
Support creating multiple certificates from a single private CA #3

Open
sgallagher opened this issue Mar 4, 2017 · 5 comments

@sgallagher (Owner)

There may be times when we want to create several certificates at once (for example for a test-cluster of machines). SSCG should be able to take a configuration file (INI? YAML? JSON?) describing the different subject definitions for these certificates.

@sgallagher sgallagher added this to the 2.1.0 milestone Mar 4, 2017
@sgallagher sgallagher self-assigned this Mar 4, 2017
@sgallagher sgallagher modified the milestones: 2.1.0, 3.0.0 Dec 18, 2017
@jamescassell

Would be an awesome feature!

@sgallagher (Owner, Author)

@jamescassell I haven't done this yet because I'm wary of sscg getting as complex as the openssl CLI tool, but I'd happily look into it if you have some suggestions on an input format that is fairly approachable.

@jamescassell

A good workaround with the existing functionality is to just use the SAN list and copy the same key to all the hosts that need it.

@cipherboy

@sgallagher (I was just looking for this myself now) -- another alternative that might be easier would be up-front generation with a single CA, but multiple target certs. Perhaps using -- as a separator, could you parse arguments given multiple times and generate multiple certs as a result?

$ sscg \
    -- --subject-alt-name='IP:127.0.0.1/255.0.0.0' --cert-file=/path/to/1.pem --cert-key-file=/path/to/1.key \
    -- --subject-alt-name='IP:127.0.0.2/255.0.0.0' --cert-file=/path/to/2.pem --cert-key-file=/path/to/2.key \
    -- --client-file=alex.pem --client-key-file=alex.key --email 'alex@example.com' \
    -- --client-file=bob.pem --client-key-file=bob.key --email 'bob@example.com'

This has the added benefit of CA key destruction by default, rather than having to persist it. CA cert options could only be allowed once (to simplify the logic), but otherwise the rest might be fairly doable after restructuring argument parsing? Just an idea :-)
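As an added worked example (not sscg's own code, and not from any commenter), a small Python prototype of the `--`-grouped parsing suggested in the comment above: the leading group holds the CA options, each later group describes one certificate, and the parser refuses CA options inside a certificate group, mixed server/client groups, and two certificates that would write to the same file. The `--ca-file` and `--ca-key-file` names are assumed; the per-certificate options are the ones quoted in the proposal, and `EXAMPLE_ARGV` is that proposed command line after shell splitting.

```python
"""Prototype of the '--'-separated multi-certificate parsing proposed above (constructed example, not sscg code)."""
import shlex
SERVER_OPTS = {"--cert-file", "--cert-key-file", "--subject-alt-name"}  # from the proposal
CLIENT_OPTS = {"--client-file", "--client-key-file", "--email"}         # from the proposal
CA_OPTS = {"--ca-file", "--ca-key-file"}  # assumed names; allowed once, before the first '--'

def parse_opts(args, allowed):
    """Parse '--opt=value' / '--opt value' pairs; reject unknown or repeated options."""
    opts, i = {}, 0
    while i < len(args):
        name, sep, value = args[i].partition("=")
        if not sep:  # '--opt value' form, e.g. --email 'alex@example.com'
            if i + 1 >= len(args):
                raise ValueError(f"{name} needs a value")
            i, value = i + 1, args[i + 1]
        if name not in allowed:
            raise ValueError(f"{name} is not allowed in this group")
        if name == "--subject-alt-name":  # the only option that may repeat within a group
            opts.setdefault(name, []).append(value)
        elif name in opts:
            raise ValueError(f"{name} given twice in one group")
        else:
            opts[name] = value
        i += 1
    return opts

def parse_multi_cert(argv):
    """Split argv on bare '--': the leading group is the CA, each later group one certificate."""
    groups = [[]]
    for arg in argv:
        groups.append([]) if arg == "--" else groups[-1].append(arg)
    ca = parse_opts(groups[0], CA_OPTS)  # CA options only once, up front
    certs, outputs = [], set()
    for group in groups[1:]:
        client = any(a.partition("=")[0] in CLIENT_OPTS for a in group)
        opts = parse_opts(group, CLIENT_OPTS if client else SERVER_OPTS)  # no mixed groups
        cert_opt, key_opt = ("--client-file", "--client-key-file") if client else ("--cert-file", "--cert-key-file")
        if cert_opt not in opts or key_opt not in opts:
            raise ValueError(f"certificate group needs {cert_opt} and {key_opt}")
        for path in (opts[cert_opt], opts[key_opt]):
            if path in outputs:  # two certificates must never overwrite each other's files
                raise ValueError(f"output path {path} used more than once")
            outputs.add(path)
        certs.append(opts)
    return ca, certs

EXAMPLE_ARGV = shlex.split(
    "-- --subject-alt-name='IP:127.0.0.1/255.0.0.0' --cert-file=/path/to/1.pem --cert-key-file=/path/to/1.key"
    " -- --subject-alt-name='IP:127.0.0.2/255.0.0.0' --cert-file=/path/to/2.pem --cert-key-file=/path/to/2.key"
    " -- --client-file=alex.pem --client-key-file=alex.key --email 'alex@example.com'"
    " -- --client-file=bob.pem --client-key-file=bob.key --email 'bob@example.com'")
```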

@sgallagher (Owner, Author)

That's an interesting suggestion. Definitely would require a significant rework of the argument parser.

I'll look into that in the near future.
