Documentation

Overview

Package certauthority implements a simple x509 certificate authority suitable for use in an aggregated API service.

Constants

const ErrInvalidCACertificate = constable.Error("invalid CA certificate")

ErrInvalidCACertificate is returned when the contents of the loaded CA certificate do not meet our assumptions.

Variables

This section is empty.

      Functions

func ToPEM

func ToPEM(cert *tls.Certificate) ([]byte, []byte, error)

Encode a tls.Certificate into a private key PEM and a cert chain PEM.

Types

type CA

type CA struct {
	// contains filtered or unexported fields
}

CA holds the state for a simple x509 certificate authority suitable for use in an aggregated API service.

func Load

func Load(certPEM string, keyPEM string) (*CA, error)

Load a certificate authority from an existing certificate and private key (in PEM format).

func New

func New(commonName string, ttl time.Duration) (*CA, error)

New generates a fresh certificate authority with the given Common Name and TTL.

func (*CA) Bundle

func (c *CA) Bundle() []byte

Bundle returns the current CA signing bundle in concatenated PEM format.

func (*CA) IssueClientCert

func (c *CA) IssueClientCert(username string, groups []string, ttl time.Duration) (*tls.Certificate, error)

IssueClientCert issues a new client certificate for the given identity and duration, with the username and groups encoded in the Kube-style certificate subject.

func (*CA) IssueClientCertPEM

func (c *CA) IssueClientCertPEM(username string, groups []string, ttl time.Duration) ([]byte, []byte, error)

Similar to IssueClientCert, but returning the new cert as a pair of PEM-formatted byte slices for the certificate and private key.

func (*CA) IssueServerCert

func (c *CA) IssueServerCert(dnsNames []string, ips []net.IP, ttl time.Duration) (*tls.Certificate, error)

IssueServerCert issues a new server certificate for the given identity and duration. The dnsNames and ips are each optional, but at least one of them should be specified.

func (*CA) IssueServerCertPEM

func (c *CA) IssueServerCertPEM(dnsNames []string, ips []net.IP, ttl time.Duration) ([]byte, []byte, error)

Similar to IssueServerCert, but returning the new cert as a pair of PEM-formatted byte slices for the certificate and private key.

func (*CA) Pool

func (c *CA) Pool() *x509.CertPool

Pool returns the current CA signing bundle as a *x509.CertPool.

func (*CA) PrivateKeyToPEM

func (c *CA) PrivateKeyToPEM() ([]byte, error)

PrivateKeyToPEM returns the current CA private key in PEM format, if this CA was constructed by New.
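The following is an added example, not code from the certauthority package, showing how the New / IssueClientCert / IssueServerCert / Pool flow documented above fits together when built only on Go's standard library. The MiniCA type, the sign and issue helpers, and VerifyClient are hypothetical stand-ins for illustration. It encodes the identity the way Kubernetes reads client certificates (username from the subject CN, groups from the O values), enforces the "at least one of dnsNames or ips" rule from IssueServerCert, keeps the CA key usage limited to certificate signing, and forces IsCA off on every issued leaf.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// MiniCA is a hypothetical stand-in for the page's CA type, built only on the standard library.
type MiniCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// sign fills in a random 128-bit serial and the validity window, signs tmpl with the parent key, and parses the result.
func sign(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey, ttl time.Duration) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl.SerialNumber, tmpl.NotBefore, tmpl.NotAfter = serial, now.Add(-time.Minute), now.Add(ttl)
	tmpl.BasicConstraintsValid = true // makes the IsCA value authoritative for verifiers
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewMiniCA mirrors New(commonName, ttl): a self-signed CA whose key usage is limited to signing certificates.
func NewMiniCA(commonName string, ttl time.Duration) (*MiniCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: commonName}, IsCA: true, KeyUsage: x509.KeyUsageCertSign}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key, ttl)
	if err != nil {
		return nil, err
	}
	return &MiniCA{cert: cert, key: key}, nil
}

// issue signs one leaf with a fresh key. IsCA is forced off so an issued certificate can never mint further
// certificates. The leaf key is discarded here; the page's API hands it back inside a *tls.Certificate.
func (c *MiniCA) issue(tmpl *x509.Certificate, ttl time.Duration) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl.IsCA, tmpl.KeyUsage = false, x509.KeyUsageDigitalSignature
	return sign(tmpl, c.cert, &leafKey.PublicKey, c.key, ttl)
}

// IssueClientCert mirrors the page's IssueClientCert: Kubernetes reads the username from the subject CN and groups from O.
func (c *MiniCA) IssueClientCert(username string, groups []string, ttl time.Duration) (*x509.Certificate, error) {
	return c.issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: username, Organization: groups},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ttl)
}

// IssueServerCert mirrors the page's IssueServerCert; an identity with neither DNS names nor IPs is refused.
func (c *MiniCA) IssueServerCert(dnsNames []string, ips []net.IP, ttl time.Duration) (*x509.Certificate, error) {
	if len(dnsNames) == 0 && len(ips) == 0 {
		return nil, fmt.Errorf("server certificate needs at least one DNS name or IP address")
	}
	return c.issue(&x509.Certificate{
		DNSNames:    dnsNames,
		IPAddresses: ips,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ttl)
}

// Pool mirrors the page's Pool: a trust store that holds only this CA.
func (c *MiniCA) Pool() *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(c.cert)
	return pool
}

// VerifyClient checks a client certificate against the pool and returns the identity an API server would derive from it.
func VerifyClient(pool *x509.CertPool, leaf *x509.Certificate) (string, []string, error) {
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", nil, err
	}
	return leaf.Subject.CommonName, leaf.Subject.Organization, nil
}

func main() {
	ca, _ := NewMiniCA("demo-ca", time.Hour)
	leaf, _ := ca.IssueClientCert("alice", []string{"developers"}, 10*time.Minute)
	fmt.Println(VerifyClient(ca.Pool(), leaf))
}
```

The point of the Pool/VerifyClient pair is that the trust decision rests on the CA certificate alone: a client certificate with the same CN and O values but issued by a different CA fails Verify, so an API server must only ever trust the bundle of the CA it expects, never the subject fields by themselves.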

Directories

Path: dynamiccertauthority
Synopsis: Package dynamiccertauthority implements an x509 certificate authority capable of issuing certificates from a dynamically updating CA keypair.