blob: 5055a78aabe1cd0ab8362316fae6c0f00dcf75f3 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
{ pkgs }:
pkgs.writers.writeDashBin "generate-intermediate-ca" ''
TMPDIR=$(mktemp -d)
trap "rm -rf $TMPDIR;" INT TERM EXIT
mkdir -p "$TMPDIR/krebs"
brain show ca/ca.key > "$TMPDIR/krebs/ca.key"
brain show ca/ca.crt > "$TMPDIR/krebs/ca.crt"
export STEPPATH="$TMPDIR/step"
cat << EOF > "$TMPDIR/intermediate.tpl"
{
"subject": {{ toJson .Subject }},
"keyUsage": ["certSign", "crlSign"],
"basicConstraints": {
"isCA": true,
"maxPathLen": 0
},
"nameConstraints": {
"critical": true,
"permittedDNSDomains": ["r" ,"w"]
}
}
EOF
${pkgs.step-cli}/bin/step certificate create "Krebs ACME CA" intermediate_ca.crt intermediate_ca.key \
--template "$TMPDIR/intermediate.tpl" \
--not-after 8760h \
--ca "$TMPDIR/krebs/ca.crt" \
--ca-key "$TMPDIR/krebs/ca.key" \
--no-password --insecure
''
|