diff --git a/posts/internalca/index.md b/posts/internalca/index.md index 12efbde..533208e 100644 --- a/posts/internalca/index.md +++ b/posts/internalca/index.md @@ -16,14 +16,14 @@ That's it. And since I have friends that like to do very smart pranks involving MITM attacks, I want to protect myself (and my passwords, as long as they might be) from them...... -Ok I may be the "friend" that play these pranks but I always ask for their consent! +Ok I may be the "friend" that does these pranks but I always ask for their consent! Jokes aside, we will use [step-ca](https://smallstep.com/docs/step-ca) as it's lightweight, easy to deploy and it just works. ## Machine I have deployed my instance on a separate LXC on proxmox: -- OS: Debian (I used Buster but chose what you want) +- OS: Debian - CPU: 1 - RAM: 2G (Might be overkill, but I have loads of RAM) - Storage: 15 GB (Bit too much, but I don't care) @@ -46,7 +46,7 @@ wget https://dl.step.sm/gh-release/certificates/gh-release-header/v0.21.0/step-c sudo dpkg -i step-ca_0.21.0_amd64.deb ``` -`step-ca` can be setup as a systemd service, but instead of copy pasting their instructions like a moron, I'll just tell you to follow them [here](https://smallstep.com/docs/step-ca/certificate-authority-server-production#running-step-ca-as-a-daemon). +`step-ca` can be setup as a systemd service, but instead of copy-pasting their instructions like a moron, I'll just tell you to follow them [here](https://smallstep.com/docs/step-ca/certificate-authority-server-production#running-step-ca-as-a-daemon). There are a lot of steps so please be sure to read the instructions carefully. ## Configuration 
@@ -57,15 +57,15 @@ You might want to continue reading this though as we'll see how to setup the ACM ### ACME server ? -Come on, you've probably already heard about that; ever heard of _Let's Encrypt_ ? Maybe their _certbot_ script ? Well, it can requests certs as an ACME client. +Come on, I'm pretty sure that you've already heard about it; does _Let's Encrypt_ ring any bell ? Maybe their _certbot_ script ? Well, it can request certs as an ACME client. If you love reading documentations, go ahead and do so [here](https://letsencrypt.org/docs/client-options/). -TLDR: deploying an ACME server on you CA will allow you to requests cetrificates for your local services using scripts like certbot or even [Traefik](https://traefik.io/) (and we'll even talk about this later on). +**TLDR**: deploying an ACME server on your CA will allow you to request certificates for your local services using `certbot` or [Traefik](https://traefik.io/) (and we'll even talk about this later on) for example. ### I'm sold, show me the magic I knew you'd like it! -Setting up the server isn't that hard, you'll need to add an ACME provisionner: +Setting up the server isn't hard at all, you'll just need to add an ACME provisionner: ```sh step ca provisioner add acme --type ACME ``` @@ -78,7 +78,7 @@ You can try to request a certificate from your ACME server with: ```sh step ca certificate --provisioner acme ``` -Please note that this last command might not work if you already have a service listening on port 80 as the `step` command. +Please note that this last command might not work if you already have a service listening on port 80 as it launches a web server. ## Actual usage
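Review bot: on the first hunk (`@@ -16,14`), trimming `- OS: Debian (I used Buster but chose what you want)` down to `- OS: Debian` removes the only statement of which Debian release these steps were actually run on, so readers on a newer release can no longer tell whether the `step-ca_0.21.0_amd64.deb` package installed later in the post was validated there; keep the release while fixing the typo, e.g. `- OS: Debian (tested on Buster; pick whichever release you want)`.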
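Review bot: on the second hunk (`@@ -46,7`), the changed line still reads `can be setup as a systemd service`; as a verb this should be `can be set up`, in keeping with the `copy-pasting` fix made on the same line. Since the surrounding context pins `v0.21.0` in both the `wget` URL and the `dpkg -i` line, a short sentence noting that this was the current release at the time of writing and that newer packages are on the linked release page would stop the instructions going stale.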
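Review bot: on the third hunk (`@@ -57,15`), `provisionner` on the changed line is still misspelled and disagrees with the `step ca provisioner add acme --type ACME` command directly below it, which uses the CLI's own spelling `provisioner`. The same hunk also leaves `ring any bell ?` and `script ?` with French-style spaces before the question mark (`ring a bell?` is the idiom), `documentations` should be `documentation`, and the `for example` tacked onto the end of the TLDR after the parenthesis reads oddly; moving it next to the tools it qualifies (`using `certbot` or [Traefik](https://traefik.io/), for example`) keeps the parenthetical aside at the end.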
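Review bot: on the fourth hunk (`@@ -78,7`), `as it launches a web server` is a clear improvement over the truncated sentence it replaces, but it still does not say why a web server is needed: the ACME provisioner validates the request with an HTTP-01 challenge, which the client answers by serving the challenge token on port 80 of the requested name. Spelling that out tells readers both what the prerequisite is (the CA must be able to reach the requesting host on port 80 under the requested name) and which fix applies when that port is already taken (free the port for the duration of the request, or use a challenge type that does not need it).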