authorlassulus <lassulus@lassul.us>2021-12-09 11:21:06 +0100
committerlassulus <lassulus@lassul.us>2021-12-09 11:31:10 +0100
commite5fc654f50e2b99bcae186962b29c8754f382f3b (patch)
tree9f1237624cc1a6c4ca45a651a4c875c4784d51d7 /krebs/5pkgs
parentb981c43a97bf254ea15c324d8f82aab368cdf3d0 (diff)
add ACME ca via ca.r
Diffstat (limited to 'krebs/5pkgs')
-rw-r--r--krebs/5pkgs/simple/generate-krebs-intermediate-ca/default.nix29
1 files changed, 29 insertions, 0 deletions
diff --git a/krebs/5pkgs/simple/generate-krebs-intermediate-ca/default.nix b/krebs/5pkgs/simple/generate-krebs-intermediate-ca/default.nix
new file mode 100644
index 00000000..8cec5432
--- /dev/null
+++ b/krebs/5pkgs/simple/generate-krebs-intermediate-ca/default.nix
@@ -0,0 +1,29 @@
+{ pkgs }:
+pkgs.writers.writeDashBin "generate-intermediate-ca" ''
+ TMPDIR=$(mktemp -d)
+ trap "rm -rf $TMPDIR;" INT TERM EXIT
+ mkdir -p "$TMPDIR/krebs"
+ brain show ca/ca.key > "$TMPDIR/krebs/ca.key"
+ brain show ca/ca.crt > "$TMPDIR/krebs/ca.crt"
+ export STEPPATH="$TMPDIR/step"
+ cat << EOF > "$TMPDIR/intermediate.tpl"
+ {
+ "subject": {{ toJson .Subject }},
+ "keyUsage": ["certSign", "crlSign"],
+ "basicConstraints": {
+ "isCA": true,
+ "maxPathLen": 0
+ },
+ "nameConstraints": {
+ "critical": true,
+ "permittedDNSDomains": ["r" ,"w"]
+ }
+ }
+ EOF
+
+ ${pkgs.step-cli}/bin/step certificate create "Krebs ACME CA" intermediate_ca.crt intermediate_ca.key \
+ --template "$TMPDIR/intermediate.tpl" \
+ --ca "$TMPDIR/krebs/ca.crt" \
+ --ca-key "$TMPDIR/krebs/ca.key" \
+ --no-password --insecure
+''