Add flag --bupem to make a bottom-up PEM #1864
base: master
Conversation
Any review for this?
Outputs also a 'bottom-up' PEM (.bupem) file containing, in this order:

1. Private .key
2. Public .crt
3. Issuer .crt

Saves a manual `cat` step to build such a file. Useful for e.g. Postfix (+ >=OpenSSL 1.1.1) with its `*_chain_files` options:

```
smtpd_tls_chain_files = /etc/postfix/mail.example.com.rsa4096.bupem, /etc/postfix/mail.example.com.ec256.bupem
smtp_tls_chain_files = /etc/postfix/mail.example.com.rsa4096.bupem, /etc/postfix/mail.example.com.ec256.bupem
```

The 'bottom-up' convention expects the private key first.
@@ -118,6 +118,10 @@ func CreateFlags(defaultPath string) []cli.Flag { | |||
Usage: "Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name server queries.", | |||
Value: 10, | |||
}, | |||
&cli.BoolFlag{ | |||
Name: "bupem", | |||
Usage: "Generate an additional 'bottom-up' .bupem (PEM, base64) file by concatenating the .key, .crt and issuer .crt together, in that order.", |
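Review bot: the Usage string of the new `bupem` BoolFlag should warn that the generated file contains the private key, because it concatenates the .key in first; whatever writes the .bupem must use the same restrictive mode as the .key file (0600), and the flag help is where users learn to treat the file that way. The "(PEM, base64)" parenthetical is also redundant, since PEM is already a base64 encoding. Suggest something like `Usage: "Generate an additional 'bottom-up' .bupem file (private key, leaf certificate, issuer certificate, in that order); it contains the private key, so protect it like the .key file.",`. Note also that the hunk header announces four added lines but only three `+` lines are visible here, so the closing `},` of the new flag is cut off in this excerpt.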
"PEM, base64" is redundant, as all PEM files encode X.509 DER serialization data as Base64. I'd reword it as:

```
-    Usage: "Generate an additional 'bottom-up' .bupem (PEM, base64) file by concatenating the .key, .crt and issuer .crt together, in that order.",
+    Usage: "Generate an additional 'bottom-up PEM' file (.bupem) by concatenating the private key, leaf certificate and issuer chain (in that order) into a single file.",
```

(I'm not sure on the article in front of "private key": Is it required there, and/or do "leaf certificate" and "issuer chain" also need a "the"?)
Not strictly necessary - abstract is equally intelligible. First 'the' is acceptable in native English.
I'm not keen on that name. We should avoid making names up, as this leads to headaches. Searching for "bottom-up PEM" doesn't yield many related results, with one exception: this PR.

Postfix, confusingly, calls this format a "chain file". In terms of certificates, "chain" usually means a list of issuer, intermediate and leaf certificates (in that order, and without private key). I'd advise against using "chain PEM"/.chainpem as an alternative.

I also don't have a useful name, at the moment.

Idea for another approach

Maybe the solution is not to provide hard-coded output formats, and instead allow the user to describe the format(s) they need, something akin to this:

```
lego run ... \
  --cert.out bu.pem=pkey,cert,issuerchain \
  --cert.out chain.pem=issuerchain,cert \
  --cert.out key=pkey
```

which would yield three files:

- `domain.bu.pem`, containing the file described in this PR,
- `domain.chain.pem`, containing an ordinary bundle, and
- `domain.key`, containing just the private key.

(The general syntax being `--cert.out <extension>=<token-list>`, with predefined tokens like "pkey" for the private key.)
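The two designs in this thread, the fixed bottom-up file from the PR description (private key, leaf, issuer, the order Postfix's `*_chain_files` expect) and the `--cert.out <extension>=<token-list>` idea in the comment above, worked through as an added Go example. This is not lego's code and not part of the PR: it parses the hypothetical spec syntax, concatenates the requested parts while reporting whether the result carries the private key (so the caller can write it 0600 like the .key file), and checks that a bottom-up file really starts with a private key followed by the leaf certificate that matches it. The `Parts` struct, the token names and the in-memory CA/leaf pair are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Parts holds the PEM material on hand after issuance (field names are assumed).
type Parts struct{ PKey, Cert, IssuerChain []byte }

// ParseOutSpec parses the hypothetical "<extension>=<token-list>" syntax, e.g. "bu.pem=pkey,cert,issuerchain".
func ParseOutSpec(spec string) (string, []string, error) {
	ext, list, ok := strings.Cut(spec, "=")
	if !ok || ext == "" || list == "" {
		return "", nil, fmt.Errorf("bad spec %q: want <extension>=<token-list>", spec)
	}
	var tokens []string
	for _, t := range strings.Split(list, ",") {
		if t = strings.TrimSpace(t); t != "pkey" && t != "cert" && t != "issuerchain" {
			return "", nil, fmt.Errorf("unknown token %q in %q", t, spec)
		}
		tokens = append(tokens, t)
	}
	return ext, tokens, nil
}

// Assemble concatenates the parts in token order; hasKey tells the caller the
// output carries the private key and must be written 0600 like the .key file.
func Assemble(p Parts, tokens []string) (out []byte, hasKey bool) {
	chunks := map[string][]byte{"pkey": p.PKey, "cert": p.Cert, "issuerchain": p.IssuerChain}
	for _, t := range tokens {
		out = append(out, chunks[t]...)
		if n := len(chunks[t]); n > 0 && chunks[t][n-1] != '\n' {
			out = append(out, '\n') // a bare `cat` would glue "-----END" onto "-----BEGIN"
		}
		hasKey = hasKey || t == "pkey"
	}
	return out, hasKey
}

// CheckBottomUp verifies the Postfix convention: the first PEM block is a private
// key (EC or PKCS#1 RSA) and the second is a certificate whose public key matches it.
func CheckBottomUp(data []byte) error {
	kb, rest := pem.Decode(data)
	if kb == nil || !strings.HasSuffix(kb.Type, "PRIVATE KEY") {
		return errors.New("first PEM block is not a private key")
	}
	var signer crypto.Signer
	if k, err := x509.ParseECPrivateKey(kb.Bytes); err == nil {
		signer = k
	} else if k, err := x509.ParsePKCS1PrivateKey(kb.Bytes); err == nil {
		signer = k
	} else {
		return errors.New("private key block is neither EC nor PKCS#1 RSA")
	}
	cb, _ := pem.Decode(rest)
	if cb == nil || cb.Type != "CERTIFICATE" {
		return errors.New("second PEM block is not a certificate")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(signer.Public()) {
		return errors.New("leaf certificate does not match the private key")
	}
	return nil
}

// SampleParts builds a constructed CA and leaf in memory so the example runs offline;
// errors are ignored because the inputs are fixed and well-formed.
func SampleParts() Parts {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "mail.example.com"},
		DNSNames: []string{"mail.example.com"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	keyDER, _ := x509.MarshalECPrivateKey(leafKey)
	block := func(t string, b []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b}) }
	return Parts{PKey: block("EC PRIVATE KEY", keyDER), Cert: block("CERTIFICATE", leafDER), IssuerChain: block("CERTIFICATE", caDER)}
}

func main() {
	p := SampleParts()
	_, tokens, _ := ParseOutSpec("bu.pem=pkey,cert,issuerchain")
	data, hasKey := Assemble(p, tokens)
	fmt.Printf("%d bytes, contains private key: %v, bottom-up check: %v\n", len(data), hasKey, CheckBottomUp(data))
}
```

The check is worth running on the assembled bytes before they are handed to Postfix: an `issuerchain,cert` bundle, a key file glued to a certificate without a newline, or a key that belongs to a different certificate all fail it, and the `hasKey` flag is what decides the file mode, not the extension.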
Having a customizable

Sure, I'd imagine it more as a general replacement for the