I'm using certbot with the DNS challenge (Cloudflare API token) to renew the Let's Encrypt cert for my nginx proxy. I also want to create a CA cert to sign long-term certs for upstream servers/services and set nginx to trust that CA cert. Long-term because there is no way to automate renewal for those devices/services. Will step-ca be of any use to me, or should I just use openssl?

  • qfla@alien.top · 2 upvotes · 11 months ago

    Oh no step-ca what are you doing?

    Sorry, I had to do this.

    Joking aside, I recommend setting up an internal CA with the easy-rsa project from the OpenVPN GitHub repository.

  • Tecchie088@alien.top · 1 upvote · 11 months ago

    I've been using step-ca for about 3 years in my lab. It's great, especially for services that support ACME (Proxmox, Caddy, etc.).

  • hadrabap@alien.top · 1 upvote · 11 months ago

    The power of step-ca is that it supports lots of protocols for automating key/certificate issuing, renewal, or rekeying.

    You'll still most probably want to use OpenSSL to generate your chain. step-ca seems to be an unnecessary step for your case.

    By the way, the only “service” in my setup that doesn’t support TLS automation is my remote UPS management card. Even though I think I might be able to hack it. 😁 The rest is perfectly automatable. 🙂

    • domanpanda@alien.top (OP) · 1 upvote · 11 months ago

      So far you're the only one who fully read/understood my question. The rest mostly just recommend what they use, which is also fine, yet it doesn't answer the issue. Thank you!
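The OpenSSL route that hadrabap's reply points to, written out as an added example (this script is not from the thread or from any of its posters): a small internal CA with plain `openssl`, a long-lived leaf cert with a SAN for a device that cannot do ACME, the same chain and hostname check that nginx performs, and the `proxy_ssl_*` directives that make the proxy trust the CA. The hostname `nas.home.lan`, the upstream address `192.0.2.10:443`, the paths and the lifetimes are assumptions for the demo.

```sh
#!/bin/sh
# Added example, not from the thread: an internal CA with plain OpenSSL.
# Creates a long-lived root, issues long-lived leaf certs for upstream devices
# that cannot renew automatically, verifies the chain the way nginx will, and
# prints the nginx directives that make the proxy trust the CA.
# Hostnames, addresses, paths and lifetimes are assumptions for the demo.
set -eu

# make_ca DIR: EC P-256 root key + self-signed CA cert (10 years).
make_ca() {
  ca_dir="$1"
  mkdir -p "$ca_dir"
  # Own config file so the result does not depend on the system openssl.cnf.
  cat >"$ca_dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = Homelab Internal CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$ca_dir/ca.key" 2>/dev/null
  chmod 600 "$ca_dir/ca.key"   # the CA key never leaves this (ideally offline) box
  openssl req -x509 -new -key "$ca_dir/ca.key" -config "$ca_dir/ca.cnf" \
    -extensions v3_ca -days 3650 -sha256 -out "$ca_dir/ca.crt" 2>/dev/null
}

# issue_cert CA_DIR OUT_DIR HOST [DAYS]: key + CSR + CA-signed leaf for HOST.
# Default lifetime 5 years: a private CA has no browser lifetime policy, so
# pick what your rotation discipline can live with.
issue_cert() {
  ca_dir="$1"; out_dir="$2"; host="$3"; days="${4:-1825}"
  mkdir -p "$out_dir"
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$out_dir/$host.key" 2>/dev/null
  chmod 600 "$out_dir/$host.key"
  cat >"$out_dir/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $host
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  openssl req -new -key "$out_dir/$host.key" -config "$out_dir/$host.cnf" \
    -out "$out_dir/$host.csr" 2>/dev/null
  # Extensions come from our file, not from the CSR, so a CSR generated on the
  # device itself cannot smuggle in CA:TRUE or extra names.
  openssl x509 -req -in "$out_dir/$host.csr" \
    -CA "$ca_dir/ca.crt" -CAkey "$ca_dir/ca.key" -CAcreateserial \
    -extfile "$out_dir/$host.cnf" -extensions v3_leaf \
    -days "$days" -sha256 -out "$out_dir/$host.crt" 2>/dev/null
}

# verify_chain CA_CRT LEAF_CRT HOST: the check nginx does with
# proxy_ssl_verify on + proxy_ssl_trusted_certificate + proxy_ssl_name.
# Only our CA is trusted (system store disabled), and the SAN must match HOST.
verify_chain() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" \
    -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# nginx_upstream_snippet CA_PATH HOST ADDR: proxy-side directives.
nginx_upstream_snippet() {
  cat <<EOF
# assumption: $1 is ca.crt copied onto the nginx host (the CA key stays elsewhere)
location / {
    proxy_pass https://$3;
    proxy_ssl_trusted_certificate $1;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_name $2;          # must match the SAN in the device's cert
    proxy_ssl_server_name on;   # send SNI so the device picks the right cert
    proxy_ssl_protocols TLSv1.2 TLSv1.3;
}
EOF
}

# Demo run in a scratch directory.
DEMO="$(mktemp -d)"
make_ca "$DEMO/ca"
issue_cert "$DEMO/ca" "$DEMO/certs" nas.home.lan
verify_chain "$DEMO/ca/ca.crt" "$DEMO/certs/nas.home.lan.crt" nas.home.lan \
  && echo "chain OK for nas.home.lan"
nginx_upstream_snippet /etc/nginx/internal-ca.crt nas.home.lan 192.0.2.10:443
```

Only `ca.crt` goes to the nginx host; `ca.key` stays wherever you sign. Install `nas.home.lan.key`/`.crt` on the device, and before touching nginx run the same `openssl verify -CAfile ca.crt -verify_hostname <host>` against the cert the device actually serves (`openssl s_client -connect host:443 -showcerts`), because a mismatch between `proxy_ssl_name` and the SAN is the usual reason `proxy_ssl_verify on` starts returning 502.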