@tim-tx
Last active March 26, 2026 18:26
step-ca root and intermediate certs with name constraints

This repo contains templates for generating root and intermediate CAs with step-ca and name constraints. Links:

To generate:

  • step-cli certificate create "my-pki root-ca" root-ca.crt root-ca.key --template root.tpl --not-after 87600h
  • step-cli certificate create "my-pki intermediate-ca" intermediate-ca.crt intermediate-ca.key --template intermediate.tpl --ca root-ca.crt --ca-key root-ca.key
    This command prompts twice: first for the password that decrypts root-ca.key, then for a new password to encrypt intermediate-ca.key.

Notes:

  • Performed on Arch Linux, where the binary is installed as step-cli; on other systems the same commands use step.
  • The quoted strings such as "my-pki root-ca" can be whatever you want; they set the common name (the CN= field) of each certificate.
  • You can set an organization or other subject fields by modifying the template.
  • The step-ca default (what you get from step-cli ca init or step-cli certificate create --profile root-ca) is a 10-year expiry, i.e. 87600 hours (ref).
  • The templates in this repository are based on the step-ca defaults (ref).
  • step-cli ca init doesn't set a password on the root CA key; it's assumed that the root key is stored offline. To get the same behaviour with the command above, add --no-password --insecure.
intermediate.tpl

{
  "subject": {{ toJson .Subject }},
  "keyUsage": ["certSign", "crlSign"],
  "basicConstraints": {
    "isCA": true,
    "maxPathLen": 0
  }
}

root.tpl

{
  "subject": {{ toJson .Subject }},
  "issuer": {{ toJson .Subject }},
  "keyUsage": ["certSign", "crlSign"],
  "basicConstraints": {
    "isCA": true,
    "maxPathLen": 1
  },
  "nameConstraints": {
    "critical": true,
    "permittedDNSDomains": ["my.domain"]
  }
}
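To see what the root's name constraint actually enforces once the two templates are in use, here is an added Go example (it is not part of this gist or of step-ca, and uses only Go's standard crypto/x509 package, the same library step-ca builds on). It builds the same hierarchy in memory: a self-signed root with a critical permittedDNSDomains of my.domain and pathlen 1, an intermediate with pathlen 0 signed by that root, then three leaves issued by the intermediate and chained back to the root. A leaf whose dNSName SAN is under my.domain verifies; one whose dNSName is outside it is rejected; and one carrying only an IP address SAN is accepted, because RFC 5280 name constraints apply per name type and root.tpl constrains only DNS names, so the IP, email and URI name forms need their own constraints if they must be locked down too. Go's verifier checks the constraint against SAN entries and ignores the CN that the quoted strings set. The hostnames, the 10.0.0.1 address and the leaf subject are made up for the example; the critical flag means a client that does not implement name constraints will reject the whole chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// pki is an in-memory root and intermediate mirroring root.tpl and intermediate.tpl.
type pki struct {
	root, inter *x509.Certificate
	interKey    *ecdsa.PrivateKey
}

// sign generates a fresh P-256 key for tmpl, issues it under parent with signer
// (nil signer means self-signed) and returns the parsed certificate and its key.
func sign(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c, key
}

// buildPKI creates the root and intermediate with the same extensions as the templates.
func buildPKI() *pki {
	notBefore := time.Now().Add(-time.Hour)
	notAfter := notBefore.Add(87600 * time.Hour) // the 10-year default from the notes
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "my-pki root-ca"},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: caUsage,
		BasicConstraintsValid: true, IsCA: true, MaxPathLen: 1,
		// root.tpl: "nameConstraints": {"critical": true, "permittedDNSDomains": ["my.domain"]}
		PermittedDNSDomainsCritical: true, PermittedDNSDomains: []string{"my.domain"},
	}
	root, rootKey := sign(rootTmpl, rootTmpl, nil) // issuer == subject, as in root.tpl
	interTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "my-pki intermediate-ca"},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: caUsage,
		// intermediate.tpl: pathlen 0, so it may issue leaves but no further CAs
		BasicConstraintsValid: true, IsCA: true, MaxPathLen: 0, MaxPathLenZero: true,
	}
	inter, interKey := sign(interTmpl, root, rootKey)
	return &pki{root: root, inter: inter, interKey: interKey}
}

// issueAndVerify signs a leaf carrying the given SANs with the intermediate and
// chains it to the root; nil means the chain (and the root's name constraint) passed.
func (p *pki) issueAndVerify(dnsNames []string, ips []net.IP) error {
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "leaf"}, // made-up subject
		NotBefore: p.inter.NotBefore, NotAfter: p.inter.NotAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    dnsNames, IPAddresses: ips,
	}
	leaf, _ := sign(leafTmpl, p.inter, p.interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.root)
	inters.AddCert(p.inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

func main() {
	p := buildPKI()
	for _, c := range []struct {
		label string
		dns   []string
		ips   []net.IP
	}{
		{"DNS SAN inside my.domain", []string{"www.my.domain"}, nil},
		{"DNS SAN outside my.domain", []string{"www.example.org"}, nil},
		{"IP SAN only (DNS constraint does not reach it)", nil, []net.IP{net.ParseIP("10.0.0.1")}},
	} {
		if err := p.issueAndVerify(c.dns, c.ips); err != nil {
			fmt.Printf("%-48s rejected: %v\n", c.label, err)
		} else {
			fmt.Printf("%-48s accepted\n", c.label)
		}
	}
}
```

The rejection for www.example.org surfaces as an unknown-authority error whose hint names the root and says the DNS name is not permitted by any constraint; that is the only chain candidate, so verification fails outright rather than falling back to an unconstrained path.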