README
¶
Go Certificate Authority management package
GocA provides a Certificate Authority (CA) framework managing, a Simple PKI.
GoCA is a framework that uses mainly crypto/x509 to manage Certificate Authorities.
Using GoCA makes it easy to create a CA and issue certificates, signing Certificates Signing Request (CSR), and revoke certificate generating Certificates Request List (CRL).
Content:
GoCA Package
go get http://github.com/kairoaraujo/goca
All files are store in the $CAPATH. The $CAPATH is an environment
variable that defines where all files (keys, certificates, etc.) are stored.
It is essential to have this folder in a safe place.
$CPATH structure:
$CPATH
├── <CA Common Name>
├── ca
│ ├── <CA Common Name>.crl
│ ├── <CA Common Name>.crt
│ ├── key.pem
│ └── key.pub
└── certs
└── <Certificate Common Name>
├── <Certificate Common Name>.crt
├── <Certificate Common Name>.csr
├── key.pem
└── key.pub
GoCA also make it easier to manipulate files such as Private and Public Keys, Certificate Signing Request, Certificate Request Lists, and Certificates for other Go applications.
This example shows
- Creating a Certificate Authority (Root) or Loading if it already exists
- Issue a new Certificate
- Shows the certificate
// Define the GOCAPTH (Default is current dir)
os.Setenv("CAPATH", "/opt/GoCA/CA")
// RootCAIdentity for creation
rootCAIdentity := goca.Identity{
Organization: "GO CA Root Company Inc.",
OrganizationalUnit: "Certificates Management",
Country: "NL",
Locality: "Noord-Brabant",
Province: "Veldhoven",
Intermediate: false,
}
// (1) Create the New Root CA or loads existent from disk ($CAPATH)
RootCA, err := goca.New("mycompany.com", rootCAIdentity)
if err != nil {
// Loads in case it exists
fmt.Println("Loading CA")
RootCA, err = goca.Load("gocaroot.nl")
if err != nil {
log.Fatal(err)
}
// Check the CA status and shows the CA Certificate
fmt.Println(RootCA.Status())
fmt.Println(RootCA.GetCertificate())
} else {
log.Fatal(err)
}
// (2) Issue certificate for example intranet server
intranetIdentity := goca.Identity{
Organization: "Intranet Company Inc.",
OrganizationalUnit: "Global Intranet",
Country: "NL",
Locality: "Noord-Brabant",
Province: "Veldhoven",
Intermediate: false,
DNSNames: []string{"w3.intranet.example.com", "www.intranet.example.com"},
}
intranetCert, err := RootCA.IssueCertificate("intranet.example.com", intranetIdentity)
if err != nil {
log.Fatal(err)
}
// (3) Shows the Certificate (string)
fmt.Println(intranetCert.GetCertificate())
// Shows all CA Certificates
fmt.Println(RootCA.ListCertificates())
GoCA HTTP REST API
GoCA also provides an implementation using HTTP REST API.
This is available in rest-api folder.
GoCA Docker Container
GoCA Docker ready to use HTTP Rest API that uses mainly crypto/x509 to manage Certificate Authorities and Certificates such as a simple PKI Service.
The API Documentation is online available at http://kairoaraujo.github.io/goca/.
More details in Docker README.
GoCA Docker Image is available at https://hub.docker.com/r/kairoaraujo/goca/
Documentation
¶
Overview ¶
Package goca provides Certificate Authority (CA) framework managing
GoCA is an API Framework that uses mainly crypto/x509 to manage Certificate Authorities.
Using GoCA makes easy to create a CA and issue certificates, signing Certificates Signing Request (CSR) and revoke certificate generating Certificates Request List (CRL).
All files are stored in the “$CAPATH“. The “$CAPATH“ is an environment variable the defines were all files (keys, certificates, etc) will be stored. It is importante to have this folder in a safety place.
GoCA also make easier manipulate files such as Private and Public Keys, Certificate Signing Request, Certificate Request Lists and Certificates for other Go applications.
Index ¶
- Variables
- func GeneratePkcs12(certificate *Certificate, passphrase string, otherCaCerts ...*x509.Certificate) (pfxData []byte, err error)
- type CA
- func (c *CA) GetCRL() string
- func (c *CA) GetCertificate() string
- func (c *CA) GetPrivateKey() string
- func (c *CA) GetPublicKey() string
- func (c *CA) GoCRL() *pkix.CertificateList
- func (c *CA) GoCertificate() *x509.Certificate
- func (c *CA) GoPrivateKey() *rsa.PrivateKey
- func (c *CA) GoPublicKey() *rsa.PublicKey
- func (c *CA) IsIntermediate() bool
- func (c *CA) IssueCertificate(commonName string, id Identity) (certificate *Certificate, err error)
- func (c *CA) LoadCA(privateKeyPem []byte, publicKeyPem []byte, certPem []byte, crlPem []byte) error
- func (c *CA) RevokeCertificate(certificate *x509.Certificate) error
- func (c *CA) SignCSR(csr *x509.CertificateRequest, valid int) (certificate *Certificate, err error)
- func (c *CA) Status() string
- type CAData
- type Certificate
- type Identity
Constants ¶
This section is empty.
Variables ¶
var ErrCAMissingInfo = errors.New("all CA details ('Organization', 'Organizational Unit', 'Country', 'Locality', 'Province') are required")
ErrCAMissingInfo means that all information goca.Information{} is required
var ErrCertRevoked = errors.New("the requested Certificate is already revoked")
ErrCertRevoked means that certificate was not found in $CAPATH to be loaded.
var ErrParentCommonNameNotSpecified = errors.New("parent common name is empty when creating an intermediate CA certificate")
Functions ¶
func GeneratePkcs12 ¶ added in v1.0.3
func GeneratePkcs12(certificate *Certificate, passphrase string, otherCaCerts ...*x509.Certificate) (pfxData []byte, err error)
Types ¶
type CA ¶
type CA struct {
CommonName string // Certificate Authority Common Name
Data CAData // Certificate Authority Data (CAData{})
}
CA represents the basic CA data
func NewCA ¶
func NewCA(commonName string, parentCertificate *x509.Certificate, parentPrivateKey *rsa.PrivateKey, identity Identity) (ca *CA, err error)
New create a new Certificate Authority
func (*CA) GetCertificate ¶
GetCertificate returns Certificate Authority Certificate as string
func (*CA) GetPrivateKey ¶
GetPrivateKey returns the Private Key as string
func (*CA) GetPublicKey ¶
GetPublicKey returns the PublicKey as string
func (*CA) GoCRL ¶
func (c *CA) GoCRL() *pkix.CertificateList
GoCRL returns Certificate Revocation List as Go bytes *pkix.CertificateList
func (*CA) GoCertificate ¶
func (c *CA) GoCertificate() *x509.Certificate
GoCertificate returns Certificate Authority Certificate as Go bytes *x509.Certificate
func (*CA) GoPrivateKey ¶
func (c *CA) GoPrivateKey() *rsa.PrivateKey
GoPrivateKey returns the Private Key as Go bytes rsa.PrivateKey
func (*CA) GoPublicKey ¶
GoPublicKey returns the Public Key as Go bytes rsa.PublicKey
func (*CA) IsIntermediate ¶
IsIntermediate returns if the CA is Intermediate CA (true)
func (*CA) IssueCertificate ¶
func (c *CA) IssueCertificate(commonName string, id Identity) (certificate *Certificate, err error)
IssueCertificate creates a new certificate
It is import create an Identity{} with Certificate Client/Server information.
func (*CA) RevokeCertificate ¶
func (c *CA) RevokeCertificate(certificate *x509.Certificate) error
RevokeCertificate revokes a certificate managed by the Certificate Authority
func (*CA) SignCSR ¶
func (c *CA) SignCSR(csr *x509.CertificateRequest, valid int) (certificate *Certificate, err error)
SignCSR perform a creation of certificate from a CSR (x509.CertificateRequest) and returns *x509.Certificate
type CAData ¶
type CAData struct {
CRL string `json:"crl" example:"-----BEGIN X509 CRL-----...-----END X509 CRL-----\n"` // Revocation List string
Certificate string `json:"certificate" example:"-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----\n"` // Certificate string
//CSR string `json:"csr" example:"-----BEGIN CERTIFICATE REQUEST-----...-----END CERTIFICATE REQUEST-----\n"` // Certificate Signing Request string
PrivateKey string `json:"private_key" example:"-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----\n"` // Private Key string
PublicKey string `json:"public_key" example:"-----BEGIN PUBLIC KEY-----...-----END PUBLIC KEY-----\n"` // Public Key string
IsIntermediate bool
// contains filtered or unexported fields
}
A CAData represents all the Certificate Authority Data as RSA Keys, CRS, CRL, Certificates etc
type Certificate ¶
type Certificate struct {
Certificate string `json:"certificate" example:"-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----\n"` // Certificate certificate string
CSR string `json:"csr" example:"-----BEGIN CERTIFICATE REQUEST-----...-----END CERTIFICATE REQUEST-----\n"` // Certificate Signing Request string
RsaPrivateKey string `json:"rsa_private_key" example:"-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----\n"` // Certificate Private Key string
PrivateKey string `json:"private_key" example:"-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----\n"` // Certificate Private Key string
PublicKey string `json:"public_key" example:"-----BEGIN PUBLIC KEY-----...-----END PUBLIC KEY-----\n"` // Certificate Public Key string
CACertificate string `json:"ca_certificate" example:"-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----\n"` // CA Certificate as string
// contains filtered or unexported fields
}
Certificate represents a Certificate data
func (*Certificate) GetCACertificate ¶
func (c *Certificate) GetCACertificate() string
GetCACertificate returns the certificate as string.
func (*Certificate) GetCSR ¶
func (c *Certificate) GetCSR() string
GetCSR returns the certificate as string.
func (*Certificate) GetCertificate ¶
func (c *Certificate) GetCertificate() string
GetCertificate returns the certificate as string.
func (*Certificate) GoCACertificate ¶
func (c *Certificate) GoCACertificate() *x509.Certificate
GoCACertificate returns the certificate *x509.Certificate.
func (*Certificate) GoCSR ¶
func (c *Certificate) GoCSR() *x509.CertificateRequest
GoCSR returns the certificate as Go x509.Certificate.
func (*Certificate) GoCert ¶
func (c *Certificate) GoCert() *x509.Certificate
GoCert returns the certificate as Go x509.Certificate.
type Identity ¶
type Identity struct {
Organization string `json:"organization" example:"Company"` // Organization name
OrganizationalUnit string `json:"organization_unit" example:"Security Management"` // Organizational Unit name
Country string `json:"country" example:"NL"` // Country (two letters)
Locality string `json:"locality" example:"Noord-Brabant"` // Locality name
Province string `json:"province" example:"Veldhoven"` // Province name
EmailAddresses string `json:"email" example:"sec@company.com"` // Email Address
DNSNames []string `json:"dns_names" example:"ca.example.com,root-ca.example.com"` // DNS Names list
IPAddresses []net.IP `json:"ip_addresses" example:"10.0.0.1,10.0.0.1"` // IP addresses list
Intermediate bool `json:"intermediate" example:"false"` // Intermendiate Certificate Authority (default is false)
KeyBitSize int `json:"key_size" example:"2048"` // Key Bit Size (defaul: 2048)
Valid int `json:"valid" example:"365"` // Minimum 1 day, maximum 825 days -- Default: 397
}
A Identity represents the Certificate Authority Identity Information
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
Package cert provides RSA Key API management for crypto/x509 certificates.
|
Package cert provides RSA Key API management for crypto/x509 certificates. |
|
Package key provides RSA Key API management for crypto/x509/rsa.
|
Package key provides RSA Key API management for crypto/x509/rsa. |