CA
Notes for running a CA
There are a few options for running a CA:
- step-ca and step-cli
- easyrsa (from openvpn, built on top of openssl)
- openssl
In the following text we use example.com as the name of the CA and a.example.com as the example client
who wants to have their certificate signed.
step-ca
I have tried step-ca, which needs step-cli as a client, which was marked as BROKEN.
Apparently it's not broken, but it can't ask for command-line interaction; you may pass those
as command-line arguments instead (but you might need to guess what the program is trying to ask first;
usually it's either asking for confirmation of overwriting files, -f, or asking for passwords).
You can generate a CA certificate manually with step-cli, which I did. Note that step-cli generates ECDSA keys
by default, which OpenBSD (at least relayd) doesn't play well with, so the commands below force RSA.
Put the CA key password in a file, example.com.passwd, and keep it readable only by you:
```
$ echo password > example.com.passwd
$ chmod 600 example.com.passwd
```
Then generate the root CA key and self-signed certificate (--profile root-ca makes it a CA certificate, --kty=RSA overrides the ECDSA default):
```
$ step certificate create --password-file=example.com.passwd example.com example.com.crt example.com.key --profile root-ca --kty=RSA
```
That is the key we will use to sign other certificates. Next, create a key and a CSR for the host that wants a certificate;
you need to do this for every certificate. We add --no-password --insecure so programs like relayd and httpd
can open the key without a password:
```
$ step certificate create a.example.com a.example.com.csr a.example.com.key --csr --no-password --insecure
```
Now that you have the CSR file, you need to send it to the CA so they can sign it, but we are the CA :)
```
$ step certificate sign a.example.com.csr example.com.crt example.com.key --password-file=example.com.passwd > a.example.com.crt
```
Check the result with `step certificate inspect a.example.com.crt`; if the validity period is too short for you, `--not-after` on the sign command sets it.
Voilà.
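The same three steps (CA key, CSR, signing) done with openssl, one of the other options listed above, plus the verification step that the notes leave out. This is an added example, not from the notes or from the step project: example.com and a.example.com follow the notes, while the work directory, the config file ca.cnf, the extension file and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example: a minimal CA with openssl. Assumed names: the work
# directory is given as an argument, ca.cnf and NAME.ext are written here.
set -eu

# write_config DIR : one config file covering the CA extensions, so the
# result does not depend on whatever /etc/ssl/openssl.cnf the host ships
write_config() {
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = example.com
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR : password-protected RSA root key and self-signed CA cert.
# umask 077 stays in effect for the rest of the script: private keys are
# created readable by the owner only.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    umask 077
    printf 'password\n' > "$dir/example.com.passwd"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
        -aes-256-cbc -pass "file:$dir/example.com.passwd" \
        -out "$dir/example.com.key"
    write_config "$dir"
    openssl req -x509 -new -config "$dir/ca.cnf" -extensions v3_ca \
        -key "$dir/example.com.key" -passin "file:$dir/example.com.passwd" \
        -days 3650 -sha256 -out "$dir/example.com.crt"
}

# make_csr DIR NAME : unencrypted leaf key (the notes' --no-password
# --insecure, so relayd/httpd can load it) and a CSR for NAME
make_csr() {
    dir=$1; name=$2
    umask 077
    write_config "$dir"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/$name.key"
    openssl req -new -config "$dir/ca.cnf" -subj "/CN=$name" \
        -key "$dir/$name.key" -out "$dir/$name.csr"
}

# sign_csr DIR NAME : the CA signs NAME's CSR as a server certificate.
# "openssl x509 -req" does not copy extensions from the CSR, so the leaf
# extensions, including the SAN that clients actually match against, come
# from an extension file written here.
sign_csr() {
    dir=$1; name=$2
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\nsubjectAltName=DNS:%s\n' \
        "$name" > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" \
        -CA "$dir/example.com.crt" -CAkey "$dir/example.com.key" \
        -passin "file:$dir/example.com.passwd" -CAcreateserial \
        -days 365 -sha256 -extfile "$dir/$name.ext" -out "$dir/$name.crt"
}

# verify_cert CAFILE CERT : succeeds only if CERT chains to CAFILE
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null
}

# san_of CERT : the DNS names the certificate is actually valid for
san_of() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*'
}

# is_ca CERT : succeeds only if the certificate may sign other certificates
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# usage: sh ca.sh WORKDIR
if [ $# -eq 1 ]; then
    make_ca "$1"
    make_csr "$1" a.example.com
    sign_csr "$1" a.example.com
    verify_cert "$1/example.com.crt" "$1/a.example.com.crt" \
        && echo "a.example.com.crt: OK, $(san_of "$1/a.example.com.crt")"
fi
```

The two checks at the end are the ones worth running after every signing: `openssl verify` proves the leaf chains to your CA and nothing else, and reading the SAN back catches the common mistake of a certificate that carries only a CN, which modern clients ignore.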
