Update aegis generate command to use openssl.
I like step-ca and it's defaults, but as far as I can figure from the arguments, configuration, and documentation there is no way to tell it to give me a much longer-lived certificate. 10 years. That's it. It's a reasonable default for a server, but not for a human being. Instead, we'll do 200 years. Revisit this when the Transhumanists take over.
This commit is contained in:
parent
7a64ec773a
commit
47c40d0ca2
|
|
@ -1,13 +1,19 @@
|
||||||
import subprocess
|
import subprocess
|
||||||
|
|
||||||
|
MAX_HUMAN_AGE = 365 * 200
|
||||||
def generate():
|
def generate():
|
||||||
print("Please name this aegis. You can call it anything. Frequently people use their legal name.")
|
print("Please name this aegis. You can call it anything. Frequently people use their legal name.")
|
||||||
name = input("Name? ")
|
name = input("Name? ")
|
||||||
print("Generating aegis.")
|
print("Generating aegis.")
|
||||||
subprocess.run([
|
subprocess.run([
|
||||||
"step", "ca", "init",
|
"openssl", "req", # PKCS#10 certificate generation utility
|
||||||
"--pki",
|
"-new", # Generate a new certificate
|
||||||
"--deployment-type=standalone",
|
"-newkey", "ec", # Generate a new private key using elliptic-curve (ECDSA or ECDH compatible)
|
||||||
"--name", name,
|
"-pkeyopt", "ec_paramgen_curve:prime256v1", # Use the prime256v1 CE curve from NIST (P-256)
|
||||||
|
"-x509", # Create a self-signed certificate instead of a certificate request.
|
||||||
|
"-days", str(MAX_HUMAN_AGE), # Set the validity period to the expected max age of a human
|
||||||
|
"-subj", f"/CN={name}", # Add the common name for the persona tied to this aegis
|
||||||
|
"-out", "cert.pem", # Generate a self-signed certificate file with a .pem extension
|
||||||
|
"-keyout", "key.pem", # Generate an encrypted private key file with a .pem extension
|
||||||
],
|
],
|
||||||
check=True,)
|
check=True,)
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue