How do I start up a step-ca server using contexts?

[dkowis]

I am using the docker container in this case... And maybe that's the difficult part.
I'm trying to have multiple named contexts for my certificates. So I can provide limited authentication ones, say for remote docker TLS auth, but also have SSL certs on services, delivered by acme in both cases.

So that means I'd have two contexts:

• docker
• services

I did the init by hand using --context services and it seems to have done the right thing:

❯ tree step/
step/
├── authorities
│   └── services
│       ├── certs
│       │   ├── intermediate_ca.crt
│       │   └── root_ca.crt
│       ├── config
│       │   ├── ca.json
│       │   └── defaults.json
│       ├── db
│       │   ├── 000000.vlog
│       │   ├── 000002.sst
│       │   ├── KEYREGISTRY
│       │   ├── LOCK
│       │   └── MANIFEST
│       ├── secrets
│       │   ├── intermediate_ca_key
│       │   ├── password
│       │   └── root_ca_key
│       └── templates
├── contexts.json
├── current-context.json
└── profiles
    └── services
        └── config
            └── defaults.json

10 directories, 15 files

I've extrapolated that the CA password needs to be in step/authorities/services/secrets/password, but I'm not sure on that.

I also can't figure out how to start the actual server.

The documents for contexts doesn't quite spell out what happens if you "add" contexts to an existing one, other than to indicate that there's an "unnamed" context and it is not affected when you add contexts.

Should I just have a "default" context and then create additional contexts as I need/want them, instead of starting with contexts?

If I do start with contexts, how do I tell the server to start in a specific context? I assume also that using the step context command allows you to switch contexts, so I won't have to run 7 different step-ca servers to serve up 7 different Root CAs for different purposes, I think, right?

Thanks for everything!

[dkowis]

Ohh, maybe I've figured out the right incantation:

docker run -t -p 9000:9000 -v (pwd)/step:/home/step smallstep/step-ca step-ca --password-file ./authorities/services/secrets/password

I don't know what will happen when I set up another context... is there a context config that tells it where the password file is per-context?

[dkowis]

Okay, so the more I'm reading, if I want to have multiple certificate authorities, I have to run many step-ca because I cannot tell the server to switch contexts and use a different CA. That makes sense I think.

[dkowis]

So the answer for the step-ca server is not to use contexts, that's not the right way to organize certificates.

[tashian]

Hi @dkowis, that's correct. step-ca is designed for use cases where there's a single root. If you find you're needing to run several CAs for different roots, you may be better served by our commercial product, which can be cloud hosted or run on-prem.