Support --kty option in the step ca init command
What would you like to be added
There are lots of clients/servers that don't yet support ECDSA. I need a way to use RSA keys instead. There's the --kty option for step ca certificate, but not for step ca init?
@dopey, I will give it a try, any pointers?
Let me preface this by saying that this may actually be a more challenging issue because it may need some design. Basically, we create a whole handful of keys on step ca init. Should the kty flag apply to all those keys? Only the x509 ones? Only the SSH ones?
I'll leave some notes below, but this may not be the easiest issue to start with.
Take a look at how the kty flag is used in a few other commands (here's one example https://github.com/smallstep/cli/blob/6b23538520fc8c720b067bec2fb7fe630f8825f4/command/certificate/create.go, and here's the definition of the flag https://github.com/smallstep/cli/blob/6b23538520fc8c720b067bec2fb7fe630f8825f4/flags/flags.go#L20-L37).
Down here (https://github.com/smallstep/cli/blob/6b23538520fc8c720b067bec2fb7fe630f8825f4/command/certificate/create.go#L662-L669) we use that flag to generate a new key pair. In the step ca init command (https://github.com/smallstep/cli/blob/6b23538520fc8c720b067bec2fb7fe630f8825f4/command/ca/init.go) we'll want to do the same thing, instead of using default values for the key type and size.
I think the actual code changes will need to be made in the certificates repo, unfortunately. https://github.com/smallstep/certificates/blob/master/pki/pki.go#L506 -- anywhere CreateKey is called.
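
Added example, not part of the thread and not smallstep's code: a standard-library Go sketch of the design question above, where a requested key type applies only to the keys in a chosen scope and the others keep an EC default. The function names, the role names, the "EC"/"RSA" values and the 2048-bit RSA floor are assumptions made for illustration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
	"strings"
)

// GenerateKey maps a --kty style value to a key pair and fails on unknown or
// weak input instead of falling back to a default. "EC" means P-256 here and
// the 2048-bit RSA floor is an assumption of this sketch.
func GenerateKey(kty string, size int) (k crypto.Signer, err error) {
	switch {
	case kty == "EC":
		k, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	case kty == "RSA" && size >= 2048:
		k, err = rsa.GenerateKey(rand.Reader, size)
	default:
		err = fmt.Errorf("unsupported key type %q or weak size %d", kty, size)
	}
	if err != nil {
		return nil, err // never hand back a typed-nil key
	}
	return k, nil
}

// InitKeys applies kty/size to roles whose name starts with scope ("" for
// all, "x509" or "ssh"); the rest keep the EC default. Role names are made up.
func InitKeys(kty string, size int, scope string) (keys map[string]crypto.Signer, err error) {
	keys = map[string]crypto.Signer{}
	for _, r := range []string{"x509-root", "x509-intermediate", "ssh-host", "ssh-user"} {
		t := "EC"
		if strings.HasPrefix(r, scope) {
			t = kty
		}
		if keys[r], err = GenerateKey(t, size); err != nil {
			return nil, fmt.Errorf("%s: %w", r, err)
		}
	}
	return keys, nil
}

func main() {
	keys, err := InitKeys("RSA", 2048, "x509")
	fmt.Println(len(keys), err)
}
```

Making the scope an explicit parameter keeps the "all keys, only x509, or only SSH" decision visible at the call site, and a rejected key type or size aborts the whole init rather than producing a mixed or downgraded set of keys.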