Documentation
Overview
Package autocert is an opinionated PKI library for non-production use. It can be used to set up a certificate authority (CA) and sign certificates with it. There can only be one CA at a time, and its certificate must be long-lived (five years or more); leaf certificates it issues may be valid for at most one hour from the time of the request. All certificates, CA and leaf alike, use ed25519 public keys. An existing CA can be imported, but it must be a root CA certificate; intermediate CA certificates are rejected.
Index
- Variables
- func GetCACertificate() *x509.Certificate
- func GetCAKey(pemEncoded bool) []byte
- func GetPemEncodedCACertificate() []byte
- func ImportCA(certificate []byte, key []byte) error
- func InitialiseCA(certOpts *CertificateOptions) ([]byte, error)
- func RequestCertificate(certOpts *CertificateOptions) ([]byte, []byte, error)
- type CertificateOptions
Constants
This section is empty.
Variables
var (
	// ErrCAAlreadyInitialised is returned when a CA initialisation request is made while there is already a CA
	ErrCAAlreadyInitialised = errors.New("CA is already initialised")
	// ErrCANotInitialised is returned when a certificate is requested but no CA is initialised
	ErrCANotInitialised = errors.New("CA has not been initialised")
	// ErrCAIsNotRootCA is returned when the CA being imported is an intermediate CA certificate rather than a root
	ErrCAIsNotRootCA = errors.New("CA must be a root CA")
	// ErrCertificateNotPemEncoded is returned when a CA is imported but the CA certificate is not PEM encoded
	ErrCertificateNotPemEncoded = errors.New("provided certificate was not PEM encoded")
	// ErrKeyNotPemEncoded is returned when a CA is imported but the CA private key is not PEM encoded
	ErrKeyNotPemEncoded = errors.New("provided key was not PEM encoded")
	// ErrNameNotProvided is returned when a certificate is requested but neither SubjectName nor Subject.CommonName is given
	ErrNameNotProvided = errors.New("certificate subject name not provided")
	// ErrCAExpiryDateBelowMinimum is returned when a CA is initialised with an expiry date less than 5 years from now
	ErrCAExpiryDateBelowMinimum = errors.New("CA certificate expiry date must be minimum of 5 years from now")
	// ErrCertExpiryExceedsMaximum is returned when a certificate is requested with an expiry date more than 1 hour from now
	ErrCertExpiryExceedsMaximum = errors.New("certificate expiry date exceeds maximum value of 1 hour from now")
)
Functions
func GetCACertificate
func GetCACertificate() *x509.Certificate
GetCACertificate returns the current CA certificate.
func GetCAKey
func GetCAKey(pemEncoded bool) []byte
GetCAKey returns the current CA private key. If pemEncoded is true, the key is returned PEM encoded; otherwise the raw, non-PEM key bytes are returned. Anything holding these bytes can sign certificates as the CA, so treat them as the CA's signing secret.
func GetPemEncodedCACertificate
func GetPemEncodedCACertificate() []byte
GetPemEncodedCACertificate returns the current CA certificate, PEM encoded.
func ImportCA
func ImportCA(certificate []byte, key []byte) error
ImportCA parses a PEM encoded certificate and private key and sets them as the current CA. The certificate must be a root CA certificate; importing an intermediate CA certificate returns ErrCAIsNotRootCA. Input that is not PEM encoded returns ErrCertificateNotPemEncoded or ErrKeyNotPemEncoded.
func InitialiseCA
func InitialiseCA(certOpts *CertificateOptions) ([]byte, error)
InitialiseCA creates a root CA and sets it as the current CA. Returns the CA certificate as raw, non-PEM bytes, or PEM encoded if certOpts.IsPemEncoded is true. Returns ErrCAAlreadyInitialised if a CA already exists, and ErrCAExpiryDateBelowMinimum if certOpts.ExpiryDate is less than five years from now.
func RequestCertificate
func RequestCertificate(certOpts *CertificateOptions) ([]byte, []byte, error)
RequestCertificate returns a certificate signed by the current CA together with its private key (ed25519, as for every certificate in this package), both as raw bytes, or PEM encoded if certOpts.IsPemEncoded is true. Requires a CA to already be initialised, otherwise ErrCANotInitialised is returned. The request must carry a subject name (otherwise ErrNameNotProvided), and certOpts.ExpiryDate must be no more than one hour from now (otherwise ErrCertExpiryExceedsMaximum).
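The whole flow the Overview, InitialiseCA, ImportCA and RequestCertificate describe, as an added example that is not autocert's own code: it reimplements the documented rules directly on crypto/x509 so the reader can see what each constraint amounts to and run it without the package. Everything here is an assumption about how such rules would be enforced, not a description of autocert's internals: the function names (newRootCA, checkRootCA, issue, verify, sign), the key-usage and extended-key-usage choices, the self-signature test used to tell a root from an intermediate, and the sample names "autocert demo root" and "svc.internal" are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ca is an in-memory root CA: its certificate plus its ed25519 signing key (assumed layout, not autocert's).
type ca struct {
	cert *x509.Certificate
	key  ed25519.PrivateKey
}

// sign gives tmpl a fresh ed25519 key and a random 128-bit serial, then has parent sign it; a nil parent means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore = time.Now().Add(-time.Minute) // tolerate small clock skew between issuer and verifier
	if parent == nil {
		parent, parentKey = tmpl, priv // template signs itself: this is how the root is made
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// newRootCA mirrors InitialiseCA: a self-signed CA certificate that must be valid for at least five years.
func newRootCA(commonName string, expiry time.Time) (*ca, error) {
	if expiry.Before(time.Now().AddDate(5, 0, 0)) {
		return nil, errors.New("CA certificate expiry date must be minimum of 5 years from now")
	}
	cert, key, err := sign(&x509.Certificate{
		Subject:               pkix.Name{CommonName: commonName},
		NotAfter:              expiry,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// checkRootCA is the root-only rule behind ImportCA (assumed test): a CA whose signature verifies under its own key.
func checkRootCA(cert *x509.Certificate) error {
	if !cert.IsCA || cert.CheckSignatureFrom(cert) != nil {
		return errors.New("CA must be a root CA") // an intermediate is a CA too, but fails the self-check
	}
	return nil
}

// issue mirrors RequestCertificate: an ed25519 leaf valid for at most one hour, signed by the root.
func (c *ca) issue(commonName string, dnsNames []string, expiry time.Time) (*x509.Certificate, ed25519.PrivateKey, error) {
	if commonName == "" {
		return nil, nil, errors.New("certificate subject name not provided")
	}
	if expiry.After(time.Now().Add(time.Hour)) {
		return nil, nil, errors.New("certificate expiry date exceeds maximum value of 1 hour from now")
	}
	return sign(&x509.Certificate{
		Subject:     pkix.Name{CommonName: commonName},
		DNSNames:    dnsNames,
		NotAfter:    expiry,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, c.cert, c.key)
}

// verify is the relying-party check: chain leaf to this single root for the given DNS name.
func (c *ca) verify(leaf *x509.Certificate, dnsName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.cert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}

func main() {
	root, err := newRootCA("autocert demo root", time.Now().AddDate(6, 0, 0)) // constructed sample CA
	if err != nil {
		panic(err)
	}
	leaf, _, err := root.issue("svc.internal", []string{"svc.internal"}, time.Now().Add(30*time.Minute))
	fmt.Println("issued:", err, "chains to root:", err == nil && root.verify(leaf, "svc.internal") == nil)
}
```

checkRootCA is the check worth copying when a CA is imported from elsewhere: IsCA alone is not enough, because a root-signed intermediate also carries the CA basic constraint; only a certificate whose signature verifies under its own public key is a root. verify is the relying-party side the page does not show: it trusts nothing but the one root, and rejects the same leaf for any DNS name it was not issued for.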
Types
type CertificateOptions
type CertificateOptions struct {
	// SubjectName Overrides Subject.CommonName. One of the two must be set;
	// if both are empty, ErrNameNotProvided is returned
	SubjectName string
	// Subject Optional details for the certificate subject.
	// SubjectName overrides the Subject.CommonName field
	Subject pkix.Name
	// ExpiryDate The time this certificate will expire.
	// CA certificates must expire at least five years from now or ErrCAExpiryDateBelowMinimum is returned.
	// Other certificates must expire no more than one hour from now or ErrCertExpiryExceedsMaximum is returned.
	ExpiryDate time.Time
	// IsPemEncoded Dictates whether returned certificates are PEM encoded or not.
	// CA certificates are available both PEM encoded and non-PEM encoded;
	// when creating a CA certificate, this option only determines which form is returned.
	IsPemEncoded bool
	// DNSNames DNS names (subject alternative names) this certificate is valid for.
	DNSNames []string
	// IPAddresses IP addresses this certificate is valid for.
	IPAddresses []net.IP
	// URIs URIs this certificate is valid for.
	URIs []*url.URL
}
CertificateOptions holds the configuration options for a certificate request.