ca

Documentation

Index

• type CA
  • func New(rootPrivKey, intermPrivKey *ecdsa.PrivateKey) (*CA, error)
  • func (c *CA) GetIntermCACert() []byte
  • func (c *CA) GetMeshCACert() []byte
  • func (c *CA) GetRootCACert() []byte
  • func (c *CA) NewAttestedMeshCert(names []string, extensions []pkix.Extension, subjectPublicKey any) ([]byte, error)

Types

type CA

type CA struct {
	// contains filtered or unexported fields
}

CA is a cross-signing certificate authority.

It is configured with two private keys (root and intermediate) and generates corresponding CA certificates (root, intermediate and mesh) when created with New. The mesh certificate is self-signed and used for issuing workload certificates with NewAttestedMeshCert. It is usually bound to a single manifest. The intermediate cert uses the same key as the mesh cert, but is signed by the root key and thus links the workload cert to the root cert. The idea of cross-signing workload certs was adapted from MarbleRun, see: https://docs.edgeless.systems/marblerun/architecture/security#public-key-infrastructure-and-certificate-authority

func New

func New(rootPrivKey, intermPrivKey *ecdsa.PrivateKey) (*CA, error)

New creates a new CA.

func (*CA) GetIntermCACert

func (c *CA) GetIntermCACert() []byte

GetIntermCACert returns the intermediate CA certificate in PEM format.

func (*CA) GetMeshCACert

func (c *CA) GetMeshCACert() []byte

GetMeshCACert returns the mesh CA certificate of the CA in PEM format.

func (*CA) GetRootCACert

func (c *CA) GetRootCACert() []byte

GetRootCACert returns the root certificate of the CA in PEM format.

func (*CA) NewAttestedMeshCert

func (c *CA) NewAttestedMeshCert(names []string, extensions []pkix.Extension, subjectPublicKey any) ([]byte, error)

NewAttestedMeshCert creates a new attested mesh certificate.