As far as I can tell, the TLS Tool does not support signing the CSRs that it can generate. Have I missed something, or is that an option that could be added?
This seems useful to simply separate the node keygen process from the cert signing, without requiring extra steps using e.g. OpenSSL command-line tools; I’m imagining a process where:
- tlstool on a signing server is used to generate CA, intermediate CA and keys
- CA certs copied to cluster nodes
- sgtlstool on each cluster is used to generate node CSR and key
- CSRs retrieved onto signing server, signed with sgtlstool, and returned
This seems to fit with typical best practice for generating TLS artifacts - keys (and keyfile passwords) never leave the target hosts, and the CA key is never exposed on a target host.
sgtlstool -csr ...
seems to be intended for sending to an established local CA or public CA service; lacking a suitable service, it would be very convenient (read: easier to convince a DevOps team) to be able to run something like sgtlstool -t $ca_dir --sign-csr $csr_dir -c signing_config.yml
without introducing OpenSSL and its notorious configuration.
I could do it with OpenSSL, for sure, but then there’s a maintenance load of keeping the openssl config in step with the sgtlstool config.