easypki

package module
v1.2.0
Published: Sep 23, 2020 License: Apache-2.0 Imports: 12 Imported by: 0

README

easypki

Easy Public Key Infrastructure intends to provide most of the components needed to manage a PKI, so you can either use the API in your automation, or use the CLI.

API

For the latest API:

import "gopkg.in/google/easypki.v1"

Legacy API

The API below pkg/ has been rewritten to allow extensible PKI storage and to improve readability.

If you used the legacy API that was only writing files to disk, a tag has been applied so you can still import it:

import "gopkg.in/google/easypki.v0"

CLI

The current implementation of the CLI uses the local store with a directory structure compatible with openssl, so you are not restricted.

# Get the CLI:
go get github.com/google/easypki/cmd/easypki


# You can also pass the following through arguments if you do not want to use
# env variables.
export PKI_ROOT=/tmp/pki
export PKI_ORGANIZATION="Acme Inc."
export PKI_ORGANIZATIONAL_UNIT=IT
export PKI_COUNTRY=US
export PKI_LOCALITY="Agloe"
export PKI_PROVINCE="New York"

mkdir $PKI_ROOT

# Create the root CA:
easypki create --filename root --ca "Acme Inc. Certificate Authority"

# In the following commands, ca-name corresponds to the filename containing
# the CA.

# Create a server certificate for blog.acme.com and www.acme.com:
easypki create --ca-name root --dns blog.acme.com --dns www.acme.com www.acme.com

# Create an intermediate CA:
easypki create --ca-name root --filename intermediate --intermediate "Acme Inc. - Internal CA"

# Create a wildcard certificate for internal use, signed by the intermediate ca:
easypki create --ca-name intermediate --dns "*.internal.acme.com" "*.internal.acme.com"

# Create a client certificate:
easypki create --ca-name intermediate --client --email bob@acme.com bob@acme.com

# Revoke the www certificate.
easypki revoke $PKI_ROOT/root/certs/www.acme.com.crt

# Generate a CRL expiring in 1 day (PEM Output on stdout):
easypki crl --ca-name root --expire 1

You will find the generated certificates in $PKI_ROOT/ca_name/certs/ and private keys in $PKI_ROOT/ca_name/keys/

For more information about the available flags, check out the help: easypki -h.
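
A client that consumes the PEM CRL printed by `easypki crl` should check that the issuing CA signed it and that it has not passed its expiry before trusting its contents. The following Go code is an added example, not part of the easypki project: it uses only the standard library, assumes the PEM block type is "X509 CRL", and the names `isRevoked` and `demo` as well as the in-memory CA and CRL are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// isRevoked reports whether serial is listed in a PEM CRL that is signed by ca and still current.
func isRevoked(crlPEM []byte, ca *x509.Certificate, serial *big.Int, now time.Time) (bool, error) {
	block, _ := pem.Decode(crlPEM)
	if block == nil || block.Type != "X509 CRL" { // block type is an assumption about the CLI output
		return false, fmt.Errorf("input is not a PEM X509 CRL")
	}
	crl, err := x509.ParseRevocationList(block.Bytes)
	if err != nil || crl.CheckSignatureFrom(ca) != nil {
		return false, fmt.Errorf("CRL malformed or not signed by the given CA")
	}
	if now.After(crl.NextUpdate) { // a stale CRL may be missing recent revocations
		return false, fmt.Errorf("CRL expired at %s", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// demo builds constructed sample data in memory: a throwaway CA and a one-day CRL revoking serial 42.
func demo() ([]byte, *x509.Certificate, *big.Int, time.Time) {
	now, serial := time.Now(), big.NewInt(42)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	ca, _ := x509.ParseCertificate(der)
	list := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: now}}}
	der, _ = x509.CreateRevocationList(rand.Reader, list, ca, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: der}), ca, serial, now
}

func main() { fmt.Println(isRevoked(demo())) }
```

With real data, pass the bytes printed by `easypki crl` and the parsed certificate of the CA given in `--ca-name` instead of the constructed values.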

Disclaimer

This is not an official Google product.

Documentation

Overview

Package easypki provides helpers to manage a Public Key Infrastructure.

Index

Constants

This section is empty.

Variables

var (
	ErrCannotSelfSignNonCA = errors.New("cannot self sign non CA request")
	ErrMaxPathLenReached   = errors.New("max path len reached")
)

Signing errors.

Functions

This section is empty.

Types

type EasyPKI

type EasyPKI struct {
	Store store.Store
}

EasyPKI wraps helpers to handle a Public Key Infrastructure.

func (*EasyPKI) CRL

func (e *EasyPKI) CRL(caName string, expire time.Time) ([]byte, error)

CRL builds a CRL for a given CA based on the revoked certs.

func (*EasyPKI) GetBundle

func (e *EasyPKI) GetBundle(caName, name string) (*certificate.Bundle, error)

GetBundle fetches and returns a certificate bundle from the store.

func (*EasyPKI) GetCA

func (e *EasyPKI) GetCA(name string) (*certificate.Bundle, error)

GetCA fetches and returns the named Certificate Authority bundle from the store.

func (*EasyPKI) Revoke

func (e *EasyPKI) Revoke(caName string, cert *x509.Certificate) error

Revoke revokes the given certificate from the store.

func (*EasyPKI) Sign

func (e *EasyPKI) Sign(signer *certificate.Bundle, req *Request) error

Sign signs a generated certificate bundle based on the given request with the given signer.

type Request

type Request struct {
	Name                string
	IsClientCertificate bool
	PrivateKeySize      int
	Template            *x509.Certificate
}

Request is a struct for providing configuration to GenerateCertificate when actioning a certification generation request.

Directories

Path Synopsis
Package certificate provides helpers to manipulate certificates.
cmd
easypki
Command easypki provides a simple client to manage a local PKI.
example
Package store provides different methods to store a Public Key Infrastructure.
