README
certdb usage
Using a database enables additional functionality for existing commands when a db config is provided:
- sign and gencert add a certificate to the certdb after signing it
- serve enables database functionality for the sign and revoke endpoints
A database is required for the following:
- revoke marks certificates revoked in the database with an optional reason
- ocsprefresh refreshes the table of cached OCSP responses
- ocspdump outputs cached OCSP responses in a concatenated base64-encoded format
Setup/Migration
This directory stores goose db migration scripts for various DB backends. Currently supported:
- SQLite in sqlite
- PostgreSQL in pg
Get goose
go get https://bitbucket.org/liamstask/goose/
Use goose to start and terminate a SQLite DB
To start a SQLite DB using goose:
goose -path $GOPATH/src/github.com/cloudflare/cfssl/certdb/sqlite up
To tear down a SQLite DB using goose
goose -path $GOPATH/src/github.com/cloudflare/cfssl/certdb/sqlite down
Use goose to start and terminate a PostgreSQL DB
To start a PostgreSQL DB using goose:
goose -path $GOPATH/src/github.com/cloudflare/cfssl/certdb/pg up
To tear down a PostgreSQL DB using goose
goose -path $GOPATH/src/github.com/cloudflare/cfssl/certdb/pg down
Note: the administration of the PostgreSQL DB is not included. We assume the databases being connected to are already created and that access controls are properly handled.
CFSSL Configuration
Several cfssl commands take a -db-config flag. Create a file with a JSON dictionary:
{"driver":"sqlite3","data_source":"certs.db"}
or
{"driver":"postgres","data_source":"postgres://user:password@host/db"}
Documentation
Types
type Accessor
type Accessor interface {
	InsertCertificate(cr CertificateRecord) error
	GetCertificate(serial, aki string) ([]CertificateRecord, error)
	GetUnexpiredCertificates() ([]CertificateRecord, error)
	RevokeCertificate(serial, aki string, reasonCode int) error
	InsertOCSP(rr OCSPRecord) error
	GetOCSP(serial, aki string) ([]OCSPRecord, error)
	GetUnexpiredOCSPs() ([]OCSPRecord, error)
	UpdateOCSP(serial, aki, body string, expiry time.Time) error
	UpsertOCSP(serial, aki, body string, expiry time.Time) error
}
Accessor abstracts the CRUD of certdb objects from a DB.
type CertificateRecord
type CertificateRecord struct {
	Serial    string    `sql:"serial_number"`
	AKI       string    `sql:"authority_key_identifier"`
	CALabel   string    `sql:"ca_label"`
	Status    string    `sql:"status"`
	Reason    int       `sql:"reason"`
	Expiry    time.Time `sql:"expiry"`
	RevokedAt time.Time `sql:"revoked_at"`
	PEM       string    `sql:"pem"`
}
CertificateRecord encodes a certificate and its metadata that will be recorded in a database.
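To make the sign/revoke/ocsprefresh lifecycle described in the usage section concrete, here is an added in-memory toy implementation of the certificate half of the Accessor interface. It is not cfssl's own code: MemStore, the "good"/"revoked" status strings and the reason-code comment are this example's assumptions, and the record is keyed by (serial, AKI) because a serial number is only unique per issuing CA.

```go
package main

import (
	"errors"
	"time"
)
// CertificateRecord mirrors the certdb record above, minus the sql tags.
type CertificateRecord struct {
	Serial, AKI, CALabel, Status, PEM string
	Reason                            int
	Expiry, RevokedAt                 time.Time
}

// MemStore is a constructed in-memory stand-in for the certificate half of
// Accessor, keyed by (serial, AKI): serials are only unique per issuing CA.
type MemStore map[[2]string]CertificateRecord

// InsertCertificate records a newly signed certificate with status "good".
func (m MemStore) InsertCertificate(cr CertificateRecord) error {
	k := [2]string{cr.Serial, cr.AKI}
	if _, dup := m[k]; dup {
		return errors.New("certdb: serial/AKI pair already recorded")
	}
	cr.Status = "good"
	m[k] = cr
	return nil
}

// RevokeCertificate sets status "revoked", the RFC 5280 reason code (e.g.
// 1 = keyCompromise) and the revocation time; the PEM is kept for OCSP.
func (m MemStore) RevokeCertificate(serial, aki string, reasonCode int) error {
	cr, ok := m[[2]string{serial, aki}]
	if !ok {
		return errors.New("certdb: no such certificate")
	}
	cr.Status, cr.Reason, cr.RevokedAt = "revoked", reasonCode, time.Now().UTC()
	m[[2]string{serial, aki}] = cr
	return nil
}

// GetUnexpiredCertificates is what ocsprefresh walks: every record, revoked or not, still unexpired.
func (m MemStore) GetUnexpiredCertificates() ([]CertificateRecord, error) {
	var out []CertificateRecord
	for _, cr := range m {
		if cr.Expiry.After(time.Now()) {
			out = append(out, cr)
		}
	}
	return out, nil
}
```

Note that a revoked certificate stays in the unexpired set: ocsprefresh must keep producing a "revoked" response for it until its notAfter passes, which is why revocation updates the row rather than deleting it.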