Help Setting Up Offline and Online CA with Smallstep

[DevDorrejo]

Hello,

I'm new to the world of PKI and certificate authorities, and still learning. I came across Smallstep and it seems simpler and more robust than EJBCA. I like that Smallstep uses modern certificates and solutions, avoiding legacy key algorithms that can confuse newcomers.

I need help understanding how to set up an Offline CA and an Online CA using Smallstep. At my workplace, we currently operate without encryption, so we need to set up our own CA to secure our environment. The goal is to issue certificates for our Domain Controller (Active Directory), APIs, and various web services (subdomains under the DC AD domain).

Also, I read that it's possible to use Certbot alongside Smallstep to generate certificates per subdomain/server. I'm interested in understanding how that setup works too.

Thanks in advance for your help!

[tashian]

Hi! I would suggest going through our open source docs and setting up a local CA to try out. It is indeed possible to use Certbot or another ACME client with Smallstep. We have a production considerations doc that can be helpful when it comes to safeguarding your keys (eg. setting up an offline CA).

In addition to our open source, we have commercial options that may be a much better fit for your needs. If you'd like talk with us about your needs or see a demo, feel free to reach out to us and schedule a time to talk.