From 47c40d0ca2ad84a71778aa578591909787d6c4ea Mon Sep 17 00:00:00 2001
From: Eli Ribble
Date: Mon, 6 Nov 2023 10:23:57 -0700
Subject: [PATCH] Update aegis generate command to use openssl.

I like step-ca and it's defaults, but as far as I can figure from the arguments, configuration, and documentation there is no way to tell it to give me a much longer-lived certificate. 10 years. That's it. It's a reasonable default for a server, but not for a human being. Instead, we'll do 200 years. Revisit this when the Transhumanists take over.
---
 gongor/aegis.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/gongor/aegis.py b/gongor/aegis.py
index 3703f85..c571c4d 100644
--- a/gongor/aegis.py
+++ b/gongor/aegis.py
@@ -1,13 +1,19 @@
 import subprocess
+MAX_HUMAN_AGE = 365 * 200
 def generate():
     print("Please name this aegis. You can call it anything. Frequently people use their legal name.")
     name = input("Name? ")
     print("Generating aegis.")
     subprocess.run([
-        "step", "ca", "init",
-        "--pki",
-        "--deployment-type=standalone",
-        "--name", name,
+        "openssl", "req", # PKCS#10 certificate generation utility
+        "-new", # Generate a new certificate
+        "-newkey", "ec", # Generate a new private key using elliptic-curve (ECDSA or ECDH compatible)
+        "-pkeyopt", "ec_paramgen_curve:prime256v1", # Use the prime256v1 CE curve from NIST (P-256)
+        "-x509", # Create a self-signed certificate instead of a certificate request.
+        "-days", str(MAX_HUMAN_AGE), # Set the validity period to the expected max age of a human
+        "-subj", f"/CN={name}", # Add the common name for the persona tied to this aegis
+        "-out", "cert.pem", # Generate a self-signed certificate file with a .pem extension
+        "-keyout", "key.pem", # Generate an encrypted private key file with a .pem extension
     ], check=True,)
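Review bot: The `-subj` line splices the raw `input()` value into OpenSSL's subject grammar, where `/` separates RDNs, `+` joins multi-valued RDNs and `\` escapes, so a name containing any of those (a "/" in a double-barrelled name, say) either fails or yields a subject with extra components, and an empty name produces `/CN=`, which openssl rejects before `check=True` turns it into a bare CalledProcessError. Escape the value before interpolating, e.g. `subject = "/CN=" + name.replace("\\", "\\\\").replace("/", "\\/").replace("+", "\\+")` and pass `"-subj", subject`, and reject a blank name up front with a clear message. Separately, `-out cert.pem` and `-keyout key.pem` silently overwrite whatever is already in the working directory, so an existing identity (and its private key) can be clobbered by re-running the command; a `pathlib.Path("key.pem").exists()` guard before the call would prevent that, and it is worth confirming what file mode openssl gives key.pem on your target platforms rather than assuming it is owner-only. The comment on the `-pkeyopt` line reads "CE curve" where "EC curve" is presumably meant.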