I think VyOS would benefit from having some form of PKI configuration included, also where the certificates and keys are written directly into the config to allow for portability (somewhat like crypto pki in cisco).
I have been experimenting and was thinking of something like:
Conf mode:
set pki ca <ca-name> certificate <cert_data> set pki ca <ca-name> private key <key_data> set pki ca <ca-name> private passphrase 'abcdef' set pki ca <ca-name> private type 'rsa' set pki certificate [name] ... <same as CA tag node>
Op mode:
generate pki ca <name> [install] # Generates a CA certificate and private key generate pki certificate <name> [install] # Generates a private key and certificate request generate pki certificate <name> self-signed [install] # Generates self-signed certificate generate pki certificate <name> sign [ca-name] [install] # Generates private key and certificate request, signs with CA at [ca-name]
The install optional setting in op-mode could either output lines to enter in conf-mode, or if appropriate could auto-install the generated certs/keys into the running-config.
The goal of this would be for use across the entire configuration. Like how set vpn rsa-keys and set service https are managing their own certificates/keys, they could instead reference to a central location.
Any thoughts?
Migration checklist:
- EAPOL
- HTTPS
- IPSec RSA
- IPSec X509
- L2TP
- LetsEncrypt
- OpenConnect
- OpenVPN
- SSTP
- Wireguard