mTLS using Step CA and Traefik
I self-host Step CA alongside Traefik in my home environment. Last weekend, I tried setting up mTLS using the two for additional security.
Helpful commands:
# I got the certificate fingerprint by running the following inside the Step CA Docker container:
step certificate fingerprint certs/root_ca.crt
# Bootstrap the Step CA CLI on my macOS machine (a different device from the one that hosts the CA):
step ca bootstrap \
--ca-url https://web-server.lan:9000 \
--fingerprint=foo
# Generate a new client certificate. There is a command to list provisioners inside the Step CA container.
# (The comment must not sit after the trailing backslash: a `\ # ...` ends the command early and
# the following `--not-after` line would be run on its own.)
step ca certificate \
ketan-ios ketan-ios.crt ketan-ios.key \
--ca-url=https://web-server.lan:9000 \
--provisioner='admin' \
--not-after=87600h
# Convert the client cert and key into a file format that can be imported into an iOS device.
step certificate p12 ketan-ios.p12 ketan-ios.crt ketan-ios.key
With all this, I was able to connect through curl:
curl --cert ketan-ios.crt --key ketan-ios.key https://foo
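As an added example that is not part of the original post, here are the checks a practitioner would run on Step CA's output before trusting it: compute the root fingerprint to compare against the out-of-band value passed to `step ca bootstrap --fingerprint`, confirm the client certificate chains to the root and is acceptable for TLS client authentication, and check how long it stays valid. It assumes openssl is installed and generates a constructed root and client certificate in place of certs/root_ca.crt and ketan-ios.crt.

```shell
#!/bin/sh
# Added example, not from the original post: checks to run on Step CA output.
# Assumes openssl is installed. The root CA and client certificate below are
# constructed here as stand-ins for certs/root_ca.crt and ketan-ios.crt.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: a self-signed root and a client cert carrying the
# clientAuth EKU, in place of what `step ca certificate` would issue.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Constructed Root CA" \
    -keyout "$WORK/root_ca.key" -out "$WORK/root_ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ketan-ios" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/root_ca.crt" -CAkey "$WORK/root_ca.key" \
    -CAcreateserial -days 3650 -extfile "$WORK/client.ext" -out "$WORK/client.crt" 2>/dev/null
}

# SHA-256 over the DER encoding as lowercase hex: the value that
# `step certificate fingerprint certs/root_ca.crt` prints.
fingerprint_sha256() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if the root CA file matches the fingerprint obtained out of
# band, i.e. the value you would pass to `step ca bootstrap --fingerprint`.
check_fingerprint() {
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ':')
  [ "$(fingerprint_sha256 "$1")" = "$expected" ]
}

# Succeeds if the client cert chains to the root and is usable for TLS client auth
# (the check a server requiring mTLS performs on the presented certificate).
verify_client_cert() {
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# Succeeds if the certificate remains valid for at least $2 more days.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

if [ "${1:-}" = "demo" ]; then
  make_test_pki
  fp=$(fingerprint_sha256 "$WORK/root_ca.crt")
  echo "root fingerprint: $fp"
  check_fingerprint "$WORK/root_ca.crt" "$fp" && echo "fingerprint matches"
  verify_client_cert "$WORK/root_ca.crt" "$WORK/client.crt" && echo "client cert chains to root"
fi
```

Run it as `sh check.sh demo` to see the constructed run; point the functions at the real certs/root_ca.crt and ketan-ios.crt to check your own material.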