Yesterday I got stuck on building a reasonable structure for an intermediate CA. Traditional structures in my sphere for CAs have been:

  • Root with an expiry in ~10 years.
  • Services intermediate expiring in ~5 years. This is intended to sign the service certificates, which will expire every year. This certificate should be replaced every two to three years.
  • Client intermediate expiring in ~5 years. Arguably these should be short-lived based on the target environments.

For the service certificates I would like to deploy them to a Vault instance for the target environment. This allows for rapid issuance of the certificates. I’ll worry about core OCSP after I prove I can get this arc done.

Example repository

Certificate Authority with CFSSL by Johannes Tegnér looks promising and repeatable. Building on Johannes Tegnér’s work, let’s see if we can create a repository with a reusable script to build my standard PKI setup.
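As an added example (not from the original post or from Johannes Tegnér’s repository), here is a CFSSL signing config that encodes the hierarchy above: a ~5-year intermediate profile constrained so it cannot issue further CAs, and one-year server and client profiles. The root’s own ~10-year lifetime is set separately in the root CSR’s `ca.expiry` field (e.g. `87600h`) when it is created with `cfssl gencert -initca`; the profile and file names are my assumptions.

```json
{
  "signing": {
    "default": {
      "expiry": "8760h",
      "usages": ["signing", "key encipherment"]
    },
    "profiles": {
      "intermediate": {
        "expiry": "43800h",
        "usages": ["cert sign", "crl sign"],
        "ca_constraint": {
          "is_ca": true,
          "max_path_len": 0,
          "max_path_len_zero": true
        }
      },
      "server": {
        "expiry": "8760h",
        "usages": ["signing", "key encipherment", "server auth"]
      },
      "client": {
        "expiry": "8760h",
        "usages": ["signing", "key encipherment", "client auth"]
      }
    }
  }
}
```

Issue the intermediate with `cfssl gencert -ca root.pem -ca-key root-key.pem -config ca-config.json -profile intermediate intermediate-csr.json`, then sign leaf certificates from the intermediate with `-profile server` or `-profile client`. The `max_path_len` of 0 (with `max_path_len_zero` set so CFSSL actually emits it) is what stops a compromised or misused intermediate from minting further CAs.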

Apparently the NodeJS setups I have do not support ECDSA for clients and servers.

I have posted the example.