I think VyOS would benefit from having some form of PKI configuration included, also where the certificates and keys are written directly into the config to allow for portability (somewhat like `crypto pki` in cisco).
I have been experimenting and was thinking of something like:
set pki ca <ca-name> certificate <cert_data>
set pki ca <ca-name> private key <key_data>
set pki ca <ca-name> private passphrase 'abcdef'
set pki ca <ca-name> private type 'rsa'
set pki certificate [name] ... <same as CA tag node>
generate pki ca <name> [install] # Generates a CA certificate and private key
generate pki certificate <name> [install] # Generates a private key and certificate request
generate pki certificate <name> self-signed [install] # Generates self-signed certificate
generate pki certificate <name> sign [ca-name] [install] # Generates private key and certificate request, signs with CA at [ca-name]
The `install` optional setting in op-mode could either output lines to enter in conf-mode, or if appropriate could auto-install the generated certs/keys into the running-config.
The goal of this would be for use across the entire configuration. Like how `set vpn rsa-keys` and `set service https` are managing their own certificates/keys, they could instead reference to a central location.
- [ ] EAPOL
- [ ] HTTPS
- [x] IPSec RSA
- [x] IPSec X509
- [ ] L2TP
- [ ] LetsEncrypt
- [ ] OpenConnect
- [ ] OpenVPN
- [ ] SSTP
- [ ] Wireguard