Smallstep Certificate Manager Basic Certificate Operations

In this documentation, we will explore basic certificate operations using the step command-line tool. step acts as a front-end interface to Certificate Manager and is used for many common crypto and X.509 operations. This tutorial covers:

  1. Creating a certificate
  2. Inspecting a certificate
  3. Renewing a certificate
  4. Revoking a certificate

Before you begin

This tutorial assumes you have created a Smallstep Team and a Certificate Manager Authority using the steps in Getting Started.

Step 1 - Create a test certificate

With an Authority created and your local client configured, you can create a test certificate by running the step ca certificate command. Here is an example:

$ step ca certificate myservice myservice.crt myservice.key --san myservice.internal.mycompany.net --not-after 24h

In this command, we are asking the CA to create a certificate with the following properties:

  • myservice - The certificate's subject
  • myservice.crt - Save the certificate in a file with this name
  • myservice.key - Save the key in a file with this name
  • --san myservice.internal.mycompany.net - Add an additional SAN to the certificate, with the specified value
  • --not-after 24h - Set the certificate to expire after 24 hours

When you run this command, it will invoke the authority-admin provisioner and start a single sign-on flow via the Smallstep dashboard. After a successful sign-in, the authority will issue the certificate.

Step 2 - Inspect a test certificate

You can inspect your certificate by running:

$ step certificate inspect --short myservice.crt

It should look similar to this:

X.509v3 TLS Certificate (ECDSA P-256) [Serial: 2441...2018]
  Subject:     myservice
               admin@yourco.com
               https://auth.smallstep.com#98496ed4-7f27-4367-b7a2-ef828e0a4eda
  Issuer:      Dev Intermediate CA
  Provisioner: authority-admin [ID: 909d...8521]
  Valid from:  2021-10-04T21:30:12Z
          to:  2021-10-05T21:31:12Z

Step 3 - Renew a certificate

Certificates expire. Certificate Manager makes renewing a certificate ahead of expiration easy. Renewals are authenticated with your existing certificate (the client presents it over mutual TLS to the CA) and produce a certificate with the same subject, SANs, and public key, but a new serial number and a new validity period. The private key is unchanged.

In its simplest form, renewal is a single command:

$ step ca renew myservice.crt myservice.key

step ca renew also takes flags that make it easy to integrate into almost any operational environment: --daemon runs it as a background renewer, --expires-in renews only when the certificate is within a given time of expiry, and --exec runs a command (for example, a service reload) after a successful renewal.

Inspect your certificate again, and you will see it has an extended lifetime.

$ step certificate inspect --short myservice.crt
X.509v3 TLS Certificate (ECDSA P-256) [Serial: 2441...2018]
  Subject:     myservice
               admin@yourco.com
               https://auth.smallstep.com#98496ed4-7f27-4367-b7a2-ef828e0a4eda
  Issuer:      Dev Intermediate CA
  Provisioner: authority-admin [ID: 909d...8521]
  Valid from:  2021-10-04T21:32:34Z
          to:  2021-10-05T21:33:34Z

Step 4 - Revoke a certificate

Certificate Manager DevOps Authorities use passive revocation and short-lived certificates by default. Passively revoking a certificate means blocking its renewal at the CA; the certificate itself remains valid until it expires.

Passive revocation eliminates the complexity, network overhead, and client latency of running a Certificate Revocation List (CRL) and the Online Certificate Status Protocol (OCSP), which are required for active revocation. The tradeoff is that a passively revoked certificate is not invalidated immediately: relying parties continue to accept it until its not-after time, so the revocation only takes effect once the remaining lifetime has elapsed.

Passive revocation is a good fit for many internal PKIs. With this model, certificates should have short lifetimes so that an exfiltrated key stays useful to an attacker for at most the remaining validity period. Short-lived certificates also encourage certificate automation and on-demand workflows.

If your security model demands active revocation, Certificate Manager Advanced Authorities support CRL and OCSP. Advanced Authorities use a pull model to implement OCSP and CRL: A revocation service periodically queries the CA for revoked certificates and builds a CRL, which is signed and shipped to a cloud bucket. OCSP responses are built, signed, and served on-demand.

Whether you're using passive or active revocation, the process for revoking a certificate is the same.

To revoke a certificate, run the following operation.

$ step ca revoke --cert=myservice.crt --key=myservice.key
✔ CA: https://your.authority.ca.smallstep.com
Certificate with Serial Number 215963883671773554731824269659406308792 has been revoked.

The certificate remains valid until it expires; after that it can no longer be used, and because renewal is now blocked at the CA, an attempt to renew it fails:

$ step ca renew myservice.crt myservice.key
error renewing certificate: The request lacked necessary authorization to be completed. Please see the certificate authority logs for more info.
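The following Python script is an added example for Steps 2, 3 and 4; it is not part of the Smallstep documentation or of the step CLI. It parses the `step certificate inspect --short` output shown in Step 2 (embedded here as a constructed sample), decides whether a renewal is due using the two-thirds-of-lifetime point that step's renewal daemon uses by default, and computes the window during which a passively revoked certificate is still accepted by relying parties. The file name certops.py and the function names are the example's own; when run with a certificate path and `step` on PATH, it shells out to the real CLI, otherwise it uses the sample.

```python
import re
import shutil
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample input: the `step certificate inspect --short` output
# shown in Step 2 above, embedded so the script runs without a CA.
SAMPLE = """\
X.509v3 TLS Certificate (ECDSA P-256) [Serial: 2441...2018]
  Subject:     myservice
               admin@yourco.com
               https://auth.smallstep.com#98496ed4-7f27-4367-b7a2-ef828e0a4eda
  Issuer:      Dev Intermediate CA
  Provisioner: authority-admin [ID: 909d...8521]
  Valid from:  2021-10-04T21:30:12Z
          to:  2021-10-05T21:31:12Z
"""

# step's renewal daemon renews at two thirds of the certificate lifetime by default.
DEFAULT_RENEW_FRACTION = 2 / 3


@dataclass
class CertSummary:
    serial: str
    subject: str
    alt_names: list          # extra names printed under Subject (the SANs)
    issuer: str
    provisioner: str
    not_before: datetime
    not_after: datetime


def _parse_ts(value):
    """Parse the RFC 3339 UTC timestamps step prints, e.g. 2021-10-04T21:30:12Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_inspect_short(text):
    """Parse `step certificate inspect --short` output into a CertSummary."""
    field_re = re.compile(r"^\s*(Subject|Issuer|Provisioner|Valid from|to):\s+(.*)$")
    fields, alt_names, current = {}, [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = field_re.match(line)
        if m:
            current = m.group(1)
            fields[current] = m.group(2).strip()
        elif current == "Subject" and line.startswith(" "):
            alt_names.append(line.strip())          # indented continuation = SAN
        elif (s := re.search(r"\[Serial:\s*([^\]]+)\]", line)):
            fields["Serial"] = s.group(1).strip()   # header line carries the serial
    missing = {"Serial", "Subject", "Issuer", "Valid from", "to"} - set(fields)
    if missing:
        raise ValueError(f"inspect output missing fields: {sorted(missing)}")
    return CertSummary(
        serial=fields["Serial"], subject=fields["Subject"], alt_names=alt_names,
        issuer=fields["Issuer"], provisioner=fields.get("Provisioner", ""),
        not_before=_parse_ts(fields["Valid from"]), not_after=_parse_ts(fields["to"]),
    )


def lifetime(cert):
    return cert.not_after - cert.not_before


def renewal_due(cert, now, fraction=DEFAULT_RENEW_FRACTION):
    """True once `fraction` of the lifetime has elapsed (or the cert has expired)."""
    return now >= cert.not_before + lifetime(cert) * fraction


def seconds_until_expiry(cert, now):
    return max(int((cert.not_after - now).total_seconds()), 0)


def exposure_after_revocation(cert, revoked_at):
    """With passive revocation the CA only blocks renewal, so relying parties keep
    accepting the certificate until not_after. Returns that remaining window."""
    return max(cert.not_after - revoked_at, timedelta(0))


def inspect_with_step(path):
    """Run the real CLI on a certificate file; requires `step` on PATH."""
    out = subprocess.run(["step", "certificate", "inspect", "--short", path],
                         check=True, capture_output=True, text=True).stdout
    return parse_inspect_short(out)


if __name__ == "__main__":
    # Usage: python certops.py [myservice.crt]; falls back to the embedded sample.
    if len(sys.argv) > 1 and shutil.which("step"):
        cert = inspect_with_step(sys.argv[1])
    else:
        cert = parse_inspect_short(SAMPLE)
    now = datetime.now(timezone.utc)
    print(f"{cert.subject} issued by {cert.issuer}, lifetime {lifetime(cert)}")
    print(f"renewal due now: {renewal_due(cert, now)}, "
          f"expires in {seconds_until_expiry(cert, now)}s")
    print(f"if revoked now, still accepted for: {exposure_after_revocation(cert, now)}")
```

Two things the sample makes visible: the lifetime parses as 24 hours plus one minute, because the CA backdates not-before slightly to absorb clock skew, and a 24-hour certificate revoked right after issuance is still accepted for almost a full day, which is exactly the exposure that short lifetimes are meant to bound. For production automation you do not need this script's decision logic; `step certificate needs-renewal myservice.crt` exits 0 when renewal is due, and `step ca renew --daemon` handles the schedule itself.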

Next Steps

  • You've now mastered the art of basic certificate operations. It's time to explore customizing certificates.
  • Ready to dive into a specific technology? Check out our practical zero trust project. It provides step-by-step instructions for configuring TLS for popular technologies in Linux, Docker, and Kubernetes.