
Certificate and Identity Management with Step

Gian Lorenzetto, PhD
3 min read · Jan 14, 2021


I recently posted about setting up a secure connection between an AspNetCore API and a RabbitMQ service. As part of that, I needed to create certificates for local development using the tls-gen tools.

As an alternative to tls-gen, Anthony Attwood pointed me to the step cli, described on the website as

… an Open Source command-line tool for developers, operators, and security professionals to configure, operate, and automate the smallstep toolchain and open standard identity technologies.

Installing

On macOS, with Homebrew installed, installation is a one-liner (see here for other platforms):

> brew install step

What can step do?

There are numerous examples on the step website of what the cli can do. As a taster, to grab an OAuth bearer token from Google, open a terminal and type

> step oauth --header

This opens Google's sign-in page in your browser; once you have signed in and consented, the Authorization header is printed to the console:

Authorization: Bearer xxxaaazzz

On the website the same call is wrapped in a curl command to call a Google API, and the same trick works with any tool that accepts a header on the command line. Treat the printed token as a credential: anyone who has it can call the API as you until it expires, so keep it out of shell history and log files.

The full command reference is here and contains detailed help on all the cli commands and options.

But wait, there’s more!

The step cli covers most of what you need for certificate and identity management. Here are a few examples, but do check the website for the full documentation.

Create TLS certificates (including from Let’s Encrypt)

> step ca certificate foo.local foo.crt foo.key

Running the above command prompts you interactively (for example, to pick a provisioner and enter its password) and writes the certificate to foo.crt and the private key to foo.key. By default the step cli talks to a step-ca daemon (see here for the step-ca documentation), but since step is a full-fledged ACME client you can point it at any ACME server you like.

For example, to get a certificate from Let's Encrypt, point step at the production ACME directory:

> step ca certificate mydomain.com mydomain.com.crt mydomain.com.key --acme https://acme-v02.api.letsencrypt.org/directory

This only works for a domain you control that is publicly resolvable, because Let's Encrypt proves ownership with an ACME challenge before it issues anything. While you are experimenting, use the staging directory (https://acme-staging-v02.api.letsencrypt.org/directory) so that failed attempts do not eat into the production rate limits.

More documentation on this is here.

Inspect a certificate file

> step certificate inspect --short --bundle foo.crt

Neither --short nor --bundle is required: --short prints a one-line summary per certificate, and --bundle prints every certificate in the file rather than only the first, which matters when foo.crt carries its chain. For the raw dump, drop them both.

Inspect a website certificate

This is similar to the above, but instead of a local file you pass step the URL of the site whose certificate you want to see. It has to be an https URL, since step reads the certificate out of the TLS handshake. Keep in mind that this shows what the server presents, not whether your machine trusts it; for a self-signed or otherwise untrusted server, pass --insecure so that step fetches the certificate without verifying it.

> step certificate inspect --short --bundle {url}

For example,

> step certificate inspect --short --bundle https://google.com

prints the certificate chain that google.com presents.

Install root certificates

Once you have a root certificate, step can also add it to your system trust store, so that everything signed by it is trusted by the OS and by browsers that use that store:

> step certificate install root.crt

Only do this for a root you control, such as the root of your own step-ca: whoever holds that root's private key can issue certificates your machine will accept for any name. When you no longer need it, step certificate uninstall removes it again.
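To make the inspect-versus-trust distinction concrete, here is an added example in Go (my own code, not part of the original post or of the step project). It builds a constructed two-certificate bundle in memory, parses it the way step certificate inspect --bundle reads foo.crt, prints a --short style summary of each certificate, and then does what inspect deliberately does not: it verifies the leaf against a set of roots. An empty root set stands in for a machine that has not run step certificate install and fails with "certificate signed by unknown authority"; adding the root makes verification succeed, and a wrong hostname still fails. The CA name, the foo.local host and the 24-hour lifetime are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// NewTestBundle builds a constructed dev root CA plus a leaf for host and returns
// both PEM-encoded, leaf first, the layout foo.crt has when it carries its chain.
func NewTestBundle(host string, validFor time.Duration) ([]byte, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Dev Root CA"}, // assumed name
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(validFor),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, err
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, rootTmpl, &leafKey.PublicKey, rootKey) // signed by the root
	if err != nil {
		return nil, err
	}
	return append(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootDER})...), nil
}

// ParseBundle decodes every CERTIFICATE block in a PEM file, in file order, like --bundle.
func ParseBundle(pemBytes []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(pemBytes); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// Short summarises one certificate roughly the way --short output does.
func Short(c *x509.Certificate) string {
	return fmt.Sprintf("ca=%t subject=%q issuer=%q sans=%v notAfter=%s", c.IsCA,
		c.Subject.CommonName, c.Issuer.CommonName, c.DNSNames, c.NotAfter.Format("2006-01-02"))
}

// VerifyLeaf does what inspect does not: it checks that leaf chains to one of roots
// (the in-memory equivalent of the OS trust store) and is valid for host.
func VerifyLeaf(leaf *x509.Certificate, roots []*x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	bundle, err := NewTestBundle("foo.local", 24*time.Hour)
	if err != nil {
		panic(err)
	}
	certs, _ := ParseBundle(bundle) // built just above, so it parses
	fmt.Println(Short(certs[0]), "/", Short(certs[1]))
	fmt.Println("root not installed:", VerifyLeaf(certs[0], nil, "foo.local"))
	fmt.Println("root installed:", VerifyLeaf(certs[0], certs[1:], "foo.local"))
}
```

The point of VerifyLeaf is that a chain you can read is not a chain you can trust: the verdict depends entirely on which roots are in the pool, which is exactly what step certificate install changes on your machine.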

Inspect a JWT

This one is pretty cool: if you have a JWT, pass it straight to step and it decodes the header and the claims for you. Note what the --insecure switch means here (see here for details): inspect does not check the signature, so it shows you what the token claims, not whether those claims are genuine. Anyone can mint a token that inspects cleanly; to check that it was really issued under the key you trust and has not expired, use step crypto jwt verify instead.

> step crypto jwt inspect --insecure {JWT Token}
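As an added example of the difference between inspecting and verifying (my own Go, not code from the post or from the step project), the block below signs an HS256 token over constructed claims, decodes it the way step crypto jwt inspect --insecure does, and separately verifies it the way step crypto jwt verify would: pinning the algorithm, recomputing the MAC, comparing in constant time and only then trusting exp, iss and aud. Tamper shows why this matters: a token whose sub has been rewritten to admin inspects perfectly and fails verification. The key, issuer and audience are constructed for the example, and only HS256 is handled; step's verify also covers the asymmetric algorithms a CA like step-ca actually uses.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWTs use unpadded base64url

// Claims is the subset of registered claims this example checks.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

func mac(key []byte, signingInput string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(signingInput))
	return h.Sum(nil)
}

// Sign builds a compact HS256 JWT: base64url(header).base64url(claims).base64url(mac).
func Sign(claims Claims, key []byte) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	return signingInput + "." + b64.EncodeToString(mac(key, signingInput)), nil
}

// Inspect mirrors `step crypto jwt inspect --insecure`: decode header and claims, check nothing.
func Inspect(token string) (map[string]any, map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, nil, fmt.Errorf("not a compact JWT")
	}
	var decoded [2]map[string]any // [0] header, [1] claims
	for i := range decoded {
		raw, err := b64.DecodeString(parts[i])
		if err != nil {
			return nil, nil, err
		}
		if err := json.Unmarshal(raw, &decoded[i]); err != nil {
			return nil, nil, err
		}
	}
	return decoded[0], decoded[1], nil
}

// Verify is the `step crypto jwt verify` side: pin the algorithm, recompute the MAC,
// compare in constant time, and only then trust exp, iss and aud.
func Verify(token string, key []byte, iss, aud string, now time.Time) (Claims, error) {
	var c Claims
	header, _, err := Inspect(token)
	if err != nil {
		return c, err
	}
	if header["alg"] != "HS256" { // never let the token choose the algorithm
		return c, fmt.Errorf("unexpected alg %v", header["alg"])
	}
	parts := strings.Split(token, ".")
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac(key, parts[0]+"."+parts[1])) {
		return c, fmt.Errorf("invalid signature")
	}
	payload, _ := b64.DecodeString(parts[1]) // Inspect already decoded this successfully
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if now.Unix() >= c.Exp || c.Iss != iss || c.Aud != aud {
		return c, fmt.Errorf("claims rejected: exp=%d iss=%q aud=%q", c.Exp, c.Iss, c.Aud)
	}
	return c, nil
}

// Tamper swaps the claims without re-signing: all an attacker holding the token but not the key can do.
func Tamper(token string, claims Claims) string {
	parts := strings.Split(token, ".")
	payload, _ := json.Marshal(claims)
	parts[1] = b64.EncodeToString(payload)
	return strings.Join(parts, ".")
}

func main() {
	key, now := []byte("constructed-demo-key"), time.Now() // constructed key, only for this example
	tok, _ := Sign(Claims{Iss: "https://issuer.example", Sub: "alice", Aud: "api", Exp: now.Add(time.Hour).Unix()}, key)
	forged := Tamper(tok, Claims{Iss: "https://issuer.example", Sub: "admin", Aud: "api", Exp: now.Add(time.Hour).Unix()})
	for _, t := range []string{tok, forged} {
		_, claims, _ := Inspect(t)
		_, err := Verify(t, key, "https://issuer.example", "api", now)
		fmt.Printf("inspect says sub=%v; verify says %v\n", claims["sub"], err)
	}
}
```

Verify reads alg from the header only to reject anything other than the one algorithm it expects; the key, the algorithm and the accepted issuer and audience all come from the verifier's configuration, never from the token.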

Conclusion

There are plenty of tools for working with certificates, but step is a bit of a Swiss Army knife of identity management. Give it a go the next time you need to work with certificates!
