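# Build a derivation containing a certificate authority (certificate, CSR and
# private key as PEM files).
#
# Arguments:
#   pkgs - package set to take cfssl/stdenv from (defaults to <nixpkgs>).
#   ca   - path or derivation of an existing CA directory to reuse; when left
#          as "" a fresh self-signed CA is generated with cfssl.
#   name - name of the resulting derivation, also used as the CA's CN.
#
# SECURITY NOTE(review): every file copied to $out ends up in the Nix store,
# which is readable by all local users. `cfssljson -bare ca` writes the CA
# private key (ca-key.pem) next to the certificate, and `cp *.pem` copies it
# too, so the key is exposed to anyone who can read the store (and presumably
# to any cache or machine the store path is copied to -- confirm for your
# deployment). Treat the output as test/bootstrap material only; a production
# CA key should be generated outside the store and provisioned as a secret.
{ pkgs ? import <nixpkgs> {}, ca ? "", name ? "ca", ... }:

with pkgs;

let
  # Freshly generated CA, used only when the caller did not supply `ca`.
  ca' =
    let
      # cfssl CSR describing the CA subject and key parameters.
      # NOTE(review): RSA 2048 is kept as the original author chose it;
      # consider a larger RSA key or an ECDSA key for a long-lived CA.
      ca_csr = pkgs.writeText "${name}-csr.json" (builtins.toJSON {
        key = {
          algo = "rsa";
          size = 2048;
        };
        names = [
          {
            CN = name;
            O = "NixOS";
            OU = "${name}.pki.caSpec";
            L = "generated";
          }
        ];
      });
    in
    # Key generation is not reproducible: each rebuild of this derivation
    # yields a different key pair under the same store path name.
    pkgs.runCommand "initca" { buildInputs = [ pkgs.cfssl ]; } ''
      cfssl genkey -initca ${ca_csr} | cfssljson -bare ca
      mkdir -p "$out"
      # Copies ca.pem and ca-key.pem (private key) into the store.
      cp *.pem "$out"
    '';

  # Prefer the caller-supplied CA; fall back to the generated one.
  initca = if ca != "" then ca else ca';
in
# Wrap initca in a derivation carrying the requested name, so that the
# resulting store path depends on the initca (cfssl) output it is built from.
pkgs.stdenv.mkDerivation {
  inherit name;
  src = initca;
  buildCommand = ''
    mkdir -p "$out"
    # A caller-supplied CA directory is copied into the store as well,
    # including any private key it contains.
    cp -r "$src"/* "$out"
  '';
}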