Update aegis generate command to use openssl.

I like step-ca and its defaults, but as far as I can figure from the arguments, configuration, and documentation there is no way to tell it to give me a much longer-lived certificate. 10 years. That's it. It's a reasonable default for a server, but not for a human being. Instead, we'll do 200 years.

Revisit this when the Transhumanists take over.
Eli Ribble 2023-11-06 10:23:57 -07:00
parent 7a64ec773a
commit 47c40d0ca2
1 changed files with 10 additions and 4 deletions


@ -1,13 +1,19 @@
import subprocess
MAX_HUMAN_AGE = 365 * 200
def generate():
print("Please name this aegis. You can call it anything. Frequently people use their legal name.")
name = input("Name? ")
print("Generating aegis.")
subprocess.run([
"step", "ca", "init",
"--pki",
"--deployment-type=standalone",
"--name", name,
"openssl", "req", # PKCS#10 certificate generation utility
"-new", # Generate a new certificate
"-newkey", "ec", # Generate a new private key using elliptic-curve (ECDSA or ECDH compatible)
"-pkeyopt", "ec_paramgen_curve:prime256v1", # Use the prime256v1 CE curve from NIST (P-256)
"-x509", # Create a self-signed certificate instead of a certificate request.
"-days", str(MAX_HUMAN_AGE), # Set the validity period to the expected max age of a human
"-subj", f"/CN={name}", # Add the common name for the persona tied to this aegis
"-out", "cert.pem", # Generate a self-signed certificate file with a .pem extension
"-keyout", "key.pem", # Generate an encrypted private key file with a .pem extension
],
check=True,)
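
Review bot: in the `-subj` argument, `name` goes from `input()` straight into `f"/CN={name}"`, so a name containing `/` is read by openssl as the start of another subject field and the command either fails or produces a subject different from what was typed; an empty name is not checked either. Escape `/` and backslash in `name`, or reject such input along with the empty string, before building the argument list. Separately, `"cert.pem"` and `"key.pem"` are fixed paths in the working directory, so a second run of `generate()` would write over an existing private key; check for the files first or derive the paths from the aegis name. The comment on `-new` says it generates a new certificate, but it is `-x509` that makes the output a certificate, and "CE curve" in the `-pkeyopt` comment looks like a typo for "EC curve".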