Do I need smallstep-ca or just smallstep-cli

[callahan22]

I've finally decided to do something about the huge number of internal sites and devices that use self signed certs. I'm looking for a simple CA that I can pass CSRs to, get them signed, grab the cert and install. I've used a combo of OpenSSL for generating CSRs and Windows CA Server to sign them for years through work so just looking for a simpler setup for home.
I assumed I needed smallstep-ca which I plan to run via docker so thats set up and running as per the below. * I realise we're not supposed to be setting passwords as env variables. I'm jut trying to get it working for now.

  smallstep-ca:
    container_name: smallstep-ca
    image: smallstep/step-ca:latest
    restart: unless-stopped
    volumes:
      - ./smallstep-ca:/home/step
    ports:
      - "9000:9000"
    environment:
      - "DOCKER_STEPCA_INIT_NAME=Smallstep"
      - "DOCKER_STEPCA_INIT_DNS_NAMES=localhost,$(hostname -f)"
      - "DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT=true"
      - "DOCKER_STEPCA_INIT_PROVISIONER_NAME=admin"
      - "DOCKER_STEPCA_INIT_PASSWORD=a5h19YG4PdY_2uq!7-k"

Then I've read here that smallstep-ca is not required to run a CA: https://smallstep.com/docs/step-cli/#introduction-to-step

Examples that don't require step-ca
Create and work with X.509 certificates](https://smallstep.com/docs/step-cli/basic-crypto-operations/#create-and-work-with-x509-certificates)

https://smallstep.com/docs/step-cli/basic-crypto-operations/#create-a-certificate-authority
You can use it to create certificate signing requests (CSRs), sign CSRs, create self-signed certificates (e.g., a root certificate authority), create leaf or intermediate CA certificates, validate and inspect certificates, renew certificates, generate certificate bundles, and to key-wrap private keys.

So the first question I have is which should I be running? Experience tells me that I will definitely need a CA as that's how I've worked for years.

Second question is, assuming I'm going the CA Server route via docker, once i have it running, how do I submit a CSR for signing? I'm finding mixed resources and none of them seem to offer a simple set of steps to submit a CSR and get the resulting certificate.

Thanks for any advice you can offer!

[callahan22]

Ended up following the guide here: https://blog.xentoo.info/2021/09/12/running-a-pki-using-smallstep-certificates-with-docker

Am getting an error that I cannot trace down though when trying to issue a cert for a host:

error="error applying certificate template: invalid character '&' looking for beginning of value at offset 377"

If anyone can decipher the above, I'd be happy to get some pointers.

[tashian]

The step CLI tool can be used to run a local, offline CA. That's great if you just need to issue a certificate manually every once in a while. But, given that you have a "huge number of internal sites and devices" that need certificates, a step-ca server is likely your best bet.

once i have it running, how do I submit a CSR for signing?

Clients can get certificate by running the step ca sign command. See Sign a Certificate Signing Request (CSR).

Or you can do the entire operation — generate and sign a CSR all at once — using the step ca certificate command.

We designed step-ca for automation. So, down the road, instead of manually signing each CSR, you could add an ACME provisioner to your CA, and your internal websites and devices can get certificates on their own from your CA, using ACME or another of our certificate provisioner types.

Hope this helps!