That's not the route I've taken.
This is for having each of your container "talking" directly and individually with step.
I use Traefik which "talks" with step and generate the certificates for each containers.
I'm sorry I can't really help you there.
Feel free to ask me if you want more info with how to use it with Traefik.
I used to used openssl but I switched to Step for this purpose :
https://smallstep.com/certificates/
It runs in docker, certificates generation is easy and the cherry on top: it can be used with Acme clients. All my internal services use it via traefik, new certificates are generated with no intervention whatsoever from my parts.