Certificate generation support in azd?

[ronaldbosma]

I'm curious whether there is a broader need for certificate generation support in azd, possibly via an extension.

I'm currently working on a template for different mTLS scenarios in combination with API Management. As part of that, I needed a (self-signed) certificate hierarchy including a Root CA, Intermediate CA(s) and client certificates.

Initially I considered generating everything through Azure Key Vault, but Key Vault only supports generating 'leaf' certificates and not CA certificates, which makes it difficult to create a complete trust chain.

At the moment I have a PowerShell script that generates the certificate tree, but that limits the experience to Windows users. OpenSSL is another option, but it introduces an external dependency that template users would need to install themselves.

This made me wonder whether an azd extension for certificate generation could make sense as a more native and cross-platform solution. Something that could generate certificate hierarchies for development/testing scenarios directly from azd.

I'm interested to hear whether others have run into similar challenges or have related use cases.

[vhvb1989]

I would like your POV here @heaths - Did you have a tool to use KeyVault for certs?

I have used https://github.com/acmesh-official/acme.sh in the past for my own experiments (when it comes to self-signed). I do believe it would be a good extension

[heaths]

See https://github.com/heaths/akv-cli-rs. I support certificate generation there with similar defaults to az. It's rust but could be adapted to Go fairly easily. In fact, I think you already have everything you need for what few crypto primitives are needed in Go's standard library (unlike Rust that has almost nothing in std).