zeasypki -- easy PKI
This is helper script for managing X.509 TLS PKI.

ECDSA and EdDSA keypairs are handled with GnuTLS'es certtool.
GOST keypairs are handled with GoGOST'es utilities
(http://www.gogost.cypherpunks.ru).

CA certificates have 10 years validity lifetime.
EE certificates have 365 days one.
EE certificates contain only domain name and optionally a country.

Edit zeasypki to suit your needs and working environment. Probably you want
to change path-variable setting, that points to GoGOST'es built utilities.

* Create CA keypairs:
    $ mkdir mypki && cd mypki
    $ zeasypki ca eddsa eddsa-root.com
    $ zeasypki ca gost gost-root.ru

    $ zeasypki list-ca
    ca/eddsa/eddsa-root.com
    ca/gost/gost-root.ru

    $ print ca/eddsa/eddsa-root.com/*
    cer.pem
    key.pem

* Optionally encrypt them (that also can be done with EE keypairs too):
    $ zeasypki encrypt ca/eddsa/eddsa-root.com
    [age is invoked here]
    $ print ca/eddsa/eddsa-root.com/*
    cer.pem
    key.pem.enc

* Create EE keypairs:
    $ zeasypki new ee/eddsa/eddsa-root.com/some.domain.com

* Renew then EE keypairs:
    $ zeasypki renew ee/eddsa/eddsa-root.com/some.domain.com

* To get DANE SHA256 fingerprint:
    $ zeasypki dane KEY

* To get full PEM-encoded keypair:
    $ zeasypki keypair KEY

* To get remind (https://dianne.skoll.ca/projects/remind/) compatible
  calendar of certificates expiration times:
    $ zeasypki rem