Documentation ¶
Overview ¶
Package ca provides easy to use certificate authority related functions. This is a lightweight wrapper around "crypto/x509" package for creating CA certs, client certs, signing requests, and more.
Any "cert, key []byte" type of function parameters and return types are always PEM encoded X.509 certificate and private key pairs. You can store the certificate/key pair with standard naming as "cert.pem" and "key.pem" in the file system.
This package is mostly based on the example code provided at: http://golang.org/src/crypto/tls/generate_cert.go
Example ¶
Example demonstrating the use of neptulon/ca with a tls.Listener.
package main import ( "crypto/tls" "log" "time" "github.com/neptulon/ca" ) func main() { // create CA and server certificates along with ready-to-use tls.Conf object that uses generated certs certChain, certErr := ca.GenCertChain("FooBar", "127.0.0.1", "127.0.0.1", time.Hour, 512) if certErr != nil { log.Fatal(certErr) } /*listener*/ _, tlsErr := tls.Listen("tcp", "127.0.0.1:4444", certChain.ServerTLSConf) if tlsErr != nil { log.Fatal(tlsErr) } // todo: uncomment /*listener*/ and use listener.Accept() to start accepting connections }
Output:
Index ¶
- func GenCACert(subject pkix.Name, validFor time.Duration, keyLength int, ...) (cert, key []byte, err error)
- func GenClientCert(subject pkix.Name, validFor time.Duration, keyLength int, ...) (cert, key []byte, err error)
- func GenServerCert(subject pkix.Name, host string, validFor time.Duration, keyLength int, ...) (cert, key []byte, err error)
- type CertChain
Examples ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GenCACert ¶
func GenCACert(subject pkix.Name, validFor time.Duration, keyLength int, signingCert, signingKey []byte) (cert, key []byte, err error)
GenCACert generates a CA certificate. If signingCert and signingKey are not provided, the certificate is created as a self-signed root CA. If signingCert and signingKey are provided, the certificate is created as an intermediate CA, signed with provided certificate. The generated certificate can only be used for signing other certificates and CRLs. The returned slices are the PEM encoded X.509 certificate and private key pair.
func GenClientCert ¶
func GenClientCert(subject pkix.Name, validFor time.Duration, keyLength int, signingCert, signingKey []byte) (cert, key []byte, err error)
GenClientCert generates a client certificate. The generated certificate will have its extended key usage set to 'client authentication' and will be ready for use in TLS client authentication. The returned slices are the PEM encoded X.509 certificate and private key pair.
func GenServerCert ¶
func GenServerCert(subject pkix.Name, host string, validFor time.Duration, keyLength int, signingCert, signingKey []byte) (cert, key []byte, err error)
GenServerCert generates a hosting certificate for TLS servers. host = Comma-separated hostnames and IPs to generate a certificate for. i.e. "localhost,127.0.0.1" The returned slices are the PEM encoded X.509 certificate and private key pair.
Types ¶
type CertChain ¶
type CertChain struct { RootCACert, RootCAKey, IntCACert, IntCAKey, ServerCert, ServerKey, ClientCert, ClientKey []byte ServerTLSConf, ClientTLSConf *tls.Config }
CertChain is a ready to use certificate chain object, created by GenCertChain function. Byte slices are the PEM encoded X.509 certificate and private key pairs. ServerTLSConf/ClientTLSConf are tead to use tls.Config objects for a TLS server and client.
func GenCertChain ¶
func GenCertChain(name, host, hostName string, validFor time.Duration, keyLength int) (c CertChain, err error)
GenCertChain generates an entire certificate chain with the following hierarchy: Root CA -> Intermediate CA -> Server Certificate & Client Certificate
name = Certificate name. i.e. FooBar host = Comma-separated hostnames and IPs to generate the server certificate for. i.e. "localhost,127.0.0.1" hostName = Server host address. i.e. foobar.com