<div dir="ltr"><div>I just wanted to follow up on this and show off the new version of my self-signed cert/CA tool: <a href="https://github.com/linsomniac/rgca">https://github.com/linsomniac/rgca</a></div><div><br></div><div>It's meant to be a much simpler and more intuitive alternative to the openssl CLI, for the use case of generating self-signed certs, but it also has a lot of powerful additions such as:</div><div><br></div><div>- Run a script before/after generating a cert (we use this to vault encrypt and commit the certs to an Ansible repo).</div><div>- Easily generate a new cert based off an existing cert (say, if you wanted to add a SAN to an existing cert, or bump up the expiration date).</div><div>- Settings can be specified on the CLI or in the environment or in config files.</div><div>- Config groups allow easily switching between common settings ("webserver", "developer", etc.).</div><div><br></div><div>I use it regularly at work, because we have several clusters of "internal" machines and services that we secure via TLS but don't want to use the LetsEncrypt process to issue. So it's gotten a fair bit of use. At this point I'm calling it done, though it is missing CSR functions. I'd like to add them, but we don't use them in our workflow at work very often.<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Jun 11, 2022 at 11:18 AM Sean Reifschneider <<a href="mailto:jafo00@gmail.com">jafo00@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>At work we use self-signed certificates for internal and developer use. 
I inherited some scripts that wrapped the openssl CLI but weren't supporting new uses like the prevalence of Subject Alternative Names.</div><div><br></div><div>So I reimagined it and have published what I have so far here: <a href="https://github.com/linsomniac/rgca" target="_blank">https://github.com/linsomniac/rgca</a></div><div><br></div><div>With an appropriate config file, the typical use would be:</div><div><br></div><div> rgca ca new <a href="http://example.com" target="_blank">example.com</a></div><div> rgca cert new <a href="http://user1.example.com" target="_blank">user1.example.com</a></div><div> rgca cert new --san <a href="http://test.example.com" target="_blank">test.example.com</a> --san <a href="http://test2.example.com" target="_blank">test2.example.com</a> <a href="http://user2.example.com" target="_blank">user2.example.com</a></div><div><br></div><div>Basically everything can be configured by settings in (possibly multiple) config files, environment variables, and CLI options. Expected use is that things like the subject values (country, state, locality, email) are set in the config file, so the CLI can be short. Instead of:</div><div><br></div><div> rgca cert new --C US --ST Colorado --L Fort Collins [...]</div><div><br></div><div>It should be compatible with existing CA setups that use the OpenSSL CLI tools; it writes the "serial" and "index.txt" files.</div><div><br></div><div>Looking for feedback on the direction this is going in.</div><div><br></div><div>Thanks,</div><div>Sean<br></div></div>
</blockquote></div>
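Worked example, added here and not code from rgca or its author: the workflow the thread describes (a self-signed CA, a CA-signed leaf certificate carrying the Subject Alternative Names that modern clients require, config-file/environment/CLI setting precedence, and re-issuing an existing cert with an extra SAN) implemented with Python's `cryptography` library. The function names, the `SUBJECT_OIDS` key set and the `signed_by` chain check are this example's own; how rgca actually names its config keys or lays out its files is assumed, not taken from its code.

```python
"""Added example (not rgca's code): self-signed CA, SAN leaf certs, setting
precedence and re-issue-with-extra-SAN, using the `cryptography` library."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Hypothetical short subject keys (openssl-style), mapped to X.509 OIDs.
SUBJECT_OIDS = {
    "C": NameOID.COUNTRY_NAME,
    "ST": NameOID.STATE_OR_PROVINCE_NAME,
    "L": NameOID.LOCALITY_NAME,
    "O": NameOID.ORGANIZATION_NAME,
    "emailAddress": NameOID.EMAIL_ADDRESS,
}


def resolve_settings(config_file, environ, cli):
    """Precedence as the thread describes: CLI beats environment beats config
    file. A value of None means 'not given at that layer'."""
    merged = dict(config_file)
    for layer in (environ, cli):
        merged.update({k: v for k, v in layer.items() if v is not None})
    return merged


def build_name(common_name, settings):
    attrs = [x509.NameAttribute(oid, settings[k])
             for k, oid in SUBJECT_OIDS.items() if k in settings]
    attrs.append(x509.NameAttribute(NameOID.COMMON_NAME, common_name))
    return x509.Name(attrs)


def _builder(subject, issuer, pubkey, days):
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))   # tolerate clock skew
            .not_valid_after(now + timedelta(days=days)))


def new_ca(common_name, settings, days=3650):
    """Equivalent of `rgca ca new example.com`: self-signed CA key and cert."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = build_name(common_name, settings)
    cert = (_builder(name, name, key.public_key(), days)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .add_extension(x509.KeyUsage(
                digital_signature=True, key_cert_sign=True, crl_sign=True,
                content_commitment=False, key_encipherment=False, data_encipherment=False,
                key_agreement=False, encipher_only=False, decipher_only=False), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def new_cert(ca_key, ca_cert, common_name, settings, sans=(), days=365):
    """Equivalent of `rgca cert new --san ... name`: CA-signed leaf cert.
    The CN is always copied into the SAN list, since modern clients ignore CN."""
    key = ec.generate_private_key(ec.SECP256R1())
    names = [common_name] + [s for s in sans if s != common_name]
    cert = (_builder(build_name(common_name, settings), ca_cert.subject, key.public_key(), days)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(n) for n in names]),
                           critical=False)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]),
                           critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def san_names(cert):
    ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return ext.value.get_values_for_type(x509.DNSName)


def reissue_cert(ca_key, ca_cert, old_cert, extra_sans=(), days=365):
    """'New cert based off an existing cert': keep the subject, extend the SAN
    list and start a fresh validity window. A new private key is generated."""
    subj = old_cert.subject
    cn = subj.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    settings = {k: subj.get_attributes_for_oid(oid)[0].value
                for k, oid in SUBJECT_OIDS.items() if subj.get_attributes_for_oid(oid)}
    old = san_names(old_cert)
    return new_cert(ca_key, ca_cert, cn, settings,
                    old + [s for s in extra_sans if s not in old], days)


def signed_by(ca_cert, cert):
    """The chain link a verifier checks: issuer name equals the CA subject and
    the CA public key validates the signature over the TBS certificate."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return True


if __name__ == "__main__":
    cfg = resolve_settings({"C": "US", "ST": "Colorado", "L": "Fort Collins"}, {}, {})
    ca_key, ca_cert = new_ca("example.com", cfg)
    _, leaf = new_cert(ca_key, ca_cert, "user2.example.com", cfg,
                       ["test.example.com", "test2.example.com"])
    print(san_names(leaf), signed_by(ca_cert, leaf))
```

To write the results to disk, serialize with `cert.public_bytes(serialization.Encoding.PEM)` and `key.private_bytes(...)` from `cryptography.hazmat.primitives.serialization`; the OpenSSL-style `serial` and `index.txt` bookkeeping the thread mentions is outside this example. Note that `reissue_cert` deliberately does not reuse the old private key: a re-issue that only adds a SAN or extends validity is the moment to rotate the key as well.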