Im using certbot with dns challenge (cloudflare api token) to renew letsencrypt cert for my nginx proxy. I want also to create CA cert to sign longterm certs for upstream servers/services and set nginx to trust CA cert. Longterm because of no possibility to automate renewal for those devices/services. Will stepCA have any use for me or just use openssl?

  • qfla@alien.topB
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Oh no step-ca what are you doing?

    Sorry i had to do this

    Joking aside I recommend setting up internal CA with easyrsa project from OpenVPN github repository

  • hadrabap@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    The power of step-ca is that it supports lots of protocols for automation keys/certificates issuing, renewing, or rekeying.

    You’ll still most probably want to use OpenSSL to generate your chain. step-ca seems to be unnecessary work/step for your case.

    By the way, the only “service” in my setup that doesn’t support TLS automation is my remote UPS management card. Even though I think I might be able to hack it. 😁 The rest is perfectly automatable. 🙂

    • domanpanda@alien.topOPB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      So far youre the only one who fully read/understood my question. The rest mostly just recommend what they use. Which is also fine, yet these not answer the issue. Thank you!

  • Tecchie088@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I’ve been using step-ca for about 3 years in my lab, it’s great, especially for services that support ACME (Proxmox, Caddy, etc.).