Support --kty option in the step ca init command

[CMCDragonkai]

What would you like to be added

There are lots of clients/servers that don't yet support ECDSA. I need a way to use RSA keys instead. There's the --kty option for step ca certificate, but not for step ca init?

[odedpriva]

@dopey, I will give it a try, any pointers ?

[dopey]

Let me preface this by saying that this may actually be a more challenging issue because it may need some design. Basically, we create a whole handful of keys on step ca init. Should the kty flag apply to all those keys? Only the x509 ones? Only the SSH ones.

I'll leave some notes below, but this may not be the easiest issue to start with.

---

Take a look at how the kty flag is used in a few other commands (here's one example https://github.com/smallstep/cli/blob/6b23538520fc8c720b067bec2fb7fe630f8825f4/command/certificate/create.go, and here's the definition of the flag

cli/flags/flags.go

Lines 20 to 37 in 6b23538

	// KTY is the flag to set the key type.
	KTY = cli.StringFlag{
	Name: "kty",
	Value: "EC",
	Usage: `The <kty> to build the certificate upon.
	If unset, default is EC.
	: <kty> is a case-sensitive string and must be one of:
	**EC**
	: Create an **elliptic curve** keypair
	**OKP**
	: Create an octet key pair (for **"Ed25519"** curve)
	**RSA**
	: Create an **RSA** keypair`,
	}

).

Down here (

cli/command/certificate/create.go

Lines 662 to 669 in 6b23538

	kty, crv, size, err := utils.GetKeyDetailsFromCLI(ctx, ctx.Bool("insecure"), "kty", "curve", "size")
	if err != nil {
	return nil, nil, err
	}
	pub, priv, err := keys.GenerateKeyPair(kty, crv, size)
	if err != nil {
	return nil, nil, err
	}

) we use that flag to generate a new key pair. In the step ca init command (https://github.com/smallstep/cli/blob/6b23538520fc8c720b067bec2fb7fe630f8825f4/command/ca/init.go) we'll want to do the same thing. Instead of using default values for the key type and size.

I think the actual code changes will need to be made in the certficiates repo, unfortunately. https://github.com/smallstep/certificates/blob/master/pki/pki.go#L506 -- anywhere CreateKey is called.