Switch to generating certs with openssl.

nix/kubernetes/keys/package/k8s-ca/package.nix

@@ -9,13 +9,12 @@
 # distPhase
 {
   stdenv,
-  sqlite,
-  cfssl,
+  openssl,
   ...
 }:
 stdenv.mkDerivation (finalAttrs: {
   name = "k8s-ca";
-  nativeBuildInputs = [ cfssl ];
+  nativeBuildInputs = [ openssl ];
   buildInputs = [ ];
 
   unpackPhase = "true";
@@ -23,6 +22,11 @@ stdenv.mkDerivation (finalAttrs: {
   installPhase = ''
     mkdir -p "$out"
     cd "$out"
-    cfssl gencert -initca ${./files/ca-csr.json} | cfssljson -bare ca
+
+    openssl genrsa -out ca.key 4096
+    openssl req -x509 -new -sha512 -noenc \
+            -key ca.key -days 3653 \
+            -config ${./files/ca.conf} \
+            -out ca.crt
   '';
 })