
Local CA?

Open · singpolyma opened this issue 10 years ago · 1 comment

Would be nice if instead of self-signed there was an sslfie ca command to make a local CA and then use that for further invocations so all certs are signed with a local-only CA that could be reused.

singpolyma avatar Jul 06 '15 19:07 singpolyma

That would be cool. The main challenge I think would be to find a niche that's not already satisfied by existing tools, specifically:

One simplification that sslfie could offer over the existing tools is to focus on an extremely minimal interface that's geared solely for generating basic, cookie-cutter website certificates.

That said, I think to do the CA concept any justice, we need a few more verbs than just ca. Rather than try to extend the sslfie(1) script, which I think has usefulness in its almost logic-less simplicity, I'd want to create a new script installed alongside sslfie(1) that, for lack of a better term, I'm calling sslfie-pki(1).

A quick sketch of the verbs that sslfie-pki(1) could offer:

  • sslfie-pki [-o CA_CRT_PATH] [-k CA_KEY_PATH] ca — export CA certificate+key (to stdout by default)
    • any command that references the CA cert would first automatically generate a CA cert+key if it didn't exist
    • the CA cert+key would be stored in a user dotfile such as ~/.sslfie-ca (path overridable with an option)
  • sslfie-pki export — alias of sslfie-pki ca
  • sslfie-pki import — import a CA certificate+key and save to ~/.sslfie-ca
    • to make restoring from backup easy (or copying to another machine)
    • require -f flag if file already exists
  • sslfie-pki [-o CRT_PATH] [-k KEY_PATH] cert DOMAIN [DOMAIN2]... — generate a new website cert+key just like sslfie(1), but signed with the CA key
    • would need to support prompting for a password, so the user can encrypt the CA key if they want
  • sslfie-pki [-o CSR_PATH] [-k KEY_PATH] req DOMAIN [DOMAIN2]... — generate a certificate request
    • so the CA machine doesn't need to know the cert key, like a real PKI
    • only intended for use with sslfie-pki sign
  • sslfie-pki [-o CRT_PATH] sign CSR_PATH — generate a certificate from a certificate request

Feedback on my interface proposal is welcome. If people think it would be useful, I could try to make it happen.

mkropat avatar Jul 06 '15 23:07 mkropat
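The ca / req / sign workflow sketched above, written out as plain openssl calls in POSIX sh. This is an added example, not sslfie's code or the proposal author's; the function names, the SSLFIE_CA_DIR stand-in for ~/.sslfie-ca and the extension choices are assumptions, and password-protecting the CA key is left out.

```shell
#!/bin/sh
# Constructed sketch of the proposed sslfie-pki verbs (ca / req / sign) as plain
# openssl calls. Not sslfie's code; paths, function names and the CA dir are assumed.
set -eu

CA_DIR="${SSLFIE_CA_DIR:-$(mktemp -d)}"   # stand-in for ~/.sslfie-ca

# "ca": create the local CA key+cert on first use, reuse it afterwards.
sslfie_pki_ca() {
    [ -f "$CA_DIR/ca.key" ] && [ -f "$CA_DIR/ca.crt" ] && return 0
    mkdir -p "$CA_DIR"
    # Explicit config so the CA extensions do not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' 'CN = sslfie local CA' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' >"$CA_DIR/ca.cnf"
    openssl req -x509 -config "$CA_DIR/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" >/dev/null 2>&1
}

# "req": leaf key + CSR with every domain as a DNS SAN; the CA never sees this key.
sslfie_pki_req() {   # usage: sslfie_pki_req KEY_OUT CSR_OUT DOMAIN [DOMAIN2]...
    key=$1; csr=$2; shift 2
    sans=$(printf 'DNS:%s,' "$@"); sans=${sans%,}
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$key" -out "$csr" \
        -subj "/CN=$1" -addext "subjectAltName=$sans" >/dev/null 2>&1
}

# "sign": issue a server cert from the CSR. Extensions come from our own extfile and
# are never copied from the CSR, so a CSR asking for CA:TRUE still gets a leaf cert.
sslfie_pki_sign() {   # usage: sslfie_pki_sign CSR_IN CRT_OUT
    sslfie_pki_ca
    sans=$(openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | paste -s -d ',' -)
    ext=$(mktemp)
    printf '%s\n' 'basicConstraints = critical,CA:FALSE' 'keyUsage = digitalSignature,keyEncipherment' \
        'extendedKeyUsage = serverAuth' "subjectAltName = $sans" >"$ext"
    openssl x509 -req -in "$1" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -days 825 -sha256 -extfile "$ext" -out "$2" >/dev/null 2>&1
    rm -f "$ext"
}

# Check that a cert chains to the local CA and carries the given DNS SAN (0 = ok).
sslfie_pki_verify() {   # usage: sslfie_pki_verify CRT DOMAIN
    openssl verify -CAfile "$CA_DIR/ca.crt" "$1" >/dev/null 2>&1 &&
        openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | grep -qx "DNS:$2"
}
```

Anything that trusts the CA only needs ca.crt; ca.key stays on the signing machine, which is the split the req/sign verbs are meant to allow.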