JakeHillion/nixos
1
0
Fork 0
Code Issues 10 Pull Requests 6 Actions 1 Packages Projects Releases Wiki Activity
6cc70e117d
nixos/modules/ca
History
Jake Hillion db5dc5aee6
All checks were successful
flake / flake (push) Successful in 1m14s
Details
step-ca: enable server on sodium and load root certs
2024-08-01 23:28:22 +01:00
..
cert.pem step-ca: enable server on sodium and load root certs 2024-08-01 23:28:22 +01:00
consumer.nix step-ca: enable server on sodium and load root certs 2024-08-01 23:28:22 +01:00
default.nix step-ca: enable server on sodium and load root certs 2024-08-01 23:28:22 +01:00
README.md step-ca: enable server on sodium and load root certs 2024-08-01 23:28:22 +01:00
service.nix step-ca: enable server on sodium and load root certs 2024-08-01 23:28:22 +01:00

README.md

ca

Getting the certificates in the right place is a manual process (for now, at least). This is to keep the most control over the root certificate's key and allow manual cycling. The manual commands should be run on a trusted machine.

Creating a 10 year root certificate:

nix run nixpkgs#step-cli -- certificate create 'Hillion ACME' cert.pem key.pem --kty=EC --curve=P-521 --profile=root-ca --not-after=87600h

Creating the intermediate key:

nix run nixpkgs#step-cli -- certificate create 'Hillion ACME (sodium.pop.ts.hillion.co.uk)' intermediate_cert.pem intermediate_key.pem --kty=EC --curve=P-521 --profile=intermediate-ca --not-after=8760h --ca=$NIXOS_ROOT/modules/ca/cert.pem --ca-key=DOWNLOADED_KEY.pem