Local CA? #1

Open
singpolyma opened this issue Jul 6, 2015 · 1 comment
Comments

@singpolyma

Would be nice if instead of self-signed there was an sslfie ca command to make a local CA and then use that for further invocations so all certs are signed with a local-only CA that could be reused.

@mkropat
Owner

mkropat commented Jul 6, 2015

That would be cool. The main challenge I think would be to find a niche that's not already satisfied by existing tools, specifically:

One simplification that sslfie could offer over the existing tools is to focus on an extremely minimal interface that's geared solely for generating basic, cookie-cutter website certificates.

That said, I think to do the CA concept any justice, we need a few more verbs than just ca. Rather than try to extend the sslfie(1) script, which I think has usefulness in its almost logic-less simplicity, I'd want to create a new script installed alongside sslfie(1) that for lack of a better term I'm calling sslfie-pki(1).

A quick sketch of the verbs that sslfie-pki(1) could offer:

  • sslfie-pki [-o CA_CRT_PATH] [-k CA_KEY_PATH] ca — export CA certificate+key (to stdout by default)
    • any command that references the CA cert would first automatically generate a CA cert+key if it didn't exist
    • the CA cert+key would be stored in a user dotfile such as ~/.sslfie-ca (path overridable with an option)
  • sslfie-pki export — alias of sslfie-pki ca
  • sslfie-pki import — import a CA certificate+key and save to ~/.sslfie-ca
    • to make restoring from backup easy (or copying to another machine)
    • require -f flag if file already exists
  • sslfie-pki [-o CRT_PATH] [-k KEY_PATH] cert DOMAIN [DOMAIN2]... — generate a new website cert+key just like sslfie(1), but sign with the CA key
    • would need to support prompting for a password, so the user can encrypt the CA key if they want
  • sslfie-pki [-o CSR_PATH] [-k KEY_PATH] req DOMAIN [DOMAIN2]... — generate a certificate request
    • so the CA machine doesn't need to know the cert key, like a real PKI
    • only intended for use with sslfie-pki sign
  • sslfie-pki [-o CRT_PATH] sign CSR_PATH — generate a certificate from a certificate request

Feedback on my interface proposal is welcome. If people think it would be useful, I could try to make it happen.
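As an added example (not code from sslfie or from the proposal above), here is the ca / req / sign flow from that sketch done directly with openssl(1), so the division of labour between the CA machine and the web server is visible; every path, function name and `.test` domain below is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the sslfie project: the ca / req / sign
# verbs sketched in the proposal, implemented with plain openssl(1).
set -eu

# "ca": create the local CA cert+key. Extensions come from a config
# file so this also works on OpenSSL releases that lack -addext.
make_ca() {  # $1 = directory that will hold ca.key and ca.crt
  d=$1; mkdir -p "$d"
  cat >"$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = sslfie local CA (example placeholder)
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$d/ca.cnf" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  chmod 600 "$d/ca.key"   # the CA key is the only secret in this scheme
}

# "req": site key + CSR. Needs no access to the CA key, so it can run on
# the web server while ca.key never leaves the CA machine.
make_req() {  # $1 = output dir, $2... = domains; the first becomes the CN
  d=$1; shift; mkdir -p "$d"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null
}

# "sign": issue a leaf cert from a CSR. SANs are set here by the signer,
# since x509 -req does not copy the CSR's requested extensions by default.
sign_req() {  # $1 = CA dir, $2 = CSR path, $3 = output cert, $4... = domains
  ca=$1; csr=$2; out=$3; shift 3
  san=$(printf 'DNS:%s,' "$@" | sed 's/,$//')
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' "$san" >"$out.ext"
  openssl x509 -req -in "$csr" -CA "$ca/ca.crt" -CAkey "$ca/ca.key" \
    -CAcreateserial -days 825 -extfile "$out.ext" -out "$out" 2>/dev/null
}

# Check that a cert chains to the local CA and names the given domain.
verify_cert() {  # $1 = CA dir, $2 = cert path, $3 = domain it must cover
  openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1 &&
  openssl x509 -in "$2" -noout -text 2>/dev/null | grep -q "DNS:$3"
}
```

Anything that trusts ca.crt will accept every certificate ca.key ever signs, which is why the key gets mode 0600 and only the CSR, never the key, travels between machines.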
