minica

package
v0.23.1
Published: Nov 7, 2022 License: Apache-2.0 Imports: 8 Imported by: 2

Documentation

Types

type CA

type CA struct {
	Root          *x509.Certificate
	RootSigner    crypto.Signer
	Intermediate  *x509.Certificate
	Signer        crypto.Signer
	SSHHostSigner ssh.Signer
	SSHUserSigner ssh.Signer
}

CA is the implementation of a simple X.509 and SSH CA.

func New

func New(opts ...Option) (*CA, error)

New creates a new MiniCA. The custom options allow overwriting templates, signer types and certificate names.

func (*CA) Sign

func (c *CA) Sign(template *x509.Certificate) (*x509.Certificate, error)

Sign signs an X.509 certificate template using the intermediate certificate. Sign will automatically populate the following fields if they are not specified:

  • NotBefore will be set to the current time.
  • NotAfter will be set to 24 hours after NotBefore.
  • SerialNumber will be automatically generated.
  • SubjectKeyId will be automatically generated.

func (*CA) SignCSR

func (c *CA) SignCSR(csr *x509.CertificateRequest, opts ...SignOption) (*x509.Certificate, error)

SignCSR signs an X.509 certificate signing request. The custom options allow changing the template used to convert the CSR to a certificate.

func (*CA) SignSSH

func (c *CA) SignSSH(template *ssh.Certificate) (*ssh.Certificate, error)

SignSSH signs an SSH host or user certificate. SignSSH will automatically populate the following fields if they are not specified:

  • ValidAfter will be set to the current time unless ValidBefore is set to ssh.CertTimeInfinity.
  • ValidBefore will be set to 24 hours after ValidAfter.
  • Nonce will be automatically generated.
  • Serial will be automatically generated.

If the SSH signer is an RSA key, SignSSH will use rsa-sha2-256 instead of the default ssh-rsa (SHA-1). The ssh-rsa method is currently deprecated, and rsa-sha2-256/512 have been supported since OpenSSH 7.2 (2016).

type Option

type Option func(o *options)

Option is the type used to pass custom attributes to the constructor.

func WithGetSignerFunc

func WithGetSignerFunc(fn func() (crypto.Signer, error)) Option

WithGetSignerFunc is an option that allows overwriting the default function used to create a signer.

func WithIntermediateTemplate

func WithIntermediateTemplate(template string) Option

WithIntermediateTemplate is an option that allows overwriting the template used to create the intermediate certificate.

func WithName

func WithName(name string) Option

WithName is an option that allows overwriting the default name MiniCA. With the default templates, the root and intermediate certificate common names would be "<name> Root CA" and "<name> Intermediate CA".

func WithRootTemplate

func WithRootTemplate(template string) Option

WithRootTemplate is an option that allows overwriting the template used to create the root certificate.

type SignOption

type SignOption func(o *signOptions)

SignOption is the type used to pass custom attributes when signing a certificate request.

func WithModifyFunc

func WithModifyFunc(fn func(*x509.Certificate) error) SignOption

WithModifyFunc allows updating the certificate template before signing it.
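
A policy function with the signature WithModifyFunc accepts, as an added example that is not part of the package or its documentation. The name leafPolicy, the ".svc.example.test" suffix and the 24-hour cap are assumptions; it would be passed as ca.SignCSR(csr, WithModifyFunc(leafPolicy(...))).

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"strings"
	"time"
)

// leafPolicy (hypothetical name) returns a function with the signature that
// WithModifyFunc accepts. It rejects templates that are not plain DNS leaf
// certificates under suffix (which must start with ".") and caps the validity
// window at maxTTL. The suffix and the limits are assumptions of this example.
func leafPolicy(suffix string, maxTTL time.Duration) func(*x509.Certificate) error {
	return func(t *x509.Certificate) error {
		if t.IsCA {
			return errors.New("policy: CA certificates are not issued from CSRs")
		}
		if len(t.DNSNames) == 0 || len(t.IPAddresses)+len(t.EmailAddresses)+len(t.URIs) > 0 {
			return errors.New("policy: at least one DNS SAN and no other SAN types are required")
		}
		for _, name := range t.DNSNames {
			if strings.Contains(name, "*") || !strings.HasSuffix(strings.ToLower(name), suffix) {
				return fmt.Errorf("policy: SAN %q is not a host under %q", name, suffix)
			}
		}
		if t.NotBefore.IsZero() {
			t.NotBefore = time.Now()
		}
		// Clamp unset, inverted or over-long validity windows to maxTTL.
		if d := t.NotAfter.Sub(t.NotBefore); d <= 0 || d > maxTTL {
			t.NotAfter = t.NotBefore.Add(maxTTL)
		}
		// Pin usages regardless of what the incoming template carried.
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.BasicConstraintsValid = true // encode an explicit CA:FALSE
		return nil
	}
}

func main() {
	// Constructed template standing in for one derived from a CSR.
	t := &x509.Certificate{DNSNames: []string{"api.svc.example.test"}}
	err := leafPolicy(".svc.example.test", 24*time.Hour)(t)
	fmt.Println(err, t.NotAfter.Sub(t.NotBefore))
}
```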

func WithTemplate

func WithTemplate(template string) SignOption

WithTemplate allows updating the template used to convert a CSR into a certificate.
