Overview
Package tinyca implements a small and flexible Certificate Authority. The CA issues client certificates signed by a root certificate and private key.
tinyca exposes a simple HTTP API to issue certificates. tinyca is primarily meant to issue client certificates for mTLS authentication.
The CA also provides an interface to customize the certificate template. This allows applications to add application-specific data to issued certificates, along with the standard bifrost fields.
Constants
const MaxIssueValidity = 30 * 24 * time.Hour
MaxIssueValidity is the maximum validity period for issued certificates.
Variables
This section is empty.
Functions
func CACertTemplate (added in v1.16.8)
func CACertTemplate(ns, id uuid.UUID) (*x509.Certificate, error)
CACertTemplate returns a new x509.Certificate template for a CA certificate.
func ParseValidity (added in v1.16.8)
ParseValidity parses notBefore and notAfter into time.Time values. Each may be either an RFC3339 timestamp or a duration offset from the current time; offsets are parsed with time.ParseDuration (for example "+24h" or "-5m") and are measured from the current time, not from the other endpoint. If notBefore is empty or set to "now", it defaults to the current time. If notAfter is empty, it behaves as if it were set to "+1h". Negative validity periods, with notAfter before notBefore, are not allowed.
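The rules above are easy to get subtly wrong, in particular that a duration given for notAfter is relative to the current time and not to notBefore. The following is an added example, not the package's own ParseValidity: it re-implements the documented rules on top of the standard library, takes the current time as an explicit parameter so results are deterministic (the package function is not documented as doing so), and keeps the MaxIssueValidity cap as a separate check because the doc comment states the cap without saying that ParseValidity enforces it. Rejecting a zero-length period is this example's stricter choice.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// MaxIssueValidity mirrors tinyca's constant: 30 days.
const MaxIssueValidity = 30 * 24 * time.Hour

// parseEndpoint resolves one endpoint: an RFC3339 timestamp, or a
// time.ParseDuration offset such as "+1h", "-5m" or "72h" applied to now.
func parseEndpoint(s string, now time.Time) (time.Time, error) {
	if t, err := time.Parse(time.RFC3339, s); err == nil {
		return t, nil
	}
	d, err := time.ParseDuration(s)
	if err != nil {
		return time.Time{}, fmt.Errorf("%q is neither RFC3339 nor a duration", s)
	}
	return now.Add(d), nil
}

// ParseValidity re-implements the documented rules. Unlike the package
// function it takes now as a parameter (this example's choice) so results
// are deterministic and testable.
func ParseValidity(notBefore, notAfter string, now time.Time) (time.Time, time.Time, error) {
	nb := now // empty or "now" means the current time
	if notBefore != "" && notBefore != "now" {
		var err error
		if nb, err = parseEndpoint(notBefore, now); err != nil {
			return time.Time{}, time.Time{}, err
		}
	}
	if notAfter == "" {
		notAfter = "+1h"
	}
	na, err := parseEndpoint(notAfter, now)
	if err != nil {
		return time.Time{}, time.Time{}, err
	}
	// Offsets are relative to now, not to notBefore, so "+2h"/"+1h" yields a
	// negative period. Zero-length periods are rejected too (stricter than the doc).
	if !na.After(nb) {
		return time.Time{}, time.Time{}, errors.New("validity period must be positive")
	}
	return nb, na, nil
}

// CheckIssueValidity applies the MaxIssueValidity cap. The doc states the cap
// but not that ParseValidity enforces it, so it is a separate step here.
func CheckIssueValidity(nb, na time.Time) error {
	if d := na.Sub(nb); d > MaxIssueValidity {
		return fmt.Errorf("validity %s exceeds maximum %s", d, MaxIssueValidity)
	}
	return nil
}

func main() {
	now := time.Now()
	cases := [][2]string{{"", ""}, {"now", "+24h"}, {"+2h", "+1h"}, {"-1h", "720h"}, {"", "720h"}}
	for _, c := range cases {
		nb, na, err := ParseValidity(c[0], c[1], now)
		if err == nil {
			err = CheckIssueValidity(nb, na)
		}
		fmt.Printf("notBefore=%q notAfter=%q -> %v\n", c[0], c[1], err)
	}
}
```

The "-1h"/"720h" case is the one to notice: backdating notBefore by an hour is accepted by the parser, but the resulting 721-hour period then fails the 30-day cap, so an issuer that only caps the notAfter offset would over-issue.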
func TLSClientCertTemplate (added in v1.16.8)
func TLSClientCertTemplate() *x509.Certificate
TLSClientCertTemplate returns a new x509.Certificate template for a client certificate.
Types
type CA
type CA struct {
// contains filtered or unexported fields
}
CA is a simple Certificate Authority. The CA issues client certificates signed by a root certificate and private key.
func New
func New(
	cert *bifrost.Certificate,
	key *bifrost.PrivateKey,
	gauntlet Gauntlet,
) (*CA, error)
New returns a new Certificate Authority. The CA signs client certificates with the provided root certificate and private key, and calls the provided gauntlet func to validate each request and customise the issued certificate.
func (CA) IssueCertificate
IssueCertificate issues a client certificate for a valid certificate request parsed from asn1CSR, the ASN.1 DER encoding of the request.
func (CA) ServeHTTP
func (ca CA) ServeHTTP(w http.ResponseWriter, r *http.Request)
ServeHTTP issues a certificate if a valid certificate request can be read from the request body.
Requests with a content-type of "text/plain" must carry a PEM-encoded certificate request in the body; requests with a content-type of "application/octet-stream" must carry the ASN.1 DER encoding instead.
type Gauntlet (added in v1.19.0)
type Gauntlet func(csr *bifrost.CertificateRequest) (tmpl *x509.Certificate, err error)
Gauntlet is the signature of a function that validates a certificate request and chooses the template it is issued from. If the returned error is non-nil, the certificate request is denied and no certificate is issued. If the returned template is nil, the default template from TLSClientCertTemplate is used. The template is used to issue a client certificate; consult the x509 package for the full list of fields that can be set. tinyca overwrites the following template fields, so values a gauntlet sets for them are ignored:
- NotBefore
- NotAfter
- SignatureAlgorithm
- Issuer
- Subject.Organization
- Subject.CommonName
- BasicConstraintsValid
If SerialNumber is nil, a random value will be generated.
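An added end-to-end example of the contract above, built on the standard library only; it is not bifrost's or tinyca's code. A small CA runs a gauntlet, then overwrites the listed fields before signing, so the gauntlet can add application-specific data (here a hypothetical private-arc extension, TeamOID) but cannot change the issuer, the subject organisation, the lifetime or the signature algorithm, and a serial is generated when the template leaves it nil. MiniCA, NewMiniCA, Issue, TeamOID and TeamGauntlet are names of this example, and the Gauntlet here takes *x509.CertificateRequest rather than bifrost.CertificateRequest. Note that the list above names BasicConstraintsValid but not IsCA, so this example forces IsCA to false itself; check the project's own behaviour before relying on a gauntlet being unable to set it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Gauntlet mirrors tinyca's hook on the standard-library CSR type (an assumption here).
type Gauntlet func(csr *x509.CertificateRequest) (*x509.Certificate, error)

// MiniCA is an illustrative stand-in for tinyca.CA, not the project's own code.
type MiniCA struct {
	Cert     *x509.Certificate
	key      *ecdsa.PrivateKey
	gauntlet Gauntlet
}

// NewMiniCA generates a self-signed P-256 root and attaches the gauntlet.
func NewMiniCA(org string, g Gauntlet) (*MiniCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{Organization: []string{org}, CommonName: org + " root"},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &MiniCA{Cert: cert, key: key, gauntlet: g}, nil
}

// Issue verifies the CSR's proof of possession, runs the gauntlet, then
// overwrites the fields the doc lists as CA-owned before signing.
func (ca *MiniCA) Issue(csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl, err := ca.gauntlet(csr)
	if err != nil {
		return nil, err // denied
	}
	if tmpl == nil { // nil template: plain TLS client certificate
		tmpl = &x509.Certificate{ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	}
	now := time.Now()
	tmpl.NotBefore, tmpl.NotAfter = now, now.Add(time.Hour)
	tmpl.SignatureAlgorithm = x509.ECDSAWithSHA256
	tmpl.Issuer = ca.Cert.Subject
	tmpl.Subject.Organization = ca.Cert.Subject.Organization
	tmpl.Subject.CommonName = csr.Subject.CommonName
	// The doc lists BasicConstraintsValid but not IsCA; this example forces both.
	tmpl.BasicConstraintsValid, tmpl.IsCA = true, false
	if tmpl.SerialNumber == nil {
		if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
			return nil, err
		}
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.key)
}

// TeamOID is a hypothetical private-arc OID for application-specific data.
var TeamOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// TeamGauntlet is an example policy: the CN must be user@team, the team is
// stamped into a private extension, and IsCA is set to show it gets overridden.
func TeamGauntlet(csr *x509.CertificateRequest) (*x509.Certificate, error) {
	user, team, ok := strings.Cut(csr.Subject.CommonName, "@")
	if !ok || user == "" || team == "" {
		return nil, errors.New("CommonName must be user@team")
	}
	teamDER, _ := asn1.Marshal(team) // marshalling a Go string cannot fail
	return &x509.Certificate{
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		ExtraExtensions: []pkix.Extension{{Id: TeamOID, Value: teamDER}},
		IsCA:            true,
	}, nil
}
```

Two things are worth checking against a real deployment: a CSR's own Organization and any IsCA a gauntlet sets are both discarded here, and the CSR's self-signature is verified before the gauntlet runs, so a denied or tampered request never reaches the signing key.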