pki: generating CSR through API

[mohammed90]

Some platforms request CSR as part of their process of generating mutually trusted credentials. This PR is to try out the idea of letting Caddy generate the CSRs as a feature of the pki app. The ergonomics are to be discussed.

Test run:

~ $ curl -d '{"sans": ["example.com.app"]}' -H 'Accept: application/pkcs10' http://localhost:2019/pki/ca/local/csr > my.csr

~ $ openssl req -text -noout -verify -in my.csr
Certificate request self-signature verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:09:65:23:b0:be:e4:2a:04:00:1f:34:72:49:a7:
                    6a:73:5b:dc:0e:68:40:57:2d:88:34:6f:57:5f:eb:
                    51:9f:aa:59:b5:28:25:b6:13:3a:b8:c3:16:7f:14:
                    47:16:ad:ac:75:ed:32:cf:88:fe:52:cf:11:91:ef:
                    2b:3a:37:ce:99
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    DNS:example.com.app
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:45:02:21:00:e4:8b:b3:ca:bf:35:26:04:47:85:ec:ee:05:
        65:1c:16:05:93:17:09:fe:69:41:34:5f:76:cf:66:af:c3:4b:
        f2:02:20:74:24:a0:7d:60:6b:d7:9b:8a:fb:ea:97:55:22:c3:
        d1:50:b2:e5:a9:88:9e:e1:e0:27:3f:67:31:44:d5:08:d6

~ $ cat my.csr
-----BEGIN CERTIFICATE REQUEST-----
MIHoMIGPAgEAMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQJZSOwvuQqBAAf
NHJJp2pzW9wOaEBXLYg0b1df61Gfqlm1KCW2Ezq4wxZ/FEcWrax17TLPiP5SzxGR
7ys6N86ZoC0wKwYJKoZIhvcNAQkOMR4wHDAaBgNVHREEEzARgg9leGFtcGxlLmNv
bS5hcHAwCgYIKoZIzj0EAwIDSAAwRQIhAOSLs8q/NSYER4Xs7gVlHBYFkxcJ/mlB
NF92z2avw0vyAiB0JKB9YGvXm4r76pdVIsPRULLlqYie4eAnP2cxRNUI1g==
-----END CERTIFICATE REQUEST-----

P.S.: The PR is currently a draft until the code is cleaned up and tests are added

[mohammed90]

On a second thought, we probably should offer the option of which private key to use: root, intermediate, or dedicated.

[mholt]

Ohh I really like where this is going! Will take a look after the weekend :)

[mholt]

I like where this is going! I don't have any strong suggestions right now. I think I wouldn't do much differently.

[mohammed90]

we probably should offer the option of which private key to use: root, intermediate, or dedicated.

I still have not addressed this because I don't know the best design for the payload to accommodate this. Ideas are welcome.

[mholt]

Maybe it could be a query string parameter?