certs

package
v1.7.5
Published: Jun 19, 2023 License: AGPL-3.0 Imports: 14 Imported by: 44

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetRootCAs

func GetRootCAs(path string) (*x509.CertPool, error)

GetRootCAs loads all X.509 certificates at the given path and adds them to the list of system root CAs, if available. The returned CA pool is a conjunction of the system root CAs and the certificate(s) at the given path.

If path is a regular file, GetRootCAs simply adds it to the CA pool if the file contains a valid X.509 certificate.

If the path points to a directory, GetRootCAs iterates over all top-level files within the directory (subdirectories are not descended into) and adds each one to the CA pool if it contains a valid X.509 certificate.

Types

type Certificate added in v1.3.0

type Certificate struct {
	// contains filtered or unexported fields
}

Certificate is a chain of one or more reloadable certificates.

func NewCertificate added in v1.3.0

func NewCertificate(certFile, keyFile string, loadX509KeyPair LoadX509KeyPairFunc) (*Certificate, error)

NewCertificate returns a new Certificate from the given certificate and private key file. On a reload event, the certificate is reloaded using the loadX509KeyPair function.

func (*Certificate) Get added in v1.3.0

func (c *Certificate) Get() tls.Certificate

Get returns the current TLS certificate.

func (*Certificate) Notify added in v1.3.0

func (c *Certificate) Notify(events chan<- tls.Certificate)

Notify notifies the given events channel whenever the certificate has been reloaded successfully. The new certificate is sent to the channel receiver.

func (*Certificate) Reload added in v1.3.0

func (c *Certificate) Reload() error

Reload reloads the certificate and sends notifications to all listeners that subscribed via Notify.

func (*Certificate) Stop added in v1.3.0

func (c *Certificate) Stop(events chan<- tls.Certificate)

Stop stops notifying the given events channel whenever the certificate has been reloaded successfully.

func (*Certificate) Watch added in v1.3.0

func (c *Certificate) Watch(ctx context.Context, interval time.Duration, signals ...os.Signal)

Watch starts watching the certificate and private key file for any changes and reloads the Certificate whenever a change is detected.

Additionally, Watch listens on the given list of OS signals and reloads the Certificate whenever it encounters one of the signals. Further, Watch reloads the certificate periodically if interval > 0.

type GetCertificateFunc

type GetCertificateFunc func(hello *tls.ClientHelloInfo) (*tls.Certificate, error)

GetCertificateFunc is a callback that allows a TLS stack to deliver different certificates based on the client trying to establish a TLS connection.

For example, a GetCertificateFunc can return different TLS certificates depending upon the TLS SNI sent by the client.

type LoadX509KeyPairFunc

type LoadX509KeyPairFunc func(certFile, keyFile string) (tls.Certificate, error)

LoadX509KeyPairFunc is a function that parses a private key and certificate file and returns a TLS certificate on success.

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

Manager is a TLS certificate manager that can handle multiple certificates. When a client tries to establish a TLS connection, Manager will try to pick a certificate that can be validated by the client.

For instance, if the client specifies a TLS SNI then Manager will try to find the corresponding certificate. If there is no such certificate it will fall back to the certificate named public.crt.

Manager will automatically reload certificates if the corresponding file changes.

func NewManager

func NewManager(ctx context.Context, certFile, keyFile string, loadX509KeyPair LoadX509KeyPairFunc) (manager *Manager, err error)

NewManager returns a new Manager that handles one certificate specified via the certFile and keyFile. It will use the loadX509KeyPair function to (re)load certificates.

The certificate loaded from certFile is considered the default certificate. If a client does not send the TLS SNI extension then Manager will return this certificate.

func (*Manager) AddCertificate

func (m *Manager) AddCertificate(certFile, keyFile string) (err error)

AddCertificate adds the TLS certificate in certFile and its private key in keyFile to the Manager.

If there is already a certificate with the same base name it will be replaced by the newly added one.

func (*Manager) GetCertificate

func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)

GetCertificate returns a TLS certificate based on the client hello.

It tries to find a certificate that would be accepted by the client according to the client hello. If no such certificate can be found, GetCertificate returns the default certificate loaded from the Public file.
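As an added illustration (not the certs package's own code), the following standalone Go program re-implements the selection rule documented for Manager and GetCertificate: match the client's SNI against each certificate's leaf, and fall back to the default certificate when there is no SNI or no match. The Selector type, the selfSigned helper and the host names used are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for dnsName.
// This is constructed test material, not a real key pair (assumed helper).
func selfSigned(dnsName string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: dnsName},
		DNSNames: []string{dnsName}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Selector (assumed type) holds a default certificate plus additional ones,
// mirroring the documented Manager rule: match SNI, else use the default.
type Selector struct {
	Default tls.Certificate
	Others  []tls.Certificate
}

// GetCertificate has the GetCertificateFunc signature: it returns the first
// certificate whose leaf is valid for hello.ServerName, else the default.
func (s *Selector) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	if hello.ServerName != "" {
		for i := range s.Others {
			if s.Others[i].Leaf.VerifyHostname(hello.ServerName) == nil {
				return &s.Others[i], nil
			}
		}
	}
	return &s.Default, nil
}
```

A Selector plugs into a server with tls.Config{GetCertificate: s.GetCertificate}; a client without SNI, or with an unknown name, always gets the default certificate, so that certificate is the one every client can observe.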

func (*Manager) GetClientCertificate

func (m *Manager) GetClientCertificate(reqInfo *tls.CertificateRequestInfo) (*tls.Certificate, error)

GetClientCertificate returns a TLS certificate for mTLS based on the certificate request.

It tries to find a certificate that would be accepted by the server according to the certificate request. If no such certificate can be found, GetClientCertificate returns the default certificate loaded from the Public file.

func (*Manager) ReloadCerts added in v1.1.8

func (m *Manager) ReloadCerts()

ReloadCerts forcefully reloads all certificates.

func (*Manager) ReloadOnSignal added in v1.1.8

func (m *Manager) ReloadOnSignal(sig ...os.Signal)

ReloadOnSignal specifies one or more signals that will trigger certificates reloading. If called multiple times with the same signal certificates

func (*Manager) UpdateReloadDuration added in v1.1.19

func (m *Manager) UpdateReloadDuration(t time.Duration)

UpdateReloadDuration sets a custom symlink reload duration.
