genpki

command

v0.0.0-...-0d210ac Latest Latest Go to latest Published: Mar 30, 2021 License: MPL-2.0 Imports: 16 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/mozilla-services/autograph

README ¶

genpki

Simple utility to create a PKI for a contentsignaturepki signer.

It supports both SoftHSM and local key generation, but softhsm being the default. Use -no-hsm to create key in regular files instead.

Example

SoftHSM


First initialize a softhsm environment with

```bash
mkdir -p /var/lib/softhsm/tokens
softhsm2-util --init-token --slot 0 --label test --pin 0000 --so-pin 0000
```      

The configuration for how to talk to softhsm is kept in genpki.go
```go
p11Ctx, err := crypto11.Configure(&crypto11.PKCS11Config{
    Path:       "/usr/lib/softhsm/libsofthsm2.so",
    TokenLabel: "test",
    Pin:        "0000",
})
```

Then run the `genpki` tool. Genpki outputs the label of the root and intermediate keys in the HSM, and writes their public certificates to temp files.

```bash
$ go run genpki.go
2019/02/22 12:09:07 Using HSM on slot 1623786617
root key name: csroot1550855347
root cert path: /tmp/csrootcert097998013
inter key name: csinter1550855347
inter cert path: /tmp/csintercert802092792
```

The corresponding autograph configuration would be
```yaml
  - id: foo
    type: contentsignaturepki
    validity: 708h
    clockskewtolerance: 720h
    chainuploadlocation: s3://net-mozaws-dev-content-signature/chains/
    x5u: https://s3.amazonaws.com/net-mozaws-dev-content-signature/chains/
    privatekey: csinter1550855347
    publickey: CONTENT_OF_/tmp/csintercert802092792
    cacert: CONTENT_OF_/tmp/csrootcert097998013
```

Local (No HSM)

With the -no-hsm flag set, genpki would write the private keys of the root CA and intermediate issuer to temp files instead. The private key of the intermediate issuer can then be added to the autograph privatekey signer configuration (instead of referencing the label of the key in the HSM).

$ go run genpki.go -no-hsm
[...]
root privkey path: /tmp/csrootkey339824548
inter privkey path: /tmp/csinterkey276780723

The corresponding autograph configuration would be

  - id: foo
    type: contentsignaturepki
    validity: 708h
    clockskewtolerance: 720h
    chainuploadlocation: s3://net-mozaws-dev-content-signature/chains/
    x5u: https://s3.amazonaws.com/net-mozaws-dev-content-signature/chains/
    privatekey: CONTENT_OF_/tmp/csinterkey276780723
    publickey: CONTENT_OF_/tmp/csintercert802092792
    cacert: CONTENT_OF_/tmp/csrootcert097998013

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

genpki.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL