# Installation

## .env

- Set `ALL_TZ` to the current timezone
- Set `ALL_RESTART_POLICY` to `unless-stopped`

## Generate Root and Intermediate CA

```shell
mkdir -p data/step-ca/home/secrets
echo 'change_it' > data/step-ca/home/secrets/password
chmod 600 data/step-ca/home/secrets/password
chown -R 1000:1000 data/step-ca/home
docker run -it --rm -v `pwd`/data/step-ca/home:/home/step smallstep/step-ca:0.15.6 \
  step ca init --ssh \
    --address '0.0.0.0:443' \
    --provisioner 'admin-provisioner' \
    --password-file 'secrets/password' \
    --dns '127.0.0.1,localhost,pki.example.com' \
    --name 'Example Inc.'
```

## Active Directory

- Install AD-CS as a Subordinate CA
- Generate the private key using the wizard
- Finish the setup
- Copy the generated CSR to `data/step-ca/home/certs`
- Run on the `step-ca` container:

```shell
step certificate sign --profile intermediate-ca certs/ad.csr certs/root_ca.crt secrets/root_ca_key
```

Note: `step` might complain if there is an empty trailing line at the end of the CSR.

- Copy the generated certificate (printed on stdout) AND `certs/root_ca.crt` somewhere on the AD-CS server
- Run on the AD-CS server:

```shell
certutil -installcert C:\cert.crt          # Install the signed certificate in AD-CS
certutil -f -dspublish C:\root.crt RootCA  # Publish the root CA in AD
```

- Optionally remove the root and intermediate certificate files, as they are now imported into the store
- Start AD-CS
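The CSR hand-off above is where things usually go wrong: Windows tools emit CRLF line endings and a trailing blank line that `step` rejects, and nothing checks the issued certificate before it is installed on AD-CS. The following helper script is an added example, not part of the original page or of the smallstep project; it cleans the CSR before `step certificate sign` and verifies the result chains to the root with `CA:TRUE` before it is copied over. File paths (`certs/ad.csr`, `certs/ad.crt`, `certs/root_ca.crt`) are assumptions following the page's layout, and the sample CSR content is constructed, not a real request.

```shell
#!/bin/sh
# Added example (not from the original page): prepare an AD-CS CSR for
# `step certificate sign` and check the issued intermediate before install.

# Strip CRLF endings and trailing blank lines, which `step` may refuse.
# $1: input CSR, $2: cleaned output CSR
clean_csr() {
  tr -d '\r' < "$1" | awk '
    { lines[NR] = $0; if ($0 != "") last = NR }
    END { for (i = 1; i <= last; i++) print lines[i] }
  ' > "$2"
}

# Number of lines in a file, trimmed (macOS wc pads with spaces).
line_count() { wc -l < "$1" | tr -d ' '; }

# Write a constructed, Windows-style CSR (CRLF, two trailing blank lines)
# to $1 so the cleanup can be exercised offline. Not a real CSR.
make_sample_csr() {
  printf '%s\r\n' \
    '-----BEGIN CERTIFICATE REQUEST-----' \
    'MIIBconstructedSampleNotARealCsr' \
    '-----END CERTIFICATE REQUEST-----' \
    '' ''  > "$1"
}

# Check that an issued certificate ($1) chains to the root ($2) and is
# marked as a CA, i.e. the intermediate-ca profile was actually applied.
# Requires openssl; returns non-zero on any failure.
verify_intermediate() {
  openssl verify -CAfile "$2" "$1" > /dev/null || return 1
  openssl x509 -in "$1" -noout -ext basicConstraints | grep -q 'CA:TRUE'
}

main() {
  clean_csr certs/ad.csr certs/ad.clean.csr   # assumed paths
  step certificate sign --profile intermediate-ca \
    certs/ad.clean.csr certs/root_ca.crt secrets/root_ca_key > certs/ad.crt
  verify_intermediate certs/ad.crt certs/root_ca.crt \
    && echo "certs/ad.crt verified, safe to copy to the AD-CS server"
}

# Only run the full flow when executed directly, not when sourced.
[ "${0##*/}" = "prepare_ad_csr.sh" ] && main
```

Run `main` only on the `step-ca` container where `step` and the root key are available; `clean_csr` and `verify_intermediate` work anywhere with `openssl`.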