58 lines
1.6 KiB
Markdown
58 lines
1.6 KiB
Markdown
# Distribution du Root CA Step-CA
|
|
|
|
Ce guide explique comment installer le certificat racine Step-CA sur tous les appareils pour que TLS fonctionne avec la PKI interne.
|
|
|
|
---
|
|
|
|
## Pré-requis
|
|
|
|
- Le certificat racine est récupéré depuis `step_ca_primary` (pi1) : `/home/step/.step/certs/root_ca.crt`
|
|
- Les machines cibles sont :
|
|
- pi1, pi2, pi3 (Raspbian / Debian)
|
|
- localhost (Mac)
|
|
|
|
---
|
|
|
|
## 1. Copier le certificat sur les RPi
|
|
|
|
```bash
|
|
scp pi1:/home/step/.step/certs/root_ca.crt /tmp/root_ca.crt
|
|
````
|
|
|
|
Puis sur chaque Pi (idempotent) :
|
|
```bash
|
|
for pi in pi1 pi2 pi3
|
|
do
|
|
ssh $pi "sudo cp /home/step/.step/certs/root_ca.crt /usr/local/share/ca-certificates/arcodange-root.crt && sudo chmod 644 /usr/local/share/ca-certificates/arcodange-root.crt && sudo update-ca-certificates"
|
|
ssh $pi 'sudo apt install -y libnss3-tools && certutil -d sql:/home/pi/.pki/nssdb -A -t "C,," -n "arcodange-root" -i /usr/local/share/ca-certificates/arcodange-root.crt'
|
|
done
|
|
```
|
|
|
|
Vérification rapide sur chaque Pi :
|
|
```bash
|
|
ssh pi1 "sudo openssl verify /usr/local/share/ca-certificates/arcodange-root.crt"
|
|
ssh pi2 "sudo openssl verify /usr/local/share/ca-certificates/arcodange-root.crt"
|
|
ssh pi3 "sudo openssl verify /usr/local/share/ca-certificates/arcodange-root.crt"
|
|
```
|
|
|
|
---
|
|
|
|
## 2. Copier le certificat sur Mac (localhost)
|
|
|
|
```bash
|
|
scp pi1:/home/step/.step/certs/root_ca.crt /tmp/root_ca.crt
|
|
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/root_ca.crt
|
|
```
|
|
|
|
Vérification :
|
|
```bash
|
|
security verify-cert -c /tmp/root_ca.crt
|
|
```
|
|
|
|
---
|
|
|
|
## 3. Redémarrer les services TLS si nécessaire
|
|
|
|
Sur les RPi (optionnel, si vous utilisez Docker, containerd ou k3s) :
|
|
|
|
```bash |