sgallagher / sscg

Simple Signed Certificate Generator
GNU General Public License v3.0
77 stars 13 forks

Support creating multiple certificates from a single private CA #3

Open sgallagher opened 7 years ago

sgallagher commented 7 years ago

There may be times when we want to create several certificates at once (for example for a test-cluster of machines). SSCG should be able to take a configuration file (INI? YAML? JSON?) describing the different subject definitions for these certificates.

jamescassell commented 5 years ago

Would be an awesome feature!

sgallagher commented 5 years ago

@jamescassell I haven't done this yet because I'm wary of sscg getting as complex as the openssl CLI tool, but I'd happily look into it if you have some suggestions on an input format that is fairly approachable.

jamescassell commented 5 years ago

A good workaround with the existing functionality is to just use the SAN list and copy the same key to all the hosts that need it.

cipherboy commented 2 years ago

@sgallagher (I was just looking for this myself now) -- another alternative that might be easier would be up-front generation with a single CA, but multiple target certs. Perhaps using -- as a separator, could you parse arguments given multiple times and generate multiple certs as a result?

$ sscg \
    -- --subject-alt-name='IP:127.0.0.1/255.0.0.0' --cert-file=/path/to/1.pem --cert-key-file=/path/to/1.key \
    -- --subject-alt-name='IP:127.0.0.2/255.0.0.0' --cert-file=/path/to/2.pem --cert-key-file=/path/to/2.key \
    -- --client-file=alex.pem --client-key-file=alex.key --email 'alex@example.com' \
    -- --client-file=bob.pem --client-key-file=bob.key --email 'bob@example.com'

This has the added benefit of CA key destruction by default, rather than having to persist it. CA cert options could only be allowed once (to simplify the logic), but otherwise the rest might be fairly doable after restructuring argument parsing? Just an idea :-)
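The argument-grouping step that the proposal above depends on, as an added example that is not sscg's own code (sscg uses popt; this is a plain argv walk). It splits argv on "--" into one leading group for CA-level options and one group per certificate, then enforces the "CA options only once" rule from the comment. The function names, the group limits and the choice of `--ca-file` / `--ca-key-file` as the once-only options are assumptions for illustration; the sample argv is constructed to mirror the invocation sketched above.

```c
/* Added example (not sscg's code): split argv on "--" into per-certificate
 * option groups and check that CA-level options appear once, in the leading
 * group only. Option names and limits below are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define MAX_GROUPS 16
#define MAX_GROUP_ARGS 32

struct arg_group {
    int argc;
    const char *argv[MAX_GROUP_ARGS];
};

/* Split argv[1..argc) into groups delimited by "--".
 * Group 0 holds everything before the first "--" (CA and global options);
 * every later group describes one certificate to be signed by that CA.
 * Returns the number of groups, or -1 if a fixed limit is exceeded. */
int split_arg_groups(int argc, const char **argv,
                     struct arg_group *groups, int max_groups)
{
    int ngroups = 1;

    groups[0].argc = 0;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--") == 0) {
            if (ngroups >= max_groups)
                return -1;
            groups[ngroups++].argc = 0;
            continue;
        }
        struct arg_group *g = &groups[ngroups - 1];
        if (g->argc >= MAX_GROUP_ARGS)
            return -1;
        g->argv[g->argc++] = argv[i];
    }
    return ngroups;
}

/* Match an argument against an option name, accepting both the
 * "--ca-file=x" form and the bare "--ca-file" (value in the next slot). */
static int arg_is_option(const char *arg, const char *name)
{
    size_t n = strlen(name);
    return strncmp(arg, name, n) == 0 && (arg[n] == '\0' || arg[n] == '=');
}

/* Options that name the CA itself (assumed names, modelled on sscg's
 * --ca-file / --ca-key-file). Allowed at most once, and only in group 0. */
static const char *ca_options[] = { "--ca-file", "--ca-key-file", NULL };

/* Returns 0 when the groups are well-formed; otherwise the number of the
 * rule that failed:
 *   1 - a CA option appears inside a per-certificate group
 *   2 - a CA option is repeated in the leading group
 *   3 - a per-certificate group is empty (two "--" in a row) */
int validate_groups(const struct arg_group *groups, int ngroups)
{
    for (int gi = 0; gi < ngroups; gi++) {
        const struct arg_group *g = &groups[gi];
        if (gi > 0 && g->argc == 0)
            return 3;
        for (const char **opt = ca_options; *opt; opt++) {
            int seen = 0;
            for (int i = 0; i < g->argc; i++)
                if (arg_is_option(g->argv[i], *opt))
                    seen++;
            if (gi > 0 && seen > 0)
                return 1;
            if (gi == 0 && seen > 1)
                return 2;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed argv mirroring the multi-certificate invocation proposed above. */
    const char *argv[] = {
        "sscg",
        "--", "--subject-alt-name=IP:127.0.0.1/255.0.0.0", "--cert-file=/path/to/1.pem", "--cert-key-file=/path/to/1.key",
        "--", "--subject-alt-name=IP:127.0.0.2/255.0.0.0", "--cert-file=/path/to/2.pem", "--cert-key-file=/path/to/2.key",
        "--", "--client-file=alex.pem", "--client-key-file=alex.key", "--email", "alex@example.com",
        "--", "--client-file=bob.pem", "--client-key-file=bob.key", "--email", "bob@example.com",
    };
    int argc = (int)(sizeof argv / sizeof argv[0]);
    struct arg_group groups[MAX_GROUPS];
    int n = split_arg_groups(argc, argv, groups, MAX_GROUPS);

    printf("%d groups, validation=%d\n", n, validate_groups(groups, n));
    for (int gi = 1; gi < n; gi++)
        printf("cert %d: %d options, first=%s\n", gi, groups[gi].argc, groups[gi].argv[0]);
    return 0;
}
```

Each non-leading group would then be handed to the existing per-certificate option parser in turn, with the CA key generated once before the loop and released after it, which is what makes the "CA key destroyed by default" property fall out of this layout rather than needing a separate flag.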

sgallagher commented 2 years ago

That's an interesting suggestion. Definitely would require a significant rework of the argument parser.

I'll look into that in the near future.