{"title":"Run a private online TLS certificate authority in a Docker container","byline":null,"dir":null,"lang":null,"content":"<div id=\"readability-page-1\" class=\"page\"><div><p>This guide will illustrate how to run open source <code>step-ca</code> inside a Docker container.\nAs an example, you will send secure communications between a standalone webserver and curl.</p>\n<h2 id=\"about-this-tutorial\">About this tutorial<a href=\"#about-this-tutorial\"><svg stroke=\"currentColor\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http://www.w3.org/2000/svg\"><path d=\"M13.828 10.172a4 4 0 00-5.656 0l-4 4a4 4 0 105.656 5.656l1.102-1.101m-.758-4.899a4 4 0 005.656 0l4-4a4 4 0 00-5.656-5.656l-1.1 1.1\" stroke-width=\"2\" stroke-linejoin=\"round\" stroke-linecap=\"round\"></path></svg></a></h2>\n<ul>\n<li>Learn how to Bootstrap and run a private X.509 online Certificate Authority in a Docker container.</li>\n<li>Estimated effort: Reading time ~4 mins, Lab time ~20 to 60 mins.</li>\n</ul>\n\n<h2 id=\"overview\">Overview<a href=\"#overview\"><svg stroke=\"currentColor\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http://www.w3.org/2000/svg\"><path d=\"M13.828 10.172a4 4 0 00-5.656 0l-4 4a4 4 0 105.656 5.656l1.102-1.101m-.758-4.899a4 4 0 005.656 0l4-4a4 4 0 00-5.656-5.656l-1.1 1.1\" stroke-width=\"2\" stroke-linejoin=\"round\" stroke-linecap=\"round\"></path></svg></a></h2>\n<ul>\n<li><a href=\"https://smallstep.com/docs/tutorials/docker-tls-certificate-authority/#quickstart\">Quickstart</a></li>\n<li><a href=\"https://smallstep.com/docs/tutorials/docker-tls-certificate-authority/#manual-installation\">Manual installation</a></li>\n<li><a href=\"https://smallstep.com/docs/tutorials/docker-tls-certificate-authority/#setting-up-a-development-environment\">Setting Up a Development Environment</a></li>\n</ul>\n<h2 id=\"requirements\">Requirements<a href=\"#requirements\"><svg stroke=\"currentColor\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http://www.w3.org/2000/svg\"><path d=\"M13.828 10.172a4 4 0 00-5.656 0l-4 4a4 4 0 105.656 5.656l1.102-1.101m-.758-4.899a4 4 0 005.656 0l4-4a4 4 0 00-5.656-5.656l-1.1 1.1\" stroke-width=\"2\" stroke-linejoin=\"round\" stroke-linecap=\"round\"></path></svg></a></h2>\n<ul>\n<li><strong>Open source -</strong> To interact with <code>step-ca</code>, you'll want to install the <code>step</code> client in your host environment. See our <a rel=\"nofollow\" href=\"https://smallstep.com/docs/step-cli/installation\">installation docs</a>.</li>\n</ul>\n<h2 id=\"quickstart\">Quickstart<a href=\"#quickstart\"><svg stroke=\"currentColor\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http://www.w3.org/2000/svg\"><path d=\"M13.828 10.172a4 4 0 00-5.656 0l-4 4a4 4 0 105.656 5.656l1.102-1.101m-.758-4.899a4 4 0 005.656 0l4-4a4 4 0 00-5.656-5.656l-1.1 1.1\" stroke-width=\"2\" stroke-linejoin=\"round\" stroke-linecap=\"round\"></path></svg></a></h2>\n<p>On your Docker host, run:</p>\n<section><code><pre>docker run -d -v step:/home/step \\\n    -p 9000:9000 \\\n    -e \"DOCKER_STEPCA_INIT_NAME=Smallstep\" \\\n    -e \"DOCKER_STEPCA_INIT_DNS_NAMES=localhost,$(hostname -f)\" \\\n    smallstep/step-ca\n</pre></code></section>\n<p>The following environment variables are available for CA configuration:</p>\n<ul>\n<li><code>DOCKER_STEPCA_INIT_NAME</code> (<strong>required</strong>) the name of your CA—this will be the issuer of your CA certificates</li>\n<li><code>DOCKER_STEPCA_INIT_DNS_NAMES</code> (<strong>required</strong>) the hostname(s) or IPs that the CA will accept requests on</li>\n<li><code>DOCKER_STEPCA_INIT_PROVISIONER_NAME</code> a label for the initial admin (JWK) provisioner. Default: \"admin\"</li>\n<li><code>DOCKER_STEPCA_INIT_SSH</code> set this to a non-empty value to create an SSH CA</li>\n<li><code>DOCKER_STEPCA_INIT_PASSWORD</code>  specify a password for the encrypted CA keys and the default CA provisioner. A password is generated by default. Note: In a production environment, a more secure option for specifying a password is to use the manual installation process, below.</li>\n</ul>\n<p>Once <code>step-ca</code> is running, the CA's URL and SHA256 fingerprint are all clients need to bootstrap with the CA.</p>\n<p>Let's bootstrap the <code>step</code> client. Run:</p>\n<section><code><pre>{\n  CA_FINGERPRINT=$(docker run -v step:/home/step smallstep/step-ca step certificate fingerprint certs/root_ca.crt)\n  step ca bootstrap --ca-url https://localhost:9000 --fingerprint $CA_FINGERPRINT\n}\n</pre></code></section>\n<p>Output:</p>\n<section><code><pre>The root certificate has been saved in /Users/alice/.step/certs/root_ca.crt.\nYour configuration has been saved in /Users/alice/.step/config/defaults.json.\n</pre></code></section>\n<p>Your CA is ready for use. You can view your CA password via:</p>\n<section><code><pre>docker run -v step:/home/step smallstep/step-ca cat secrets/password\n</pre></code></section>\n<h2 id=\"manual-installation\">Manual installation<a href=\"#manual-installation\"><svg stroke=\"currentColor\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http://www.w3.org/2000/svg\"><path d=\"M13.828 10.172a4 4 0 00-5.656 0l-4 4a4 4 0 105.656 5.656l1.102-1.101m-.758-4.899a4 4 0 005.656 0l4-4a4 4 0 00-5.656-5.656l-1.1 1.1\" stroke-width=\"2\" stroke-linejoin=\"round\" stroke-linecap=\"round\"></path></svg></a></h2>\n<h3 id=\"1-pull-down-the-docker-image\">1. Pull down the Docker image<a href=\"#1-pull-down-the-docker-image\"><svg stroke=\"currentColor\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http://www.w3.org/2000/svg\"><path d=\"M13.828 10.172a4 4 0 00-5.656 0l-4 4a4 4 0 105.656 5.656l1.102-1.101m-.758-4.899a4 4 0 005.656 0l4-4a4 4 0 00-5.656-5.656l-1.1 1.1\" stroke-width=\"2\" stroke-linejoin=\"round\" stroke-linecap=\"round\"></path></svg></a></h3>\n<p>Get the latest version of <code>step-ca</code></p>\n<section><code><pre>docker pull smallstep/step-ca\n</pre></code></section>\n<h3 id=\"2-bring-up-pki-bootstrapping-container\">2. Bring up PKI bootstrapping container<a href=\"#2-bring-up-pki-bootstrapping-container\"><svg stroke=\"currentColor\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http://www.w3.org/2000/svg\"><path d=\"M13.828 10.172a4 4 0 00-5.656 0l-4 4a4 4 0 105.656 5.656l1.102-1.101m-.758-4.899a4 4 0 005.656 0l4-4a4 4 0 00-5.656-5.656l-1.1 1.1\" stroke-width=\"2\" stroke-linejoin=\"round\" stroke-linecap=\"round\"></path></svg></a></h3>\n<p>The Docker volume <code>step</code> will hold your CA configuration, keys, and database.</p>\n<section><code><pre>docker run -it -v step:/home/step smallstep/step-ca step ca init\n</pre></code></section>\n<p>The init command will step you through the bootstrapping process. Example output:</p>\n<section><code><pre>✔ What would you like to name your new PKI? (e.g. Smallstep): Smallstep\n✔ What DNS names or IP addresses would you like to add to your new CA? (e.g. ca.smallstep.com[,1.1.1.1,etc.]): localhost\n✔ What address will your new CA listen at? (e.g. :443): :9000\n✔ What would you like to name the first provisioner for your new CA? (e.g. you@smallstep.com): admin@smallstep.com\n✔ What do you want your password to be? [leave empty and we'll generate one]:\n\nGenerating root certificate...\nall done!\n\nGenerating intermediate certificate...\nall done!\n\n✔ Root certificate: /home/step/certs/root_ca.crt\n✔ Root private key: /home/step/secrets/root_ca_key\n✔ Root fingerprint: 86a278f34e58c7ab04313aff0e8e5114f1d1da955ecb20412b3d32cc2267ddcd\n✔ Intermediate certificate: /home/step/certs/intermediate_ca.crt\n✔ Intermediate private key: /home/step/secrets/intermediate_ca_key\n✔ Database folder: /home/step/db\n✔ Default configuration: /home/step/config/defaults.json\n✔ Certificate Authority configuration: /home/step/config/ca.json\n\nYour PKI is ready to go. To generate certificates for individual services see 'step help ca'.\n</pre></code></section>\n<p><strong>Save the root fingerprint value</strong>! You'll need it for client bootstrapping.</p>\n<h3 id=\"3-place-the-pki-root-password-in-a-known-safe-location\">3. Place the PKI root password in a known safe location.<a href=\"#3-place-the-pki-root-password-in-a-known-safe-location\"><svg stroke=\"currentColor\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http://www.w3.org/2000/svg\"><path d=\"M13.828 10.172a4 4 0 00-5.656 0l-4 4a4 4 0 105.656 5.656l1.102-1.101m-.758-4.899a4 4 0 005.656 0l4-4a4 4 0 00-5.656-5.656l-1.1 1.1\" stroke-width=\"2\" stroke-linejoin=\"round\" stroke-linecap=\"round\"></path></svg></a></h3>\n<p>The image is expecting the password to be placed in <code>/home/step/secrets/password</code>. Bring up the shell prompt in the container again and write that file:</p>\n<section><code><pre>docker run -it -v step:/home/step smallstep/step-ca sh\n</pre></code></section>\n<p><strong>Inside your container</strong>, write the file into the expected location:</p>\n<section><code><pre> echo \"&lt;your password here&gt;\" &gt; /home/step/secrets/password\n</pre></code></section>\n<p>Your CA is configured and ready to run.</p>\n<h3 id=\"4-start-step-ca\">4. Start <code>step-ca</code><a href=\"#4-start-step-ca\"><svg stroke=\"currentColor\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http://www.w3.org/2000/svg\"><path d=\"M13.828 10.172a4 4 0 00-5.656 0l-4 4a4 4 0 105.656 5.656l1.102-1.101m-.758-4.899a4 4 0 005.656 0l4-4a4 4 0 00-5.656-5.656l-1.1 1.1\" stroke-width=\"2\" stroke-linejoin=\"round\" stroke-linecap=\"round\"></path></svg></a></h3>\n<p>The CA runs an HTTPS API on port 9000 inside the container. Expose the server address locally and run the <code>step-ca</code> with:</p>\n<section><code><pre>docker run -d -p 9000:9000 -v step:/home/step smallstep/step-ca\n</pre></code></section>\n<p>Now, on your Docker host, bootstrap your <code>step</code> client configuration:</p>\n<section><code><pre>{\n  CA_FINGERPRINT=$(docker run  -v step:/home/step smallstep/step-ca step certificate fingerprint /home/step/certs/root_ca.crt)\n  step ca bootstrap --ca-url https://localhost:9000 --fingerprint $CA_FINGERPRINT\n}\n</pre></code></section>\n<p>Output:</p>\n<section><code><pre>The root certificate has been saved in /Users/alice/.step/certs/root_ca.crt.\nYour configuration has been saved in /Users/alice/.step/config/defaults.json.\n</pre></code></section>\n<p>Your local<code>step</code> CLI is now configured to use the container instance of <code>step-ca</code> and our new root certificate is trusted by our local environment (inserted into local trust store).</p>\n<p>Run a health check:</p>\n<section><code><pre>curl https://localhost:9000/health\n</pre></code></section>\n<p>Output:</p>\n<section><code><pre>{\"status\":\"ok\"}\n</pre></code></section>\n<h3 id=\"next-steps\">Next steps:<a href=\"#next-steps\"><svg stroke=\"currentColor\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http://www.w3.org/2000/svg\"><path d=\"M13.828 10.172a4 4 0 00-5.656 0l-4 4a4 4 0 105.656 5.656l1.102-1.101m-.758-4.899a4 4 0 005.656 0l4-4a4 4 0 00-5.656-5.656l-1.1 1.1\" stroke-width=\"2\" stroke-linejoin=\"round\" stroke-linecap=\"round\"></path></svg></a></h3>\n<ul>\n<li>See our <a rel=\"nofollow\" href=\"https://smallstep.com/docs/step-ca/basic-certificate-authority-operations\">Basic CA Operations</a> guide.</li>\n<li>See our <a rel=\"nofollow\" href=\"https://smallstep.com/docs/step-ca/configuration\">Configuration Guide</a> to learn more about tailoring <code>step-ca</code> to your infrastructure.</li>\n<li>Or, set up a development environment in the next section.</li>\n</ul>\n<h2 id=\"setting-up-a-development-environment\">Setting Up a Development Environment<a href=\"#setting-up-a-development-environment\"><svg stroke=\"currentColor\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http://www.w3.org/2000/svg\"><path d=\"M13.828 10.172a4 4 0 00-5.656 0l-4 4a4 4 0 105.656 5.656l1.102-1.101m-.758-4.899a4 4 0 005.656 0l4-4a4 4 0 00-5.656-5.656l-1.1 1.1\" stroke-width=\"2\" stroke-linejoin=\"round\" stroke-linecap=\"round\"></path></svg></a></h2>\n<p><strong>You will need:</strong></p>\n<ul>\n<li>A Python 2.7.x interpreter to bring up a standalone webserver (optional)</li>\n</ul>\n<p>Run this section on your host machine where Docker is installed.</p>\n<p>Once you've bootstrapped your local environment, you can now run web services configured with TLS and mTLS. First, get a certificate for <code>localhost</code>:</p>\n<section><code><pre>step ca certificate localhost localhost.crt localhost.key\n</pre></code></section>\n<p>Output:</p>\n<section><code><pre>✔ Key ID: aTPGWP0qbuQdflR5VxtNouDIOXyNMH1H9KAZKP-UcHo (admin)\n✔ Please enter the password to decrypt the provisioner key:\n✔ CA: &lt;https://localhost:9000/1.0/sign&gt;\n✔ Certificate: localhost.crt\n✔ Private Key: localhost.key\n</pre></code></section>\n<p>Now save a copy of your root CA certificate:</p>\n<section><code><pre>step ca root root_ca.crt\n</pre></code></section>\n<p>Output:</p>\n<section><code><pre>The root certificate has been saved in root_ca.crt.\n</pre></code></section>\n<p>Next, let's launch a web server secured by HTTPS:</p>\n<section><code><pre>{\ncat &lt;&lt;EOF &gt; server.py\nimport BaseHTTPServer, ssl\n\nclass HelloHandler(BaseHTTPServer.BaseHTTPRequestHandler):\n    def do_GET(self):\n        self.send_response(200);\n        self.send_header('content-type', 'text/html; charset=utf-8');\n        self.end_headers()\n        self.wfile.write(b'\\\\n\\\\xf0\\\\x9f\\\\x91\\\\x8b Hello! Welcome to TLS \\\\xf0\\\\x9f\\\\x94\\\\x92\\\\xe2\\\\x9c\\\\x85\\\\n\\\\n')\n\nhttpd = BaseHTTPServer.HTTPServer(('', 8443), HelloHandler)\nhttpd.socket = ssl.wrap_socket(httpd.socket,\n                   server_side=True,\n                   keyfile=\"localhost.key\",\n                   certfile=\"localhost.crt\",\n                   ca_certs=\"root_ca.crt\")\nhttpd.serve_forever()\nEOF\n\npython server.py\n}\n</pre></code></section>\n<p>Open up another terminal to see your server running:</p>\n<section><code><pre>$ curl https://localhost:8443\n👋 Hello! Welcome to TLS 🔒✅\n\n</pre></code></section>\n\n<h3 id=\"further-reading\">Further Reading<a href=\"#further-reading\"><svg stroke=\"currentColor\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http://www.w3.org/2000/svg\"><path d=\"M13.828 10.172a4 4 0 00-5.656 0l-4 4a4 4 0 105.656 5.656l1.102-1.101m-.758-4.899a4 4 0 005.656 0l4-4a4 4 0 00-5.656-5.656l-1.1 1.1\" stroke-width=\"2\" stroke-linejoin=\"round\" stroke-linecap=\"round\"></path></svg></a></h3>\n<ul>\n<li><code>[step</code> Documentation](<a rel=\"nofollow\" href=\"https://smallstep.com/docs/step-cli\">https://smallstep.com/docs/step-cli</a>)</li>\n<li><a rel=\"nofollow\" href=\"https://smallstep.com/docs/step-cli/basic-crypto-operations\">Getting Started</a></li>\n<li><a rel=\"nofollow\" href=\"https://github.com/smallstep/cli\">GitHub Repository</a></li>\n</ul>\n<h3 id=\"troubleshooting\">Troubleshooting<a href=\"#troubleshooting\"><svg stroke=\"currentColor\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http://www.w3.org/2000/svg\"><path d=\"M13.828 10.172a4 4 0 00-5.656 0l-4 4a4 4 0 105.656 5.656l1.102-1.101m-.758-4.899a4 4 0 005.656 0l4-4a4 4 0 00-5.656-5.656l-1.1 1.1\" stroke-width=\"2\" stroke-linejoin=\"round\" stroke-linecap=\"round\"></path></svg></a></h3>\n<h3 id=\"raspberry-pi-badger-database-errors\">Raspberry Pi Badger database errors<a href=\"#raspberry-pi-badger-database-errors\"><svg stroke=\"currentColor\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http://www.w3.org/2000/svg\"><path d=\"M13.828 10.172a4 4 0 00-5.656 0l-4 4a4 4 0 105.656 5.656l1.102-1.101m-.758-4.899a4 4 0 005.656 0l4-4a4 4 0 00-5.656-5.656l-1.1 1.1\" stroke-width=\"2\" stroke-linejoin=\"round\" stroke-linecap=\"round\"></path></svg></a></h3>\n<p>When you run <code>step-ca</code> on a Raspberry Pi, you might get the following error in\nyour container logs:</p>\n<section><code><pre>step-ca  | badger 2021/05/08 20:13:12 INFO: All 0 tables opened in 0s\nstep-ca  | Error opening database of Type badger with source /home/step/db: error opening Badger database: Mmap value log file. Path=/home/step/db/000000.vlog. Error=cannot allocate memory\n\n</pre></code></section>\n<p>To fix it, edit the <code>db</code> configuration block in the file <code>config/ca.json</code>.</p>\n<section><code><pre>docker run -v step:/home/step -it smallstep/step-ca vi /home/step/config/ca.json\n</pre></code></section>\n<p>Change the value of <code>badgerFileLoadingMode</code> from <code>\"\"</code> to <code>\"FileIO\"</code>.</p>\n<p>You will end up with this:</p>\n<section><code><pre>    \"db\": {\n          \"type\": \"badger\",\n          \"dataSource\": \"/home/step/db\",\n          \"badgerFileLoadingMode\": \"FileIO\"\n    },\n</pre></code></section>\n<p>Save and restart the container.</p></div></div>","textContent":"This guide will illustrate how to run open source step-ca inside a Docker container.\nAs an example, you will send secure communications between a standalone webserver and curl.\nAbout this tutorial\n\nLearn how to Bootstrap and run a private X.509 online Certificate Authority in a Docker container.\nEstimated effort: Reading time ~4 mins, Lab time ~20 to 60 mins.\n\n\nOverview\n\nQuickstart\nManual installation\nSetting Up a Development Environment\n\nRequirements\n\nOpen source - To interact with step-ca, you'll want to install the step client in your host environment. See our installation docs.\n\nQuickstart\nOn your Docker host, run:\ndocker run -d -v step:/home/step \\\n    -p 9000:9000 \\\n    -e \"DOCKER_STEPCA_INIT_NAME=Smallstep\" \\\n    -e \"DOCKER_STEPCA_INIT_DNS_NAMES=localhost,$(hostname -f)\" \\\n    smallstep/step-ca\n\nThe following environment variables are available for CA configuration:\n\nDOCKER_STEPCA_INIT_NAME (required) the name of your CA—this will be the issuer of your CA certificates\nDOCKER_STEPCA_INIT_DNS_NAMES (required) the hostname(s) or IPs that the CA will accept requests on\nDOCKER_STEPCA_INIT_PROVISIONER_NAME a label for the initial admin (JWK) provisioner. Default: \"admin\"\nDOCKER_STEPCA_INIT_SSH set this to a non-empty value to create an SSH CA\nDOCKER_STEPCA_INIT_PASSWORD  specify a password for the encrypted CA keys and the default CA provisioner. A password is generated by default. Note: In a production environment, a more secure option for specifying a password is to use the manual installation process, below.\n\nOnce step-ca is running, the CA's URL and SHA256 fingerprint are all clients need to bootstrap with the CA.\nLet's bootstrap the step client. Run:\n{\n  CA_FINGERPRINT=$(docker run -v step:/home/step smallstep/step-ca step certificate fingerprint certs/root_ca.crt)\n  step ca bootstrap --ca-url https://localhost:9000 --fingerprint $CA_FINGERPRINT\n}\n\nOutput:\nThe root certificate has been saved in /Users/alice/.step/certs/root_ca.crt.\nYour configuration has been saved in /Users/alice/.step/config/defaults.json.\n\nYour CA is ready for use. You can view your CA password via:\ndocker run -v step:/home/step smallstep/step-ca cat secrets/password\n\nManual installation\n1. Pull down the Docker image\nGet the latest version of step-ca\ndocker pull smallstep/step-ca\n\n2. Bring up PKI bootstrapping container\nThe Docker volume step will hold your CA configuration, keys, and database.\ndocker run -it -v step:/home/step smallstep/step-ca step ca init\n\nThe init command will step you through the bootstrapping process. Example output:\n✔ What would you like to name your new PKI? (e.g. Smallstep): Smallstep\n✔ What DNS names or IP addresses would you like to add to your new CA? (e.g. ca.smallstep.com[,1.1.1.1,etc.]): localhost\n✔ What address will your new CA listen at? (e.g. :443): :9000\n✔ What would you like to name the first provisioner for your new CA? (e.g. you@smallstep.com): admin@smallstep.com\n✔ What do you want your password to be? [leave empty and we'll generate one]:\n\nGenerating root certificate...\nall done!\n\nGenerating intermediate certificate...\nall done!\n\n✔ Root certificate: /home/step/certs/root_ca.crt\n✔ Root private key: /home/step/secrets/root_ca_key\n✔ Root fingerprint: 86a278f34e58c7ab04313aff0e8e5114f1d1da955ecb20412b3d32cc2267ddcd\n✔ Intermediate certificate: /home/step/certs/intermediate_ca.crt\n✔ Intermediate private key: /home/step/secrets/intermediate_ca_key\n✔ Database folder: /home/step/db\n✔ Default configuration: /home/step/config/defaults.json\n✔ Certificate Authority configuration: /home/step/config/ca.json\n\nYour PKI is ready to go. To generate certificates for individual services see 'step help ca'.\n\nSave the root fingerprint value! You'll need it for client bootstrapping.\n3. Place the PKI root password in a known safe location.\nThe image is expecting the password to be placed in /home/step/secrets/password. Bring up the shell prompt in the container again and write that file:\ndocker run -it -v step:/home/step smallstep/step-ca sh\n\nInside your container, write the file into the expected location:\n echo \"<your password here>\" > /home/step/secrets/password\n\nYour CA is configured and ready to run.\n4. Start step-ca\nThe CA runs an HTTPS API on port 9000 inside the container. Expose the server address locally and run the step-ca with:\ndocker run -d -p 9000:9000 -v step:/home/step smallstep/step-ca\n\nNow, on your Docker host, bootstrap your step client configuration:\n{\n  CA_FINGERPRINT=$(docker run  -v step:/home/step smallstep/step-ca step certificate fingerprint /home/step/certs/root_ca.crt)\n  step ca bootstrap --ca-url https://localhost:9000 --fingerprint $CA_FINGERPRINT\n}\n\nOutput:\nThe root certificate has been saved in /Users/alice/.step/certs/root_ca.crt.\nYour configuration has been saved in /Users/alice/.step/config/defaults.json.\n\nYour localstep CLI is now configured to use the container instance of step-ca and our new root certificate is trusted by our local environment (inserted into local trust store).\nRun a health check:\ncurl https://localhost:9000/health\n\nOutput:\n{\"status\":\"ok\"}\n\nNext steps:\n\nSee our Basic CA Operations guide.\nSee our Configuration Guide to learn more about tailoring step-ca to your infrastructure.\nOr, set up a development environment in the next section.\n\nSetting Up a Development Environment\nYou will need:\n\nA Python 2.7.x interpreter to bring up a standalone webserver (optional)\n\nRun this section on your host machine where Docker is installed.\nOnce you've bootstrapped your local environment, you can now run web services configured with TLS and mTLS. First, get a certificate for localhost:\nstep ca certificate localhost localhost.crt localhost.key\n\nOutput:\n✔ Key ID: aTPGWP0qbuQdflR5VxtNouDIOXyNMH1H9KAZKP-UcHo (admin)\n✔ Please enter the password to decrypt the provisioner key:\n✔ CA: <https://localhost:9000/1.0/sign>\n✔ Certificate: localhost.crt\n✔ Private Key: localhost.key\n\nNow save a copy of your root CA certificate:\nstep ca root root_ca.crt\n\nOutput:\nThe root certificate has been saved in root_ca.crt.\n\nNext, let's launch a web server secured by HTTPS:\n{\ncat <<EOF > server.py\nimport BaseHTTPServer, ssl\n\nclass HelloHandler(BaseHTTPServer.BaseHTTPRequestHandler):\n    def do_GET(self):\n        self.send_response(200);\n        self.send_header('content-type', 'text/html; charset=utf-8');\n        self.end_headers()\n        self.wfile.write(b'\\\\n\\\\xf0\\\\x9f\\\\x91\\\\x8b Hello! Welcome to TLS \\\\xf0\\\\x9f\\\\x94\\\\x92\\\\xe2\\\\x9c\\\\x85\\\\n\\\\n')\n\nhttpd = BaseHTTPServer.HTTPServer(('', 8443), HelloHandler)\nhttpd.socket = ssl.wrap_socket(httpd.socket,\n                   server_side=True,\n                   keyfile=\"localhost.key\",\n                   certfile=\"localhost.crt\",\n                   ca_certs=\"root_ca.crt\")\nhttpd.serve_forever()\nEOF\n\npython server.py\n}\n\nOpen up another terminal to see your server running:\n$ curl https://localhost:8443\n👋 Hello! Welcome to TLS 🔒✅\n\n\n\nFurther Reading\n\n[step Documentation](https://smallstep.com/docs/step-cli)\nGetting Started\nGitHub Repository\n\nTroubleshooting\nRaspberry Pi Badger database errors\nWhen you run step-ca on a Raspberry Pi, you might get the following error in\nyour container logs:\nstep-ca  | badger 2021/05/08 20:13:12 INFO: All 0 tables opened in 0s\nstep-ca  | Error opening database of Type badger with source /home/step/db: error opening Badger database: Mmap value log file. Path=/home/step/db/000000.vlog. Error=cannot allocate memory\n\n\nTo fix it, edit the db configuration block in the file config/ca.json.\ndocker run -v step:/home/step -it smallstep/step-ca vi /home/step/config/ca.json\n\nChange the value of badgerFileLoadingMode from \"\" to \"FileIO\".\nYou will end up with this:\n    \"db\": {\n          \"type\": \"badger\",\n          \"dataSource\": \"/home/step/db\",\n          \"badgerFileLoadingMode\": \"FileIO\"\n    },\n\nSave and restart the container.","length":7833,"excerpt":"This guide will illustrate how to run open source step-ca inside a Docker container.\nAs an example, you will send secure communications between a standalone webserver and curl.","siteName":null}