
changed root CA creation options, added encryption #22

Closed
wants to merge 1 commit into from

Conversation

mrtvfuencxozd

Hi Jacob,
Thank you for minica.

Here is a PR somehow "reverting" #18 with the few other changes I mentioned in comments of this PR.

  • added -no-auto flag to prevent automatic issuer creation
  • added -root-ca-only flag to only create an issuer

The other changes are:

  • added -encrypt-ca-key flag to encrypt the root CA's private key (Encrypt CA key with password #2)
    To allow automated use when required (creation/use of the key),
    the password can be provided via the environment (MINICA_KEY_PASSWORD).
    If it is not, the user is prompted for it.
    Note that this adds a dependency on "golang.org/x/crypto";
    this is for ssh/terminal, so that the typed password is not displayed.

Also, as you stated in #14 that you wanted to keep things "radically simple", and while still wanting to help find where a certificate comes from, I've added a simple CN customization option.

  • added -ca-name flag to customize the issuer CN for easier identification
    this replaces "minica" with a custom string in "minica root ca 3f3732"

  • added/modified some error checking.

  • modified README/Usage accordingly.

As I needed these changes, I hope you'll find them worth the merge.

- added -no-auto flag to prevent automatic issuer creation
- added -root-ca-only flag to only create an issuer
- added -ca-name flag to customize the issuer CN for easier identification
    this replaces "minica" with a custom string in "minica root ca 3f3732"
- added -encrypt-ca-key flag to encrypt the root CA's private key
    to allow automated use when required (creation/use of the key),
    the password can be provided via the environment (MINICA_KEY_PASSWORD).
    If it is not, the user is prompted for it.

- added/modified some error checking.
- modified README/Usage accordingly.
@mrtvfuencxozd
Author

Hi Jacob,
any remarks?

@jsha
Owner

jsha commented Nov 12, 2019

Hi @mrtvfuencxozd! Thanks for your patience. Most of these changes, I don't want to incorporate into minica.

For the encrypted root CA private key: I think this use case can be better solved with an encrypted filesystem containing the private key.

For -root-ca-only and -ca-name, I think you can solve these by "bringing your own root," that is, by generating a root with some other software (like OpenSSL) and naming it minica.pem and minica-key.pem. I like this approach better because it reduces the need to add additional flags to minica.

For -no-auto, I can see the use, and would accept it (though I'd like to call it -no-create-root or something).

I'm going to close this PR for now; if you would like to create another one that implements -no-create-root I will take a look. Otherwise, I may implement it myself at some point.
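The "bring your own root" approach described above, as an added example that is not minica's code nor part of this PR: generate a self-signed root with a custom CN (what -ca-name would have set) and write it under the file names minica loads for an existing issuer. The file names come from the comment above; the P-256 key type, the 10-year lifetime, the 0600 key-file mode and the assumption that the minica version in use accepts an "EC PRIVATE KEY" block are mine.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"os"
	"path/filepath"
	"time"
)
// WriteRootCA writes a self-signed root CA named commonName to dir as minica.pem and minica-key.pem.
func WriteRootCA(dir, commonName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 is an assumption
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: commonName}, // the CN -ca-name would have set
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().AddDate(10, 0, 0), // 10-year lifetime (assumption)
		IsCA:                  true,
		BasicConstraintsValid: true, // without this the CA bit is not encoded
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, err
	}
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	if err := os.WriteFile(filepath.Join(dir, "minica-key.pem"), keyPEM, 0o600); err != nil { // owner-only
		return nil, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	if err := os.WriteFile(filepath.Join(dir, "minica.pem"), certPEM, 0o644); err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Run it once in the directory where minica is invoked; minica then issues from this root instead of creating "minica root ca <random>".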

@jsha jsha closed this Nov 12, 2019