step-ca configuration
The step-ca is the core component of the Anapaya SCION CA. It is configured as a systemd service and provides the main certificate authority functionality. Consult the step-ca documentation for more details on its configuration and usage that go beyond the scope of this document.
Use the quick reference to get an overview of important files and commands.
Configuration
The step-ca configuration is primarily managed through the /etc/scion-ca/step/config/ca.json file. However, during the installation process, remote provisioner management is enabled, which moves the provisioner configuration into the database instead of keeping it in the file. This allows running multiple step-ca instances without needing to synchronize the configuration file across them.
The step-ca-rotator service is responsible for managing parts of the configuration file. In particular, fields related to the intermediate CA certificate and the key are updated by the step-ca-rotator. The step-ca-rotator informs the step-ca about configuration changes by sending a SIGHUP signal. The relevant fields are:

- `crt`: The path to the intermediate CA certificate file. The step-ca-rotator simply replaces the file with the new certificate. It does not modify the `crt` field in the configuration file.
- `key`: The resource identifier of the intermediate CA key in Cloud KMS. The step-ca-rotator updates this field with the new key version after a successful rotation.
For a more detailed explanation of the step-ca configuration, refer to the step-ca documentation. To learn more about configuring Cloud KMS, refer to the cryptographic protection documentation.
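The following is an added example, not code from Anapaya or from the step-ca project, that models the edit described above: after a key rotation, the `key` field of ca.json is advanced to the new Cloud KMS key version, the file is replaced atomically, step-ca is told to reload with SIGHUP, and a post-check confirms the config names the new key and the `crt` file exists. The sample ca.json, the paths and the `rotate_key_field`/`check_after_rotation` helpers are constructed for the example; the Cloud KMS resource-name layout is assumed to be `projects/.../cryptoKeys/.../cryptoKeyVersions/N`.

```python
"""Added example (not Anapaya's or step-ca's own code): the ca.json `key`
update a rotator performs after a Cloud KMS rotation, the SIGHUP reload,
and a post-rotation consistency check. Sample config and paths are
constructed; the Cloud KMS resource-name layout is an assumption."""
import json
import os
import re
import signal
import tempfile

# Assumed Cloud KMS key-version resource layout.
KMS_VERSION_RE = re.compile(
    r"^(?P<key>projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+)"
    r"/cryptoKeyVersions/(?P<version>\d+)$"
)

# Constructed stand-in for /etc/scion-ca/step/config/ca.json (not a real file).
SAMPLE_CA_JSON = {
    "root": "/etc/scion-ca/step/certs/root_ca.crt",
    "crt": "/etc/scion-ca/step/certs/intermediate_ca.crt",
    "key": "projects/example/locations/europe-west6/keyRings/scion-ca"
           "/cryptoKeys/intermediate/cryptoKeyVersions/3",
    "kms": {"type": "cloudkms"},
    "address": ":443",
    "authority": {"provisioners": []},
}


def parse_key_version(resource):
    """Split a KMS key-version resource name into (key path, version number)."""
    m = KMS_VERSION_RE.match(resource)
    if not m:
        raise ValueError(f"not a Cloud KMS key version resource: {resource!r}")
    return m.group("key"), int(m.group("version"))


def rotate_key_field(config, new_key_version):
    """Return a copy of config whose `key` points at new_key_version.

    Refuses to point the CA at a different key or at an older version: the
    rotator only ever advances the version of the key already in use.
    """
    old_key, old_ver = parse_key_version(config["key"])
    new_key, new_ver = parse_key_version(new_key_version)
    if new_key != old_key:
        raise ValueError("refusing to switch to a different KMS key")
    if new_ver <= old_ver:
        raise ValueError(f"version {new_ver} is not newer than {old_ver}")
    updated = dict(config)
    updated["key"] = new_key_version
    return updated


def rotation_allowed(config, new_key_version):
    """True if rotate_key_field would accept new_key_version for this config."""
    try:
        rotate_key_field(config, new_key_version)
        return True
    except ValueError:
        return False


def write_config_atomic(path, config):
    """Write via temp file + rename so step-ca never reads a half-written ca.json."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".ca.json.")
    with os.fdopen(fd, "w") as f:
        json.dump(config, f, indent=2)
        f.write("\n")
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


def reload_step_ca(pid):
    """Ask a running step-ca to re-read its configuration (SIGHUP, as the rotator does)."""
    os.kill(pid, signal.SIGHUP)


def check_after_rotation(path, expected_key_version):
    """Post-rotation check: config on disk names the new key and the crt file exists."""
    with open(path) as f:
        cfg = json.load(f)
    problems = []
    if cfg.get("key") != expected_key_version:
        problems.append("key field does not reference the new key version")
    if not os.path.isfile(cfg.get("crt", "")):
        problems.append(f"intermediate certificate missing: {cfg.get('crt')}")
    return problems


def run_demo():
    """Rotate a constructed ca.json in a temp dir; return (updated config, problems)."""
    with tempfile.TemporaryDirectory() as workdir:
        cfg_path = os.path.join(workdir, "ca.json")
        crt_path = os.path.join(workdir, "intermediate_ca.crt")
        cfg = dict(SAMPLE_CA_JSON, crt=crt_path)
        write_config_atomic(cfg_path, cfg)
        with open(crt_path, "w") as f:  # constructed placeholder, not a real cert
            f.write("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
        new_version = cfg["key"].rsplit("/", 1)[0] + "/4"
        updated = rotate_key_field(cfg, new_version)
        write_config_atomic(cfg_path, updated)
        # On a real host reload_step_ca(<step-ca pid>) would follow here.
        return updated, check_after_rotation(cfg_path, new_version)


if __name__ == "__main__":
    updated, problems = run_demo()
    print(updated["key"], problems or "ok")
```

The version check matters because a rotator that accepts any resource name could be steered to a foreign key; restricting the update to a newer version of the same key keeps a configuration bug from silently re-keying the CA. The atomic rename guards the window between the rotator writing ca.json and step-ca reading it on SIGHUP.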
Quick reference
Files and directories
Path | Description |
---|---|
/etc/scion-ca/step | Directory containing step-ca configuration and data |
/etc/scion-ca/step/certs | Directory containing step-ca configuration and data |
/etc/scion-ca/step/certs/intermediate_ca.crt | Intermediate CA certificate file (provisioned by step-ca-rotator) |
/etc/scion-ca/step/certs/root_ca.crt | Root CA certificate file (provisioned by operator) |
/etc/scion-ca/step/config/ca.json | Main configuration file for step-ca (modified by step-ca-rotator) |
/etc/scion-ca/step/secrets/credentials.json | File storing the credentials for step-ca |
/etc/scion-ca/step/templates/step-ca-adapter.json | X.509 template for the step-ca-adapter provisioner |
/etc/systemd/system/step-ca.service | Systemd unit file to manage the step-ca service |
Commands
Command | Description |
---|---|
sudo systemctl start step-ca | Start the step-ca service |
sudo systemctl stop step-ca | Stop the step-ca service |
sudo systemctl restart step-ca | Restart the step-ca service |
sudo systemctl status step-ca | Check the status of the step-ca service |
sudo journalctl -u step-ca | View the logs for the step-ca service |
step ca provisioner <cmd> | Manage step-ca provisioners |