
Easy private certificate management for VMs on AWS, GCP, and Azure

87 points, by alanctkc, over 5 years ago

6 comments

programd, over 5 years ago
The idea and functionality looks good. Some quick friendly feedback:

For production I would want to run this in Docker in some sort of a portable fashion.

Looking at the documentation it seems that you have to manually enter the password when you start up step-ca. That's not really going to work for automated setups. You need to be able to inject secrets from environment variables, or these days, Kubernetes secrets.

There's also the issue of backing up your CA secrets, e.g. if your step-ca process dies and you want to restart it somewhere else. That may be out of scope for step-ca though and handled through some other process, which is fine.

Might be good to add some documentation on how to set this up in a high availability fashion so it is not a single point of failure.

I do like the relative simplicity of this compared to all the other CA solutions out there. Good luck and thanks for the work.
zokier, over 5 years ago
I feel like the lack of an "audience" field (or equivalent) in AWS IID makes them a bit less attractive for authentication than GCP/Azure ones. For example here step-ca could impersonate (if compromised) the client instance to any other services that were to use IID for auth (or vice versa).
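The audience problem zokier describes, as an added example (not code from the thread or from step-ca): a constructed, HMAC-signed stand-in for an instance identity document is verified by two services. Without an audience claim, a verifier cannot tell a document meant for it from one captured by another service, so a compromised CA could replay it; with one, the second service rejects it. The instance id, service names and signing key are all made up.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed stand-in for a cloud instance identity document (IID). Real
# IIDs are signed by the provider's keys; an HMAC key is used here only so
# the example runs offline. All names, ids and keys are made up.
PROVIDER_KEY = b"constructed-provider-signing-key"

def issue_document(instance_id: str, audience: Optional[str]) -> str:
    """Provider side: sign a document describing the instance. audience=None
    models an AWS-style IID with no audience field; a string models a
    GCP/Azure-style document bound to one relying party."""
    doc = {"instance_id": instance_id}
    if audience is not None:
        doc["aud"] = audience
    payload = json.dumps(doc, sort_keys=True).encode()
    sig = hmac.new(PROVIDER_KEY, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode() + "." + base64.b64encode(sig).decode()

def verify_document(token: str, my_audience: str, require_aud: bool) -> Optional[dict]:
    """Relying-party side: check the signature, then the audience. A verifier
    of audience-less documents has to set require_aud=False, which is exactly
    what lets a document captured by one service be replayed to another."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = base64.b64decode(payload_b64), base64.b64decode(sig_b64)
    except ValueError:
        return None
    expected = hmac.new(PROVIDER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if "aud" in claims:
        return claims if claims["aud"] == my_audience else None
    return None if require_aud else claims

def replay_accepted(audience_bound: bool) -> bool:
    """The scenario from the thread: the CA receives an instance's document
    and (if compromised) replays it to another service that trusts the same
    provider. Returns True when that other service accepts it."""
    token = issue_document("i-0123456789abcdef0",
                           "step-ca" if audience_bound else None)
    # The CA itself must accept the document either way, or enrolment fails.
    assert verify_document(token, "step-ca", require_aud=audience_bound)
    # The second service checks for its own audience.
    return verify_document(token, "secrets-service",
                           require_aud=audience_bound) is not None
```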
jively, over 5 years ago
This is very similar to [CFSSL](https://cfssl.org/), any specific reasons to use this over Cloudflare's PKI?
heleninboodler, over 5 years ago
This is very neat stuff and I'd actually be interested in talking to you more about where you see it going in the future, because it's extremely closely related to some stuff I've worked on. One clarification:

Am I understanding it correctly that step-ca can be configured to either 1) hand out certs for any CN or 2) only hand out certs for the machine's FQDN according to the instance metadata? In essence, the "any CN" mode is only useful for knowing that this instance is one of your own (but exactly which one is totally on the honor system), and the "FQDN only" mode is useful if you use your cloud provider's FQDNs for your hosts. Do I have that correct?
urda, over 5 years ago
I've used XCA [1] before for managing my personal CA and PKI certs for things. I simply then share my root CA out to my necessary end points and handle things from there.

[1] https://hohnstaedt.de/xca/
ilaksh, over 5 years ago
What's the advantage of this over some scripts like https://github.com/tomberek/easy-ca?