certcut

package module
v0.8.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 4, 2023 License: MIT Imports: 15 Imported by: 0

README

certcut

Quick certificate generation and loading.

Install

go get -u github.com/grimdork/certcut

Why

I needed simpler, automated generation of self-signed server and client certificates for various projects, both gRPC client certificate authentication and other servers.

How

Generating a server certificate
// Create a server certificate and key
cacert, cakey, err := certcut.NewRootCert("Miskatonic U.", 4096) // 2048 is the default if you supply anything less
if err != nil {
	return err
}

Get the PEM with CertPEM() and PrivateKeyPEM(). You can load them with LoadCertFromPEM() and LoadPrivateKeyFromPEM(). Use x509.CreateRevocationList() to create CRLs, and load them with x509.LoadCRLFromPEM().

Note that this package only cares about the Common Name for certificates etc., as it's intended for internal use and not to generate certificates/signing requests for a public CA.

Signing a client certificate
// Continuing from the above example, we generate the key and cert for a client.
// The key will be 4096 bits.
crt, key, err := certcut.GetSignedCert(cacert, cakey, "Staff")
if err != nil {
	return err
}

If you want more control over the process, for example to store the signing request, you can use NewCSR() to generate a CSR, and then NewClientCert() to sign it.

gRPC

There's a convenience function for the grpc package to load both the CA cert and the client cert at once into a TLS config:

creds, err := certcut.NewClientTLSFromFiles("server.crt", "client.crt", "client.key")
...
conn, err := grpc.Dial(address, grpc.WithTransportCredentials(creds))

It's a drop-in replacement for gRPC's NewClientTLSFromFile().

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CSRPEM 

func CSRPEM(b []byte) []byte

CSRPEM converts a certificate signing request to PEM format.

func CertPEM 

func CertPEM(b []byte) []byte

CertPEM converts a certificate to PEM format.

func GetSignedCert added in v0.5.0 

func GetSignedCert(ca *x509.Certificate, cakey *rsa.PrivateKey, name string) (*x509.Certificate, *rsa.PrivateKey, error)

GetSignedCert returns a signed client certificate and key signed by the provided CA. It creates a CSR and discards it after use. The returned key is 4096 bits.

func HashSubjectKeyID 

func HashSubjectKeyID(key *rsa.PublicKey) ([]byte, error)

HashSubjectKeyID returns the hash for a public key.

func LoadCSRFromPEM 

func LoadCSRFromPEM(path string) (*x509.CertificateRequest, error)

LoadCSRFromPEM returns an x509 CertificateRequest.

func LoadCertFromPEM 

func LoadCertFromPEM(path string) (*x509.Certificate, error)

LoadCertFromPEM returns the raw bytes of a certificate.

func LoadPrivateKeyFromPEM 

func LoadPrivateKeyFromPEM(path string) (*rsa.PrivateKey, error)

LoadPrivateKeyFromPEM returns a parsed private key structure.

func LoadPublicKeyFromPEM 

func LoadPublicKeyFromPEM(path string) (any, error)

LoadPublicKeyFromPEM returns a parsed private key structure.

func NewCA 

func NewCA(key *rsa.PrivateKey, cn string) ([]byte, error)

NewCA creates a new certificate authority which further client certificates can be generated with. The NotAfter date is set to 10 years from now.

func NewCAFromTemplate added in v0.6.0 

func NewCAFromTemplate(key *rsa.PrivateKey, tpl *x509.Certificate) ([]byte, error)

NewCAFromTemplate creates a new certificate authority from a template for more control. The minimum field required is CommonName. A serial number will be generated, and empty dates will be filled in with the same defaults as NewCA. Empty KeyUsage fields will be filled in with x509.KeyUsageCertSign | x509.KeyUsageCRLSign.

func NewCSR 

func NewCSR(key *rsa.PrivateKey, cn string) ([]byte, error)

NewCSR creates a new certificate signing request.

func NewClientCert 

func NewClientCert(authkey *rsa.PrivateKey, hostkey *rsa.PrivateKey, cn string, ca *x509.Certificate, csr *x509.CertificateRequest) ([]byte, error)

NewClientCert makes certificates for client authentication.

func NewClientCertFromTemplate added in v0.6.0 

func NewClientCertFromTemplate(authkey *rsa.PrivateKey, hostkey *rsa.PrivateKey, tpl *x509.Certificate, ca *x509.Certificate, csr *x509.CertificateRequest) ([]byte, error)

NewClientCertFromTemplate makes certificates for client authentication from a template for more control. The minimum field required is CommonName. MaxPathLenZero is set to false to indicate it's a client certificate. A serial number will be generated, and empty dates will be filled in with the same defaults as NewClientCert.

func NewClientTLSFromFiles added in v0.3.0 

func NewClientTLSFromFiles(servercert, clientcert, clientkey string) (credentials.TransportCredentials, error)

NewClientTLSFromFiles is an improved version of gRPC's NewClientTLSFromFile which also loads the root certificate for the certificate authority so that connections actually work with verification.

func NewKey 

func NewKey(bits int) (*rsa.PrivateKey, error)

NewKey creates a new RSA key for certificate generation and signing.

func NewRootCert added in v0.5.0 

func NewRootCert(cn string, bits int) (*x509.Certificate, *rsa.PrivateKey, error)

NewRootCert creates a root certificate and its key in one function.

func NewSerial 

func NewSerial() (*big.Int, error)

NewSerial generates a random BigInt.

func NewTemplate 

func NewTemplate() *x509.Certificate

NewTemplate for server and client certificates.

func PrivateKeyPEM 

func PrivateKeyPEM(key *rsa.PrivateKey) []byte

PrivateKeyPEM converts a private key to PEM format.

func PublicKeyPEM 

func PublicKeyPEM(key *rsa.PublicKey) ([]byte, error)

PublicKeyPEM converts a public key to PEM format.

Types

This section is empty.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.