Feedback on a Self-signed SSL CA?

Sean Reifschneider jafo00 at gmail.com
Sat Oct 1 00:18:20 MDT 2022


I just wanted to follow up on this and show off the new version of my
self-signed cert/CA tool: https://github.com/linsomniac/rgca

It's meant to be a much simpler and more intuitive alternative to the openssl
CLI, for the use case of generating self-signed certs, but it also has a
lot of powerful additions such as:

- Run a script before/after generating a cert (we use this to vault encrypt
and commit the certs to an Ansible repo).
- Easily generate a new cert based off an existing cert (say, if you wanted
to add a SAN to an existing cert, or bump up the expiration date).
- Settings can be specified on the CLI or in the environment or in config
files.
- Config groups allow easily switching between common settings
("webserver", "developer", etc...)

I use it regularly at work, because we have several clusters of "internal"
machines and services that we secure via TLS but don't want to use the
LetsEncrypt process to issue.  So it's gotten a fair bit of use.  At this
point I'm calling it done, though it is missing CSR functions.  I'd like to
add them, but we don't use them in our workflow at work very often.

On Sat, Jun 11, 2022 at 11:18 AM Sean Reifschneider <jafo00 at gmail.com>
wrote:

> At work we use self-signed certificates for internal and developer use.  I
> inherited some scripts that wrapped the openssl CLI but weren't supporting
> new uses like the prevalence of Subject Alternative Names.
>
> So I reimagined it and have published what I have so far here:
> https://github.com/linsomniac/rgca
>
> With an appropriate config file, the typical use would be:
>
>     rgca ca new example.com
>     rgca cert new user1.example.com
>     rgca cert new --san test.example.com --san test2.example.com
> user2.example.com
>
> Basically everything can be configured by settings in (possibly multiple)
> config files, environment variables, and CLI options.  Expected use is that
> things like the subject values (country, state, locality, email) are set in
> the config file, so the CLI can be short.  Instead of:
>
>     rgca cert new --C US --ST Colorado --L Fort Collins [...]
>
> It should be compatible with existing CA setups with OpenSSL CLI tools; it
> writes the "serial" and "index.txt" files.
>
> Looking for feedback on the direction this is going in.
>
> Thanks,
> Sean
>
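The workflow the thread describes (create a CA, issue a leaf cert with SANs, reissue an existing cert with an extra SAN, and keep OpenSSL-style "serial" and "index.txt" state) is small enough to show end to end. The following is an added example written for this post; it is not rgca's code and uses Go's standard crypto/x509 package in place of the openssl CLI. The names MiniCA, Issue, Reissue and VerifyFor are this example's own, the hostnames are taken from the commands quoted above, and the index.txt line layout follows OpenSSL's (status, expiry, revocation date, hex serial, file name, subject).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MiniCA is an in-memory CA: its certificate, private key, the next serial to
// hand out (the role of OpenSSL's "serial" file) and one line per issued
// certificate in the layout of OpenSSL's "index.txt". (Example type, not rgca's.)
type MiniCA struct {
	Cert   *x509.Certificate
	Key    *ecdsa.PrivateKey
	Serial int64
	Index  []string
}

// NewCA creates a self-signed CA certificate, the "rgca ca new example.com" step.
func NewCA(cn string, validity time.Duration) (*MiniCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example Internal CA"}},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(validity),
		IsCA:                  true, // only this cert may sign others
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &MiniCA{Cert: cert, Key: key, Serial: 2}, nil
}

// Issue signs a leaf certificate, the "rgca cert new --san ... cn" step. The CN
// is always added to the SAN list because modern verifiers ignore the CN field,
// and the leaf is explicitly marked non-CA and limited to TLS authentication.
func (ca *MiniCA) Issue(cn string, sans []string, validity time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(ca.Serial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              addUnique(append([]string(nil), sans...), cn),
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(validity),
		IsCA:                  false,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	ca.Serial++
	// index.txt columns: status, expiry (YYMMDDHHMMSSZ), revocation date (empty
	// while valid), serial in hex, certificate file name ("unknown"), subject.
	ca.Index = append(ca.Index, fmt.Sprintf("V\t%sZ\t\t%02X\tunknown\t/CN=%s",
		cert.NotAfter.UTC().Format("060102150405"), cert.SerialNumber, cn))
	return cert, key, nil
}

// Reissue is "a new cert based off an existing cert": same CN and SANs as old,
// plus extraSANs, with a fresh key, serial and expiry.
func (ca *MiniCA) Reissue(old *x509.Certificate, extraSANs []string, validity time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	sans := append([]string(nil), old.DNSNames...)
	for _, s := range extraSANs {
		sans = addUnique(sans, s)
	}
	return ca.Issue(old.Subject.CommonName, sans, validity)
}

// VerifyFor reports whether leaf chains to this CA and is valid for hostname,
// the same check a TLS client performs against the CA it trusts.
func (ca *MiniCA) VerifyFor(leaf *x509.Certificate, hostname string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func addUnique(list []string, s string) []string {
	for _, v := range list {
		if v == s {
			return list
		}
	}
	return append(list, s)
}

func main() {
	ca, _ := NewCA("example.com", 365*24*time.Hour)
	leaf, _, _ := ca.Issue("user2.example.com", []string{"test.example.com"}, 90*24*time.Hour)
	renewed, _, _ := ca.Reissue(leaf, []string{"test2.example.com"}, 90*24*time.Hour)
	fmt.Println("old SANs:", leaf.DNSNames, "new SANs:", renewed.DNSNames)
	fmt.Println("test2 against old cert:", ca.VerifyFor(leaf, "test2.example.com"))
	fmt.Println("test2 against new cert:", ca.VerifyFor(renewed, "test2.example.com"))
	for _, line := range ca.Index {
		fmt.Println(line)
	}
}
```

Two choices worth noting for anyone wrapping openssl the same way: the leaf carries BasicConstraints CA:FALSE and a restricted Extended Key Usage, so a stolen service cert cannot be used to mint further certs, and the CN is duplicated into the SAN list, since clients that follow RFC 6125 (Go, browsers) match hostnames against SANs only.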