I recently set up a private CA, i.e. certificate authority, using Step CA. Here are a few things I learnt:
- Step CA generates the following at the start:
  - Root certificate and corresponding private key.
    - The former should be distributed to the client devices that need it.
    - The latter is super-secret and should ideally be kept offline.
  - Intermediate certificate and corresponding private key.
    - The latter is a secret but not super-secret, and is supposed to be kept online.
    - These two are used to generate the end certificates that services should use. These certificates will have a short expiry (such as 1 to 90 days).
    - If compromised, the intermediate pair can be thrown away and a new {certificate, private-key} pair can be generated using the root pair.
- The intermediate {certificate, private-key} pair generates the new certificates that are used by the service. On the client side, the chain of trust, all the way back to the root certificate, allows it to set up a proper TLS connection with the service.
Why Step CA and not regular X.509 certificates?
- The latter would be static, whereas the former creates short-lived certificates. Otherwise, both would have worked with Traefik, which is the reverse proxy I use.
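To make the root / intermediate / short-lived leaf arrangement concrete, here is an added Go example (Go being the language Step CA itself is written in) that builds that three-level hierarchy with only the standard-library `crypto/x509` package and then checks a leaf the way a TLS client would. It is not Step CA's own code and does not use Step CA's API; the function names (`NewRoot`, `NewIntermediate`, `NewLeaf`, `VerifyLeaf`, `IsExpired`), the hostname `svc.internal`, and the validity periods (10 years for the root, 5 for the intermediate, 24 hours for the leaf) are assumptions chosen for illustration. It also covers the "short-lived versus static" point above: the same leaf verifies one hour after issuance and is rejected as expired a day later, and a replacement intermediate issued from the root key is trusted by a client that holds nothing but the root certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// randomSerial returns a random 63-bit serial number; a CA must never reuse one.
func randomSerial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	if err != nil {
		panic(err)
	}
	return n
}

// issue generates a fresh P-256 key for tmpl and signs tmpl with parentKey.
// When parent is nil the certificate is self-signed, which is how the root is made.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate builds a CA template: CA=true with the given path length, key usage limited to signing certs and CRLs.
func caTemplate(cn string, now time.Time, validity time.Duration, maxPathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          randomSerial(),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now,
		NotAfter:              now.Add(validity),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            maxPathLen,
		MaxPathLenZero:        maxPathLen == 0,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// NewRoot is the offline, long-lived trust anchor (10 years is an assumed value).
// Its private key is used only to sign intermediates and otherwise stays offline.
func NewRoot(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(caTemplate("Example Root CA", now, 10*365*24*time.Hour, 1), nil, nil)
}

// NewIntermediate is the online signer. Path length 0 means it may sign leaves only,
// so a stolen intermediate key cannot be used to mint further CAs.
func NewIntermediate(root *x509.Certificate, rootKey *ecdsa.PrivateKey, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(caTemplate("Example Intermediate CA", now, 5*365*24*time.Hour, 0), root, rootKey)
}

// NewLeaf issues a short-lived TLS server certificate for dnsName from the intermediate.
func NewLeaf(inter *x509.Certificate, interKey *ecdsa.PrivateKey, dnsName string, now time.Time, validity time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: randomSerial(),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now,
		NotAfter:     now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return issue(tmpl, inter, interKey)
}

// VerifyLeaf does what a TLS client does: trust only the root it was given, take the
// intermediates from what the server presented, and check chain, hostname and validity at time at.
func VerifyLeaf(leaf, root *x509.Certificate, presented []*x509.Certificate, dnsName string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName, CurrentTime: at})
	return err
}

// IsExpired reports whether a verification failure is specifically a validity-period failure.
func IsExpired(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}
```

The client side never needs the intermediate in advance: it is sent by the server along with the leaf (Traefik does this when given the full chain), and the client only has to hold the root. That is also why rotating a compromised intermediate is cheap: issue a new one with the root key, reissue the leaves, and existing clients keep working unchanged, while leaves issued by the old intermediate stop verifying as soon as the old intermediate is no longer presented.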