Smallstep step-ca, the open source private online certificate authority for X.509 and ACME, preinstalled and running as a service on Ubuntu 24.04 LTS by cloudimg. Every VM bootstraps its own unique CA on first boot. Issue and automate internal TLS certificates fast. Apache-2.0. 24/7 cloudimg support.
## Smallstep step-ca on Ubuntu 24.04 LTS by cloudimg
step-ca is an open source online certificate authority for secure, automated X.509 and ACME certificate management. Run your own private PKI: an internal certificate authority that issues short-lived TLS certificates to your services, devices and workloads, with full ACME support so any ACME client can request and renew certificates automatically. This image delivers step-ca 0.30.2 (with the step CLI 0.30.6) fully installed and running as a hardened systemd service as the unprivileged step user, bound to loopback at 127.0.0.1:8443. Backed by 24/7 expert support.
### Unique CA per VM
On its first boot every VM generates its own random CA key and provisioner passwords and initialises a brand new certificate authority with its own root and intermediate certificates and freshly encrypted signing keys, unique to that VM. No CA material is shared between VMs or ships in the image. The generated passwords and root fingerprint are written to a protected root-only file so you can bootstrap clients immediately.
### ACME and X.509
A default ACME provisioner is configured so standard ACME clients can request and renew certificates, and a password-protected JWK provisioner lets you issue certificates directly with the step tool. The CA configuration, certificates and encrypted keys live on a dedicated, independently resizable Azure data disk mounted at /var/lib/step-ca.
### Networking
The CA listens on loopback only by default. Open port 8443 in your network security group for the clients that need certificates, or reach the CA over an SSH tunnel (ssh -L 8443:127.0.0.1:8443 azureuser@your-vm-ip). The deployment NSG only needs port 22 for SSH administration.
### Why Choose cloudimg?
* 24/7 Expert Support: guaranteed 24-hour response. Contact support@cloudimg.co.uk
* Production Ready from Launch: preconfigured, security patched, and validated before publication
* Azure Native Integration: built with Azure Linux Agent, cloud-init, and Gen2 Hyper-V
### Use Cases
Internal PKI and private certificate authority, automated TLS for microservices and devices, ACME certificate issuance and renewal, short-lived certificates for zero-trust, and a self-hosted alternative to managed CA services.
Visit www.cloudimg.co.uk/guides/step-ca-on-ubuntu-24-04-azure for the full user guide.
Smallstep and step-ca are trademarks of Smallstep Labs, Inc. cloudimg is not affiliated with or endorsed by Smallstep Labs. All trademarks are the property of their respective holders.