# =============================================================================
# igcv3.conf.yml - Configuration & Presets
# =============================================================================

# -----------------------------------------------------------------------------
# 1. Logging & Debugging
# -----------------------------------------------------------------------------
logging:
  level: 'info' # Options: debug, info, warn, error, silent
  showIcons: true # Prefix messages with the emojis from `icons` below (e.g., 📄, ✅)
  showTimestamp: false # Prefix messages with a timestamp
  timestampFormat: 'yyyy-MM-dd HH:mm:ss' # date-fns format; presumably only applied when showTimestamp is true
  showPid: false # Prefix messages with the process ID
  # Per-level output colors. Note the extra `success` level, which is not a
  # selectable `level` value above.
  colors:
    debug: 'magenta'
    info: 'blue'
    warn: 'yellow'
    error: 'red'
    success: 'green'
  # Per-level icons; keys mirror `colors`. Used when showIcons is true.
  icons:
    debug: '🔎'
    info: '📄'
    warn: '🚨'
    error: '❌'
    success: '✅'

# -----------------------------------------------------------------------------
# 2. UI/TUI Settings
# -----------------------------------------------------------------------------
ui:
  clearOnBanner: true # Clear terminal when showing banner (presumably no effect when showBanner is false)
  showBanner: true # Display ASCII banner
  serialFormat: 'colon' # Serial number display style (presumably certificate serials). Options: hex, colon

# -----------------------------------------------------------------------------
# 2b. Safety limits
# -----------------------------------------------------------------------------
limits:
  # Maximum allowed size for a single downloaded certificate payload (AIA/HTTP).
  # 2 MiB (2097152 bytes) is generous for cert bundles while still preventing
  # OOM scenarios; a single CA certificate is normally only a few KiB, so this
  # can be lowered where only single-certificate AIA responses are expected.
  maxCertDownloadBytes: 2097152

  # TLS connect timeout (ms) for the initial server certificate fetch (10 s).
  # Bounds how long an unresponsive host can stall the run.
  tlsConnectTimeoutMs: 10000

  # Maximum number of AIA parent CA downloads when reconstructing a chain.
  # Together with aiaStopOnRepeatedUrl this bounds the AIA walk for malformed
  # or cyclic chains.
  maxChainDepth: 5

  # Stop AIA chain reconstruction if the same issuer URL repeats (loop guard).
  aiaStopOnRepeatedUrl: true

  # NOTE(review): these limits cap the size, duration and depth of AIA fetches
  # but not their destination. AIA URLs are taken from the certificate being
  # inspected (i.e. supplied by the remote peer); confirm the downloader
  # restricts them to http(s) and does not follow redirects to loopback or
  # private address ranges.

# =============================================================================
# 3. PKI Settings (Content)
# =============================================================================
pki:
  interactive: true # If false, fail instead of prompting for missing variables (use false for CI / non-TTY runs)
  sanitizeName: true # If true, auto-fix CN for DNS (e.g. "My Site" -> "my-site"). If false, fail on invalid chars.
  # NOTE(review): the CN also feeds storage.filename.format via {{COMMON_NAME}}.
  # Presets may set sanitizeName: false (see presets.vpn-user, whose comment
  # says this *allows* spaces and accents, contradicting "fail on invalid
  # chars" above); confirm which behaviour applies and that the filename
  # builder rejects path separators and '..' in either case.
  mergePresets: true # If false, local config replaces default presets instead of merging.
  # Subject defaults. Presets override individual fields (e.g. validityDays,
  # organizationalUnitName — see `presets` below), presumably with the preset
  # value taking precedence.
  defaults:
    countryName: 'FR' # ISO 3166-1 alpha-2; keep quoted so a value such as "NO" is not read as a boolean
    stateOrProvinceName: 'Ile-de-France'
    localityName: 'Paris'
    organizationName: 'My Company'
    organizationalUnitName: 'IT'
    validityDays: 365
    preset: 'web-standard' # Default preset if none specified (expected to match a key under `presets`)

  # Key generation settings
  # Supported algorithms:
  #   - rsa     : RSA (size: 2048 or 4096)
  #   - ecdsa   : ECDSA (curve: P-256, P-384, P-521)
  #   - ed25519 : Ed25519 (no curve needed, fixed params)
  # Presets can override this mapping (see presets.web-modern).
  keys:
    algo: 'rsa' # Options: rsa, ecdsa, ed25519
    size: 2048 # RSA only: 2048 or 4096. 2048 is the floor; prefer 4096 for long-lived or CA keys
    # curve: 'P-256'    # ECDSA only: P-256, P-384, P-521
    encoding: 'pem' # pem, der

  csr:
    signature: 'sha256' # sha256, sha384, sha512 (SHA-1 is not offered)
    encoding: 'pem' # pem, der

# =============================================================================
# 4. Storage & Naming (Logistics)
# =============================================================================
storage:
  paths:
    output: './certs'
    archive: './archive'
    # Strict allowlist for output paths (writes outside are rejected).
    # Entries are relative paths — presumably resolved against the working
    # directory; confirm symlinks and '..' are resolved before the check.
    # NOTE(review): paths.archive ('./archive') is not listed here. If archive
    # writes go through this allowlist they will be rejected; if they bypass
    # it, that exemption is worth documenting.
    # './tests' is a development convenience; drop it from production configs.
    allowedOutputDirs:
      - './certs'
      - './pki'
      - './out'
      - './tests'

  # Output filename configuration
  filename:
    # Available variables:
    # - {{COMMON_NAME}} : The CN of the certificate (e.g., mysite.com)
    # - {{TIMESTAMP}}   : Date/Time formatted according to timestampFormat
    # - {{PRESET}}      : Name of the preset used (e.g., web-standard)
    # {{COMMON_NAME}} is user input; whatever validation applies when
    # pki.sanitizeName is false must also reject path separators and '..'
    # before the value reaches the filename — confirm.
    format: '{{COMMON_NAME}}_{{TIMESTAMP}}'
    timestampFormat: 'yyyyMMdd_HHmmss' # date-fns format (independent of logging.timestampFormat)

  # Conflict handling (Existing files)
  conflict:
    # 'archive' renames the existing file using archiveFormat below; 'error'
    # aborts; 'overwrite' presumably replaces the file in place, so an
    # existing private key would be lost with no backup.
    strategy: 'archive' # Options: 'archive', 'overwrite', 'error'

    # Archive renaming format
    # Available variables:
    # - {{FILENAME}}  : Original filename without extension
    # - {{EXTENSION}} : Original extension (e.g., .key)
    # - {{TIMESTAMP}} : Archive timestamp
    # Archived copies of .key files still hold private key material and need
    # the same file permissions and cleanup as the live key.
    archiveFormat: '{{FILENAME}}{{EXTENSION}}.{{TIMESTAMP}}.bak'

# -----------------------------------------------------------------------------
# 5. Presets (Certificate Templates)
# -----------------------------------------------------------------------------
presets:
  # Keys used by presets in this file: description, validityDays,
  # organizationalUnitName, keys, extensions, sanitizeName, variables,
  # subjectAltName.templates. Template strings use {{VAR}} placeholders filled
  # from `variables` (or {{COMMON_NAME}} from the CN). Presets are presumably
  # layered over pki.defaults.

  # --- 1. Standard Web Server (New Deployment) ---
  web-standard:
    description: 'Standard Web Server (1 Year, New Key)'
    validityDays: 365
    organizationalUnitName: 'Web Services'
    subjectAltName:
      templates:
        - 'DNS:{{COMMON_NAME}}'
        - 'DNS:www.{{COMMON_NAME}}'

  # --- 2. Modern Web Server (ECDSA P-256) ---
  web-modern:
    description: 'Modern Web Server (ECDSA P-256, 1 Year)'
    validityDays: 365
    organizationalUnitName: 'Web Services'
    # Overrides pki.keys (algo/curve) for this preset
    keys:
      algo: 'ecdsa'
      curve: 'P-256'
    subjectAltName:
      templates:
        - 'DNS:{{COMMON_NAME}}'
        - 'DNS:www.{{COMMON_NAME}}'

  # --- 3. Web Server Renewal (Reuse Key) ---
  web-renewal:
    description: 'Renew Web Server (Reuse Existing Key)'
    validityDays: 365
    organizationalUnitName: 'Web Services'
    # Prompt for the key path if not provided via CLI --key
    # (lower-case name, unlike the upper-case variables in `machine` —
    # presumably because it maps to the --key flag)
    variables:
      key:
        type: 'input'
        message: 'Path to existing Private Key'
        validate: '.+' # Only rejects an empty answer; the path itself is not checked here

    subjectAltName:
      templates:
        - 'DNS:{{COMMON_NAME}}'
        - 'DNS:www.{{COMMON_NAME}}'

  # --- 4. Internal Service (mTLS, Short Lived) ---
  internal-service:
    description: 'Internal Service (mTLS, 90 Days)'
    validityDays: 90
    organizationalUnitName: 'Internal Infrastructure'
    # Both EKUs: the cert is usable as server and as client for mTLS
    extensions:
      serverAuth: true
      clientAuth: true
    subjectAltName:
      templates:
        - 'DNS:{{COMMON_NAME}}'
        - 'DNS:{{COMMON_NAME}}.internal'
        # Makes every internal-service cert valid for localhost; remove if not
        # needed for local testing.
        - 'DNS:localhost'

  # --- 5. VPN/User Identity (Client Auth Only) ---
  vpn-user:
    description: 'User Identity / VPN (Client Auth)'
    validityDays: 365
    organizationalUnitName: 'Remote Access'
    sanitizeName: false # Allow spaces and accents for user names (e.g. "Hélène DOE")
    # NOTE(review): the pki.sanitizeName comment says false means "fail on
    # invalid chars", which contradicts the intent stated above; confirm which
    # behaviour applies and align the two comments. With the CN unsanitized,
    # the {{COMMON_NAME}} in storage.filename.format must still be made
    # filesystem-safe.
    extensions:
      serverAuth: false
      clientAuth: true
    # No SANs by default for users, usually just CN is enough
    subjectAltName:
      templates: [] # explicit empty list; a bare `templates:` would parse as null

  # --- 6. Machine Certificate (Dynamic OU) ---
  machine:
    description: 'Machine Certificate'
    variables:
      # No `validate` pattern: the answer goes into the OU template below as typed
      PROJECT:
        type: 'input'
        message: 'Project Name'
      ENV:
        type: 'list'
        message: 'Environment'
        choices: ['DEV', 'INT', 'PROD']
      IP_ADDRESS:
        type: 'input'
        message: 'IP Address for SAN'
        # Anchored regex for IPv4 OR IPv6 (simplified). The IPv6 branches only
        # match the full 8-group form, a leading '::' (e.g. ::1) or a trailing
        # '::' (e.g. fe80::); addresses with '::' in the middle (e.g.
        # 2001:db8::1) and IPv4-mapped forms are rejected. The value is written
        # into the IP: SAN below unchanged, so keep the pattern anchored.
        validate: '^((25[0-5]|(2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|(2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))|([0-9a-fA-F]{1,4}:){1,7}:|:((:[0-9a-fA-F]{1,4}){1,7}|:)|([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4})$'
    validityDays: 730
    # Multiple OU values. The first two are quoted digit strings (quoting keeps
    # the leading zeros from being read as a number) and look like placeholders
    # to replace before use.
    organizationalUnitName:
      - '00000000000000000000000000000001'
      - '00000000000000000000000000000002'
      - '{{PROJECT}}-{{ENV}}'
    subjectAltName:
      templates:
        - 'DNS:{{COMMON_NAME}}'
        - 'DNS:{{COMMON_NAME}}.private'
        - 'IP:{{IP_ADDRESS}}'
