Certificate and Identity Management with Step
I recently posted about setting up a secure connection between an AspNetCore API and a RabbitMQ service. As part of that, I needed to create certificates for local development using the tls-gen tools.
As an alternative to tls-gen, Anthony Attwood pointed me to the step cli, described on the website as
… an Open Source command-line tool for developers, operators, and security professionals to configure, operate, and automate the smallstep toolchain and open standard identity technologies.
Installing
On macOS, with brew installed, installation is a one-liner (see here for other platforms) —
> brew install step
What can step do?
There are numerous examples on the step website of what the cli can do, but as an example, to grab an OAuth Bearer token for Google, just open a terminal and type —
> step auth --header
This will open the Google Identity provider, allowing you to sign in and, if successful, you’ll see the Authorisation header dumped to the console —
Authorization: Bearer xxxaaazzz
In the example on the website, the above call is then wrapped into a curl call to access a Google API — the scripting possibilities are pretty much endless.
The full command reference is here and contains detailed help on all the cli commands and options.
But wait, there’s more!
The step cli can do pretty much everything you need with regards to certificate and identity management. Here are a few examples, but do check out the website for the full documentation.
Create TLS certificates (including from Let’s Encrypt)
> step ca certificate foo.local foo.crt foo.key
Running the above command will start an interactive prompt to help you configure the certificate for your needs. By default, the step cli will talk to a step-ca daemon (see here for step-ca documentation). But since step is a full-fledged ACME client, you can point it to any ACME server of your choice.
For example, to create a certificate from Let’s Encrypt, you can use the following command —
> step ca certificate mydomain.com mydomain.com.crt mydomain.com.key --acme https://acme-v02.api.letsencrypt.org/directory
More documentation on this is here.
Inspect a certificate file
> step certificate inspect --short --bundle foo.crt
Note that the --short and --bundle flags aren’t necessary, but the output is a little more digestible. For the raw dump, just remove them.
Inspect a website certificate
This is similar to above, but rather than a local file, you can just pass step the URL of the website you want to pull the certificate from (note: it needs to be an SSL-encrypted site, obviously :D)
> step certificate inspect --short --bundle {url}
For example,
> step certificate inspect --short --bundle https://google.com
will dump the Google certificate information.
Install root certificates
Once you have your certificates, step also helps you install them —
> step certificate install root.crt
Inspect a JWT
This one is pretty cool — if you have a JWT token, you pass it directly to step and it will validate the content and allow you to inspect the properties (that --insecure switch is needed, see here for details)
> step crypto jwt inspect --insecure {JWT Token}
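To show what an --insecure style inspection actually gives you, here is an added example (my own Python, not code from the step project): it decodes a constructed HS256 token without checking the signature, the way the inspect command does when no key is supplied, and contrasts that with a real HMAC check. The key and claims are made-up demo values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for the example; not a real credential.
DEMO_KEY = b"local-dev-secret"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_jwt(payload: dict, key: bytes) -> str:
    """Build an HS256 token so the example has a realistic input to inspect."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def inspect_insecure(token: str) -> dict:
    """Decode header and claims WITHOUT checking the signature.
    This is all an unverified inspection can tell you: readable, not trustworthy."""
    header_b64, payload_b64, _sig = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
    }


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the HMAC over header.payload and compare in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def with_replaced_claims(token: str, new_payload: dict) -> str:
    """Swap the claims but keep the old signature: decodes fine, fails verification."""
    header_b64, _payload_b64, sig_b64 = token.split(".")
    payload_b64 = b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{sig_b64}"
```

The point for day-to-day use: treat what an unverified inspect prints as a view of the bytes, and only trust the claims once something has checked the signature against the issuer's key.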
Conclusion
There are plenty of different tools for working with certificates, but step is certainly a bit of a swiss army knife of identity management. Give it a go the next time you need to work with certificates!