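# Build (or wrap) a self-signed CA for a cfssl-based PKI.
#
# Arguments:
#   pkgs  - nixpkgs instance; defaults to the <nixpkgs> search-path entry
#           (the original `import {}` is not a valid import target and was
#           almost certainly `import <nixpkgs> {}` with the angle brackets lost).
#   ca    - optional pre-existing CA derivation/path; when non-null it is used
#           as-is and no key material is generated.
#   name  - CA name; used for the CSR CN/OU and for the derivation name.
#   hosts - SAN list written into the CSR (empty for a pure CA).
#
# Result: a derivation whose $out holds the *.pem files produced by cfssl,
# i.e. the CA certificate AND the CA private key.  The Nix store is readable
# by every user of the build host, so a CA produced this way is only suitable
# where that exposure is acceptable (e.g. throwaway test/dev PKI); for a
# production root, pass a `ca` built outside the store instead.
{ pkgs ? import <nixpkgs> {}, ca ? null, name ? "ca", hosts ? [], ... }:

with pkgs;

let
  # cfssl CSR specification for the root.  2048-bit RSA is what the spec
  # asks for; a larger key or ECDSA would be a one-line change here.
  ca_csr = pkgs.writeText "${name}-csr.json" (builtins.toJSON {
    inherit hosts;
    CN = "${name}";
    key = { algo = "rsa"; size = 2048; };
    names = [
      { CN = "${name}"; O = "NixOS"; OU = "${name}.pki.caSpec"; L = "generated"; }
    ];
  });

  # Generate the self-signed CA.  `cfssljson -bare ca` writes ca.pem and
  # ca-key.pem (plus the CSR); the `*.pem` glob therefore copies the private
  # key into the store output alongside the certificate.
  ca' = pkgs.runCommand "initca" { buildInputs = [ pkgs.cfssl ]; } ''
    cfssl genkey -initca ${ca_csr} | cfssljson -bare ca
    mkdir -p $out
    cp *.pem $out
  '';

  # A caller-supplied CA takes precedence over generating a fresh one.
  initca = if ca != null then ca else ca';
in
# Wrap in a second derivation so the result's store hash depends on the
# actual cfssl output (initca), not merely on the CSR inputs.
pkgs.stdenv.mkDerivation {
  inherit name;
  src = initca;
  buildCommand = ''
    mkdir -p $out
    cp -r $src/* $out
  '';
}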