That would be cool. The main challenge I think would be to find a niche that's not already satisfied by existing tools, specifically:

One simplification that sslfie could offer over the existing tools is to focus on an extremely minimal interface that's geared solely for generating basic, cookie-cutter website certificates.

That said, I think to do the CA concept any justice, we need a few more verbs than just ca. Rather than try to extend the sslfie(1) script, which I think has usefulness in its almost logic-less simplicity, I'd want to create a new script installed alongside sslfie(1) that for lack of a better term I'm calling sslfie-pki(1).

A quick sketch of the verbs that sslfie-pki(1) could offer:

sslfie-pki [-o CA_CRT_PATH] [-k CA_KEY_PATH] ca — export CA certificate+key (to stdout by default)
- any command that references the CA cert, would first automatically generate a CA cert+key if it didn't exist
- the CA cert+key would be stored in a user dotfile such as ~/.sslfie-ca (path overridable with an option)
sslfie-pki export — alias of sslfie-pki ca
sslfie-pki import — import a CA certificate+key and save to ~/.sslfie-ca
- to make restoring from backup easy (or copying to another machine)
- require -f flag if file already exists
sslfie-pki [-o CRT_PATH] [-k KEY_PATH] cert DOMAIN [DOMAIN2]... — generate a new website cert+key just like sslfie(1), but sign with the CA key
- would need to support prompting for a password, so the user can encrypt the CA key if they want
sslfie-pki [-o CSR_PATH] [-k KEY_PATH] req DOMAIN [DOMAIN2]... — generate a certificate request
- so the CA machine doesn't need to know the cert key, like a real PKI
- only intended for use with sslfie-pki sign
sslfie-pki [-o CRT_PATH] sign CSR_PATH — generate a certificate from a certificate request

Feedback on my interface proposal is welcome. If people think it would be useful, I could try to make it happen.

Local CA? #1

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions