Feedback on a Self-signed SSL CA?

Sean Reifschneider jafo00 at gmail.com
Thu Jun 16 15:46:14 MDT 2022


easy-rsa is very good for the openvpn use case. The default setup is all
about creating certs with a CN, but (not really documented except in the
config file) there is an "org mode" where you can provide the other subject
fields (state, city, country, ...). It doesn't really support doing SANs
at all that I was able to see. I'm referring here to easy-rsa v3, the
older v2 was dramatically different, might have supported more of this sort
of use. v3 is really oriented towards openvpn, not surprising from its
github URL, eh?  :-)

There are a few other options as well:

- HashiCorp Vault can do PKI management
- CloudFlare cfssl (includes an HTTP API server)
- XCA (a Win/Mac desktop app)

On Thu, Jun 16, 2022 at 3:22 PM Stephen Warren <swarren at wwwdotorg.org>
wrote:

> On 6/11/22 11:18, Sean Reifschneider wrote:
> > At work we use self-signed certificates for internal and developer use.
> > I inherited some scripts that wrapped the openssl CLI but weren't
> > supporting new uses like the prevalence of Subject Alternative Names.
> >
> > So I reimagined it and have published what I have so far here:
> > https://github.com/linsomniac/rgca
> ...
> > Looking for feedback on the direction this is going in.
>
> I've always used easy-rsa for this. Does it support your use-case? It's
> possible it would benefit from some wrapper scripts to provide common
> options or make the interface friendlier, and I haven't used SANs with
> it, since I switched to Letsencrypt before needing SANs.
>
> https://github.com/OpenVPN/easy-rsa
>