120s"
+ }
+ }
+ ]
+ },
+ "tls": {
+ "cipherSuites": [
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ ],
+ "minVersion": 1.2,
+ "maxVersion": 1.2,
+ "renegotiation": false
+}
\ No newline at end of file
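Review bot: The `root`, `crt` and `key` entries are relative paths under `examples/pki/secrets/`, but the Dockerfile in this commit copies only this config and the binary and declares volumes at `/home/step/.step/secrets` and `/home/step/secrets`, so inside the container these files will not resolve unless the working directory happens to contain that tree; pointing them at a path inside one of the declared volumes (or copying the example PKI into the image) would make the image self-consistent. `"password": "password"` is the plaintext decryption secret for the intermediate key, committed here and baked into the image layer by `COPY $CFGPATH $CONFIGPATH`; for the example PKI that is presumably intended, but since JSON cannot carry a comment, a line in the Dockerfile or Makefile stating that `docker/ca.json` is a demo configuration not to be reused as a template would make that explicit. The `encryptedKey` values are JWE blobs, so they are safe to commit only as long as their passphrases stay out of the repository.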