Notes **Under Construction**

Configure Step-CA to Serve Requests via CNAME

2026-01-05 03:00:21-08:00

Using a CNAME for a Certificate Authority abstracts its access point from the underlying server, letting you use a memorable URL now and migrate the CA to another host later without reconfiguring clients.

The configuration below allows access by IP, hostname, or CNAME; adjust it to match your environment.

  1. Modify `$(step path)/config/ca.json` with your host information. step-ca issues its own TLS server certificate from this list, so every name clients will use must appear here.

     ```json
     "dnsNames": [ "<LOOPBACK IP>", "<IP>", "<FQDN>", "<CNAME>" ],
     ```

  2. Modify `$(step path)/config/defaults.json` with your host information. `ca-url` is a single string, so set it to the address clients should use by default (typically the CNAME) and pass `--ca-url` on the command line when you need a different one.

     ```json
     "ca-url": "https://<CNAME>",
     ```

  3. Restart the step-ca service.

     ```bash
     sudo systemctl restart step-ca
     ```

  4. Verify the configuration.

     ```bash
     step ca health --ca-url https://<IP|FQDN|CNAME> --root <path_to_root_cert>
     ```

An `ok` response means your step-ca instance is now accessible via the supplied URI.


Create a Ubuntu Cloud-init Template on Proxmox

2026-01-05 03:00:21-08:00

This guide walks through creating an Ubuntu cloud-init virtual machine template on Proxmox VE using Ubuntu’s official cloud images. The process builds a minimal, preconfigured base VM with the QEMU Guest Agent installed and cloud-init enabled, then converts it into a reusable template.

Using a cloud-init template allows you to rapidly provision consistent Ubuntu VMs without manual installation. Each cloned VM can be customized at deploy time (hostname, users, SSH keys, networking) while sharing the same clean base image.

1. Install image customization tools

Install the tools needed to modify offline disk images.

```bash
apt-get install libguestfs-tools
```

2. Download the Ubuntu cloud image

Download the official Ubuntu 24.04 (Noble) cloud image, which ships with cloud-init preconfigured.

```bash
wget https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img
```

The latest images are available at https://cloud-images.ubuntu.com/

3. Inject QEMU guest agent into the image

Add the QEMU Guest Agent so Proxmox can manage power state, IP reporting, and backups.

```bash
virt-customize -a noble-server-cloudimg-amd64.img --install qemu-guest-agent
```

4. Create the VM shell in Proxmox

Create an empty VM definition that will become the template.

```bash
qm create 9000 --name "ubuntu-noble-cloudinit-template" --memory 2048 --net0 virtio,bridge=vmbr0
```

5. Rename the cloud image

Proxmox expects the .qcow2 file extension.

```bash
mv noble-server-cloudimg-amd64.img noble-server-cloudimg-amd64.qcow2
```

6. Import the disk into Proxmox storage

Import the cloud image into Proxmox storage for use by the VM.

```bash
qm importdisk 9000 noble-server-cloudimg-amd64.qcow2 local-lvm
```

7. Attach disk and enable cloud-init

Attach the OS disk, make it the boot device, and add the cloud-init drive.

```bash
qm set 9000 --scsihw virtio-scsi-pci --scsi0 local-lvm:vm-9000-disk-0
qm set 9000 --boot order=scsi0
qm set 9000 --ide2 local-lvm:cloudinit
```

8. Enable QEMU agent and serial console (recommended)

Enable guest communication and console access.

```bash
qm set 9000 --agent enabled=1
qm set 9000 --serial0 socket --vga serial0
```

9. Convert the VM into a template

Finalize the VM as a reusable cloud-init template.

```bash
qm template 9000
```


You now have a clean Ubuntu cloud-init template ready for cloning and customization via Proxmox, Terraform, or other automation tools.
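The whole procedure above, collected into one parameterised script, as an added example that is not part of the original note. It goes one step beyond the note by verifying the downloaded image against Ubuntu's published SHA256SUMS before anything is injected into it or imported into Proxmox, so a corrupted or tampered download never becomes the base of every clone. It assumes a Proxmox VE host with `qm`, `wget`, `sha256sum` and `virt-customize` available; the `run` wrapper, `DRY_RUN` and `RUN_BUILD` variables are conventions of this script, not of Proxmox.

```shell
#!/bin/sh
# Added example (not from the original note): builds the cloud-init template
# described above as one re-runnable script. Assumptions: runs on a Proxmox
# VE host as root; set DRY_RUN=1 to print the commands instead of running them.
set -eu

IMAGE_BASE_URL="https://cloud-images.ubuntu.com/noble/current"
IMAGE_NAME="noble-server-cloudimg-amd64.img"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Fetch the image and its published SHA256SUMS file and verify the download
# before it is modified or imported. --ignore-missing checks only the file
# we actually downloaded rather than every image listed in SHA256SUMS.
fetch_and_verify_image() {
    run wget -q "$IMAGE_BASE_URL/$IMAGE_NAME"
    run wget -q "$IMAGE_BASE_URL/SHA256SUMS"
    run sha256sum -c --ignore-missing SHA256SUMS
}

# build_template VMID NAME STORAGE BRIDGE
# Mirrors steps 3 to 9 of the note; every command goes through run().
build_template() {
    vmid="$1"; name="$2"; storage="$3"; bridge="$4"
    qcow="${IMAGE_NAME%.img}.qcow2"

    fetch_and_verify_image
    run virt-customize -a "$IMAGE_NAME" --install qemu-guest-agent
    run qm create "$vmid" --name "$name" --memory 2048 --net0 "virtio,bridge=$bridge"
    run mv "$IMAGE_NAME" "$qcow"
    run qm importdisk "$vmid" "$qcow" "$storage"
    run qm set "$vmid" --scsihw virtio-scsi-pci --scsi0 "$storage:vm-$vmid-disk-0"
    run qm set "$vmid" --boot order=scsi0
    run qm set "$vmid" --ide2 "$storage:cloudinit"
    run qm set "$vmid" --agent enabled=1
    run qm set "$vmid" --serial0 socket --vga serial0
    run qm template "$vmid"
}

# Number of commands in the plan, computed from a dry run (sanity check
# before running for real on a host).
plan_line_count() {
    ( DRY_RUN=1; build_template "$@" ) | wc -l | tr -d ' '
}

# Only build when explicitly asked, so the file can be sourced safely.
if [ "${RUN_BUILD:-0}" = "1" ]; then
    build_template "${VMID:-9000}" "${VM_NAME:-ubuntu-noble-cloudinit-template}" \
        "${STORAGE:-local-lvm}" "${BRIDGE:-vmbr0}"
fi
```

Run `DRY_RUN=1 RUN_BUILD=1 sh build-template.sh` first to review the exact `qm` commands the script will issue for your VMID and storage, then drop `DRY_RUN` to build the template.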


Deploy Root and Intermediate Certificate Authority Certificates through Group Policy

2026-01-05 03:00:21-08:00

These instructions assume you already have both the root and intermediate certificates from your CA.

Create a GPO to Deploy the Certificates

  1. Open the Group Policy Object Editor
  2. Right-click on Group Policy Objects for the desired domain and click New. Name the GPO something descriptive like "Deploy Root and Intermediate Certificates".

Add the Root Certificate

  1. Right-click on Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities and select "Import".
  2. Browse to your root certificate and click "Next".

Add the Intermediate Certificate

  1. Right-click on Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Intermediate Certification Authorities and select "Import". The intermediate belongs in this store, not in Trusted Root Certification Authorities, so that only the root acts as a trust anchor.
  2. Browse to your intermediate certificate and click "Next".

Link the GPO

  1. Close the GPO editor, right-click the domain or OU you wish to deploy the certificates to, select "Link an Existing GPO...", then choose the GPO you just created.

You can now either wait for group policy to update or run "gpupdate /force" on clients.


Deploy a Standalone Certificate Authority (Step-CA) on Debian-based Distros

2026-01-05 03:00:21-08:00

1. Install Prerequisites and step-ca Packages

Install required system tools, add the Smallstep APT repo, and install step-ca and step-cli.

```bash
apt-get update && apt-get install -y --no-install-recommends curl gpg ca-certificates
curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg -o /etc/apt/trusted.gpg.d/smallstep.asc && \
  echo 'deb [signed-by=/etc/apt/trusted.gpg.d/smallstep.asc] https://packages.smallstep.com/stable/debian debs main' \
  | tee /etc/apt/sources.list.d/smallstep.list
apt-get update && apt-get -y install step-cli step-ca
```

2. Initialize the Certificate Authority

Run the interactive initialization to generate CA keys, certificates, and config.

```bash
step ca init
```

Review the available options in the official guide:
https://smallstep.com/docs/step-ca/getting-started/

Optionally, add an ACME provisioner so clients can request certificates with standard ACME tooling:

```bash
step ca provisioner add acme --type ACME
```

3. Verify step-ca Can Bind to Privileged Ports

Grant permission to bind to ports below 1024, then start step-ca in the foreground to confirm it comes up (stop it with Ctrl+C afterwards).

```bash
sudo setcap CAP_NET_BIND_SERVICE=+eip $(which step-ca)
step-ca
```

4. Create a Dedicated System User

Create a locked-down system user to run the CA service.

```bash
sudo useradd --system --home /etc/step-ca --shell /bin/false step
```

5. Set Capabilities for step-ca Binary

Reapply the capability to ensure it persists for the service.

```bash
sudo setcap CAP_NET_BIND_SERVICE=+eip $(which step-ca)
```

6. Move CA Data to a System Location

Create the target directory and move the generated CA files.

```bash
sudo mkdir /etc/step-ca && sudo mv $(step path)/* /etc/step-ca
```

7. Fix Ownership and Permissions

Ensure the CA user owns all files.

```bash
sudo chown -R step:step /etc/step-ca
```

8. Store the CA Key Password

Save the password used during `step ca init` for unattended startup. Write it through `tee` so the redirect runs as root (a plain `sudo echo ... > file` redirects as your own user), then make the file readable only by the CA user.

```bash
PASSWORD="<YOUR GENERATED KEY>"
echo "$PASSWORD" | sudo tee /etc/step-ca/password.txt > /dev/null
sudo chown step:step /etc/step-ca/password.txt && sudo chmod 600 /etc/step-ca/password.txt
```

9. Update Config Paths

Update configuration files to reference /etc/step-ca. The pattern replaces only the leading `.step` directory of each quoted path, so the rest of the path (for example `certs/root_ca.crt`) is preserved.

```bash
sudo sed -Ei 's|"/[^"]*\.step/|"/etc/step-ca/|g' /etc/step-ca/config/{defaults.json,ca.json}
```
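Steps 6 through 9 as one script, added here as an example that is not part of the original note. It keeps the tail of each rewritten path, creates the password file with mode 0600 from the first write rather than tightening it afterwards, and finishes with a check that no stale `.step` path survived and the password file is not readable by other users. It assumes a Debian host with GNU `sed` and `stat`, a service account named `step` (override with `CA_USER`), and the key password supplied in `STEP_CA_PASSWORD`; `rewrite_step_paths`, `write_password_file`, `check_layout` and the `RUN_RELOCATE` switch are names used only by this script.

```shell
#!/bin/sh
# Added example, not part of the original note: relocates a freshly
# initialised step-ca tree into /etc/step-ca (steps 6 to 9 above).
# Assumptions: Debian with GNU sed and stat; the service account is "step"
# (override with CA_USER); the key password is supplied in STEP_CA_PASSWORD.
set -eu

CA_USER="${CA_USER:-step}"

# rewrite_step_paths CONFIG_DIR NEW_STEPPATH
# Only the leading ".../.step/" part of each quoted path is replaced, so
# "/root/.step/certs/root_ca.crt" becomes "NEW_STEPPATH/certs/root_ca.crt"
# instead of being truncated to "NEW_STEPPATH/".
rewrite_step_paths() {
    cfg_dir="$1"; new_path="$2"
    sed -Ei "s|\"/[^\"]*\\.step/|\"$new_path/|g" \
        "$cfg_dir/ca.json" "$cfg_dir/defaults.json"
}

# write_password_file PASSWORD DEST
# The umask in a subshell makes the file 0600 from creation, so the secret
# is never world-readable even briefly. Ownership is handed to the CA user
# when running as root and that user exists.
write_password_file() {
    pw="$1"; dest="$2"
    ( umask 077; printf '%s\n' "$pw" > "$dest" )
    chmod 600 "$dest"
    if [ "$(id -u)" = "0" ] && id "$CA_USER" >/dev/null 2>&1; then
        chown "$CA_USER:$CA_USER" "$dest"
    fi
}

# check_layout CONFIG_DIR PASSWORD_FILE
# Prints "ok" and returns 0 when no ".step/" path remains in the configs and
# the password file is mode 600; otherwise reports each problem and returns 1.
check_layout() {
    cfg_dir="$1"; pw_file="$2"; status=0
    if grep -q '\.step/' "$cfg_dir/ca.json" "$cfg_dir/defaults.json"; then
        echo "stale .step paths remain under $cfg_dir"; status=1
    fi
    mode="$(stat -c %a "$pw_file")"
    if [ "$mode" != "600" ]; then
        echo "$pw_file has mode $mode, expected 600"; status=1
    fi
    [ "$status" -eq 0 ] && echo ok
    return "$status"
}

# Full relocation, run only when explicitly requested (RUN_RELOCATE=1, as root).
if [ "${RUN_RELOCATE:-0}" = "1" ]; then
    mkdir -p /etc/step-ca
    mv "$(step path)"/* /etc/step-ca
    chown -R "$CA_USER:$CA_USER" /etc/step-ca
    write_password_file "$STEP_CA_PASSWORD" /etc/step-ca/password.txt
    rewrite_step_paths /etc/step-ca/config /etc/step-ca
    check_layout /etc/step-ca/config /etc/step-ca/password.txt
fi
```

Run it as `sudo env RUN_RELOCATE=1 STEP_CA_PASSWORD='<YOUR GENERATED KEY>' sh relocate-step-ca.sh` on the CA host; `check_layout` can also be run on its own later as a quick audit of an existing installation.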

10. Create the systemd Service

Create the service unit file.

```bash
sudo nano /etc/systemd/system/step-ca.service
```

Paste the following contents:

```ini
[Unit]
Description=step-ca service
Documentation=https://smallstep.com/docs/step-ca
Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
After=network-online.target
Wants=network-online.target
StartLimitIntervalSec=30
StartLimitBurst=3
ConditionFileNotEmpty=/etc/step-ca/config/ca.json
ConditionFileNotEmpty=/etc/step-ca/password.txt

[Service]
Type=simple
User=step
Group=step
Environment=STEPPATH=/etc/step-ca
WorkingDirectory=/etc/step-ca
ExecStart=/usr/bin/step-ca config/ca.json --password-file password.txt
ExecReload=/bin/kill --signal HUP $MAINPID
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=30
StartLimitBurst=3

AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
SecureBits=keep-caps
NoNewPrivileges=yes

ProtectSystem=full
ProtectHome=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
PrivateTmp=true
PrivateDevices=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectKernelModules=true
LockPersonality=true
RestrictSUIDSGID=true
RemoveIPC=true
RestrictRealtime=true
SystemCallFilter=@system-service
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
ReadWriteDirectories=/etc/step-ca/db

[Install]
WantedBy=multi-user.target
```


11. Enable and Start the CA Service

Reload systemd, start the service, and verify its status.

```bash
sudo systemctl daemon-reload
sudo systemctl enable step-ca --now
sudo systemctl status step-ca
```


Hugo Deployment

2026-01-05 03:00:21-08:00

Quick Deploy

```powershell
choco install hugo-extended-withdeploy
hugo new site christophernanna-me
cd christophernanna-me
hugo server
```


Install Gemini-CLI on WSL2 Ubuntu

2026-01-05 03:00:21-08:00

Gemini CLI requires Node.js > v20. Grab the URI for the latest release from https://deb.nodesource.com.

Download and run the script that adds the NodeSource repository.

```bash
curl -fsSL https://deb.nodesource.com/<version>.x | sudo bash -
```

Install Node.js:

```bash
sudo apt-get install -y nodejs
```

Verify the installation:

```bash
node -v
```


Request a New Certificate from a Step-CA Certificate Authority

2026-01-05 03:00:21-08:00

Prior to requesting a new certificate, the requesting client needs to have step-cli installed and the root certificate imported.

  1. On the CA server, run the following command to obtain the root certificate's fingerprint.

     ```bash
     step certificate fingerprint /etc/step-ca/certs/root_ca.crt
     ```

  2. On the client, import the root certificate, pinning it to the fingerprint from step 1.

     ```bash
     step ca bootstrap --ca-url https://<FQDN> --fingerprint <FINGERPRINT>
     ```

  3. Run the certificate request.

     ```bash
     step ca certificate --ca-url https://<CA_FQDN> <REQUEST_FQDN>.crt <REQUEST_FQDN>.key --san <REQUEST_SAN_HOST> --san <REQUEST_SAN_DOMAIN>
     ```
