v1.20.1 (Latest)

Published: Jun 17, 2024 License: MIT Imports: 20 Imported by: 0



Package tinyca implements a small and flexible Certificate Authority. The CA issues client certificates signed by a root certificate and private key.

tinyca exposes a simple HTTP API to issue certificates. tinyca is primarily meant to issue client certificates for mTLS authentication.

The CA also provides an interface to customize the certificate template. This allows applications to add application-specific data to issued certificates, along with the standard bifrost fields.



const GauntletTimeout = 100 * time.Millisecond

GauntletTimeout is the maximum time the CA Gauntlet function is allowed to run.

const MaxIssueValidity = 30 * 24 * time.Hour

MaxIssueValidity is the maximum validity period for issued certificates.




func CACertTemplate added in v1.16.8

func CACertTemplate(ns, id uuid.UUID) (*x509.Certificate, error)

CACertTemplate returns a new x509.Certificate template for a CA certificate.

func ParseValidity added in v1.16.8

func ParseValidity(notBefore string, notAfter string) (time.Time, time.Time, error)

ParseValidity parses notBefore and notAfter into time.Time values. notBefore and notAfter can either be in RFC3339 format or a duration offset from the current time. Offset durations are parsed using time.ParseDuration. If notBefore is empty or set to "now", it defaults to the current time. If notAfter is empty, it behaves as if it is set to "+1h". Negative validity periods are not allowed.
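As an added illustration, not the project's own code, the following stand-alone Go program implements the contract described above and adds a separate check against MaxIssueValidity so a caller cannot request a window longer than the CA permits. The names parseBound, parseValidity and checkIssueValidity are chosen for this example, and the current time is passed in explicitly so the behaviour is deterministic.

```go
package main

import (
	"fmt"
	"time"
)

// maxIssueValidity mirrors tinyca's MaxIssueValidity constant (30 days).
const maxIssueValidity = 30 * 24 * time.Hour

// parseBound resolves one bound: an RFC3339 timestamp is taken as-is, anything else must be a time.ParseDuration offset from now ("+1h", "-5m").
func parseBound(s string, now time.Time) (time.Time, error) {
	if t, err := time.Parse(time.RFC3339, s); err == nil {
		return t, nil
	}
	d, err := time.ParseDuration(s)
	if err != nil {
		return time.Time{}, fmt.Errorf("%q is neither RFC3339 nor a duration: %w", s, err)
	}
	return now.Add(d), nil
}

// parseValidity follows the documented contract of tinyca.ParseValidity (example implementation, not the library's).
func parseValidity(notBefore, notAfter string, now time.Time) (time.Time, time.Time, error) {
	if notBefore == "" || notBefore == "now" {
		notBefore = "+0s" // defaults to the current time
	}
	if notAfter == "" {
		notAfter = "+1h" // documented default
	}
	nb, err := parseBound(notBefore, now)
	if err != nil {
		return time.Time{}, time.Time{}, err
	}
	na, err := parseBound(notAfter, now)
	if err != nil {
		return time.Time{}, time.Time{}, err
	}
	if na.Before(nb) {
		return time.Time{}, time.Time{}, fmt.Errorf("negative validity period: %s ends before %s", na, nb)
	}
	return nb, na, nil
}

// checkIssueValidity is an added guard, not part of tinyca's documented API: it rejects windows longer than MaxIssueValidity before anything is signed.
func checkIssueValidity(nb, na time.Time) error {
	if d := na.Sub(nb); d > maxIssueValidity {
		return fmt.Errorf("validity %s exceeds maximum %s", d, maxIssueValidity)
	}
	return nil
}
```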

func TLSClientCertTemplate added in v1.16.8

func TLSClientCertTemplate() *x509.Certificate

TLSClientCertTemplate returns a new x509.Certificate template for a client certificate.


type CA

type CA struct {
	// contains filtered or unexported fields
}

CA is a simple Certificate Authority. The CA issues client certificates signed by a root certificate and private key. The CA provides an HTTP handler to issue certificates. The CA also provides a Gauntlet function to customize the certificate template. Call Close to release resources when done.

func New

func New(
	cert *bifrost.Certificate,
	key *bifrost.PrivateKey,
	gauntlet Gauntlet,
) (*CA, error)

New returns a new Certificate Authority. The CA signs client certificates with the provided root certificate and private key, and uses the provided gauntlet func to customize issued certificates.

func (*CA) Close added in v1.20.0

func (ca *CA) Close() error

Close releases resources held by the CA. Multiple calls to Close are safe.

func (*CA) IssueCertificate

func (ca *CA) IssueCertificate(asn1CSR []byte, notBefore, notAfter time.Time) ([]byte, error)

IssueCertificate issues a client certificate for a valid certificate request parsed from asn1CSR.

func (*CA) ServeHTTP

func (ca *CA) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP issues a certificate if a valid certificate request is read from the request.

Requests carrying a content-type of "text/plain" should have a PEM encoded certificate request. Requests carrying a content-type of "application/octet-stream" should submit the ASN.1 DER encoded form instead.

func (*CA) ServeMux added in v1.20.1

func (ca *CA) ServeMux() *http.ServeMux

ServeMux returns an http.ServeMux with the CA's HTTP handler registered at "POST /issue". The ServeMux also provides a "GET /namespace" endpoint that returns the namespace of the CA.

type Gauntlet added in v1.19.0

type Gauntlet func(ctx context.Context, csr *bifrost.CertificateRequest) (tmpl *x509.Certificate, err error)

Gauntlet is the signature for a function that validates a certificate request. If the second return value is non-nil, then the certificate request is denied. If the first return value is nil, the default template TLSClientCertTemplate will be used. If the function exceeds GauntletTimeout, ctx will be cancelled and the request will be denied with an error. The template will be used to issue a client certificate. Consult the x509 package for the full list of fields that can be set. tinyca will overwrite the following template fields:

  • NotBefore
  • NotAfter
  • SignatureAlgorithm
  • Issuer
  • Subject.Organization
  • Subject.CommonName
  • BasicConstraintsValid

If SerialNumber is nil, a random value will be generated.
