diff --git a/step-ca/installation.mdx b/step-ca/installation.mdx index f9b5a124..6b370715 100644 --- a/step-ca/installation.mdx +++ b/step-ca/installation.mdx @@ -22,7 +22,7 @@ Learn how to to install the `step-ca` binary on your local machine. - [Winget Package](#winget-package) - [Scoop Package](#scoop-package) - [Linux Packages](#linux-packages-amd64) - - [Debian](#debian) + - [Debian/Ubuntu](#debian-ubuntu) - [Arch Linux](#arch-linux) - [RedHat](#redhat) - [Alpine Linux](#alpine-linux) @@ -81,7 +81,7 @@ To uninstall, run `scoop uninstall`, then remove the configuration directory `$H -#### Debian +#### Debian/Ubuntu To install `step`, download and install the Debian package for your platform from our [latest release](https://github.com/smallstep/cli/releases/latest): diff --git a/step-ca/provisioners.mdx b/step-ca/provisioners.mdx index 88eb746f..0ad0bc9f 100644 --- a/step-ca/provisioners.mdx +++ b/step-ca/provisioners.mdx @@ -482,7 +482,7 @@ To remove this key: Sometimes it's useful to issue certificates to people. So `step-ca` supports single sign-on with identity providers (IdPs) like Google, Okta, Azure Active Directory, Keycloak, -or any other provider that supports OAuth's [OpenID Connect extension](https://openid.net/connect/).. +or any other provider that supports OAuth's [OpenID Connect extension](https://openid.net/connect/). OpenID Connect is an extension to OAuth 2.0 that adds an identity layer. Providers that support OIDC can issue identity tokens ("ID tokens") to OAuth clients. 
@@ -621,9 +621,11 @@ see the [claims](configuration.mdx#claims) section for all the options. #### Browserless Console Mode -Sometimes it's helpful to use OAuth in an input-constrained environment where a web browser is not available. -The Device Authorization Grant flow is an OAuth 2.0 extension designed for this scenario. -The `step-ca` OIDC provisioner supports the Device Authorization Grant flow. +For OpenID Connect, by default, `step` opens a web browser to run the Authorization Code flow with PKCE. + +Sometimes it's helpful to use OAuth in an input-constrained environment where no web browser is available. +The Device Authorization Grant flow (aka "Device Flow") is an OAuth 2.0 extension designed for this scenario. +The `step` client supports the Device Authorization Grant flow. To use the Device Authorization Grant flow for input-constrained devices, run: @@ -631,11 +633,10 @@ To use the Device Authorization Grant flow for input-constrained devices, run: $ step ca certificate foo foo.crt foo.key --console ``` -To specify a flow other than the default (for example Google's deprecated Out of Band flow), run: +or ```shell-session -$ STEP_CONSOLE_FLOW=oob step ca certificate foo foo.crt foo.key --console -``` +$ STEP_CONSOLE=true step ssh certificate carl carl.crt #### Notes 
@@ -872,16 +873,22 @@ The ACME provisioner in `step-ca` supports issuing X.509 certificates using IP, Add an ACME provisioner: ```shell -step ca provisioner add acme --type ACME +step ca provisioner add acme-example --type ACME ``` -An example of an ACME provisioner in the `ca.json`: +This will add an ACME server to step-ca. +ACME clients are commonly configured with an **ACME directory URL**. +If your CA is hosted at `ca.internal`, and you run the above command, your ACME server directory URL will be `https://ca.internal/acme/acme-example/directory`. + +To configure popular ACME clients to use `step-ca`, see [our tutorial on the subject](https://smallstep.com/docs/tutorials/acme-protocol-acme-clients/). + +Here's an example of an ACME provisioner configuration in `ca.json`: ```json ... { "type": "ACME", - "name": "acme", + "name": "acme-example", "forceCN": true, "claims": { "maxTLSCertDuration": "8h", @@ -972,6 +979,7 @@ step ca provisioner add acme-da \ In your Apple MDM profile, you will need: * A [`CertificateRoot`](https://developer.apple.com/documentation/devicemanagement/certificateroot) payload, containing your root CA certificate PEM block, so that it's trusted by the device. * An [`ACMECertificate`](https://developer.apple.com/documentation/devicemanagement/acmecertificate) payload. For this one, set the `ClientIdentifier` to the UDID or serial number of the device. +* Set `HardwareBound` to `true` ##### Device Attestation for YubiKeys diff --git a/step-cli/installation.mdx b/step-cli/installation.mdx index 6d5f2b91..b76bc274 100644 --- a/step-cli/installation.mdx +++ b/step-cli/installation.mdx @@ -21,7 +21,7 @@ It's trivial to install the `step` binary on your local machine. - [macOS](#macos) - [Linux Packages](#linux-packages-amd64) - - [Debian](#debian-linux) + - [Debian](#debian-ubuntu) - [Arch Linux](#arch-linux) - [RedHat](#redhat) - [Alpine Linux](#alpine-linux) 
@@ -43,7 +43,7 @@ To uninstall, run `brew uninstall step` and remove the `$HOME/.step` configurati ### Linux Packages (amd64) -#### Debian Linux +#### Debian/Ubuntu Download and install the Debian package from our [latest release](https://github.com/smallstep/cli/releases/latest):
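Review bot: the `@@ -81` hunk in `step-ca/installation.mdx` renames the heading to "Debian/Ubuntu" correctly, but the unchanged line right under it still reads "To install `step`, download and install the Debian package ... from our [latest release](https://github.com/smallstep/cli/releases/latest)", which is the `step` CLI release page rather than `step-ca`. Since this is the `step-ca` installation page, please check that the sentence and the release link point at the `step-ca` package while the section is being touched.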
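Review bot: the `@@ -631` hunk in `step-ca/provisioners.mdx` leaves the second code block unterminated. The hunk removes both `$ STEP_CONSOLE_FLOW=oob ...` and the closing "```" line, then adds `$ STEP_CONSOLE=true step ssh certificate carl carl.crt` inside the still-open "```shell-session" fence, so everything from there through "#### Notes" will render as code. Add the closing fence back after the new command. While there, the bare "or" line between the two fences reads oddly as a sentence; something like "or, equivalently, via the environment variable:" would make it clear that `STEP_CONSOLE=true` is an alternative to the `--console` flag.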
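Review bot: in the `@@ -872` hunk of `step-ca/provisioners.mdx`, the sentence "If your CA is hosted at `ca.internal` ... your ACME server directory URL will be `https://ca.internal/acme/acme-example/directory`" silently assumes the CA listens on 443; readers running `step-ca` on another port will copy a directory URL that fails. Phrase it as "hosted at `ca.internal` on port 443 (otherwise include the port, e.g. `https://ca.internal:9000/acme/acme-example/directory`)" or state that the host and port are whatever `step-ca` is configured to listen on. Also a style point: the tutorial link uses the absolute `https://smallstep.com/docs/tutorials/acme-protocol-acme-clients/` while the rest of this file uses relative `.mdx` links (e.g. `configuration.mdx#claims`); a relative link keeps the docs working across branches and local previews.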
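Review bot: the `@@ -972` hunk in `step-ca/provisioners.mdx` adds "* Set `HardwareBound` to `true`" as a third top-level bullet, parallel to the two payload bullets, but `HardwareBound` is a key inside the `ACMECertificate` payload, not a separate payload. Fold it into the preceding bullet ("For this one, set the `ClientIdentifier` to the UDID or serial number of the device and set `HardwareBound` to `true`") so the list stays one item per payload and the reader knows where the key goes. A short clause on why (the key is then generated and held on the device's secure hardware and is what the attestation vouches for) would also help here, since the surrounding section is about device attestation.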
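Review bot: the `@@ -21` hunk in `step-cli/installation.mdx` updates the anchor to `#debian-ubuntu` but leaves the link text as "Debian", while the matching `@@ -43` hunk below renames the heading to "Debian/Ubuntu" and the equivalent TOC entry in `step-ca/installation.mdx` (the `@@ -22` hunk) was changed to `- [Debian/Ubuntu](#debian-ubuntu)`. Make the CLI page's TOC entry read `- [Debian/Ubuntu](#debian-ubuntu)` too so the two pages and their headings stay consistent.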