certsetup

package
v0.0.0-...-fa8cb71

This package is not in the latest version of its module.
Published: Nov 10, 2021 License: MIT Imports: 13 Imported by: 0

Documentation

Overview

Package certsetup provides server-side creation of a self-signed certificate chain using ECDSA keys. Credits: https://gist.github.com/shaneutt/5e1995295cff6721c89a71d13a71c251

Index

Constants

const (
	// OUNone is the default OU with no API access permissions
	OUNone = ""

	// OUClient lets a client connect to the message bus
	OUClient = "client"

	// OUIoTDevice indicates the client is an IoT device that can connect to the message bus,
	// perform discovery and request provisioning.
	// Provision API permissions: GetDirectory, ProvisionRequest, GetStatus
	OUIoTDevice = "iotdevice"

	// OUAdmin lets a client approve thing provisioning (PostOOB) and add and remove users.
	// Provision API permissions: GetDirectory, ProvisionRequest, GetStatus, PostOOB
	OUAdmin = "admin"

	// OUPlugin marks a client as a plugin.
	// By default, plugins have full permission to all APIs.
	// Provision API permissions: Any
	OUPlugin = "plugin"

	// OUService marks a certificate as that of a Hub service.
	// By default, services have full permission to all APIs.
	// Provision API permissions: Any
	OUService = "service"
)

The organizational unit used for client authorization is stored in the OU field of the client certificate.

const CertOrgLocality = "WoST zone"

const CertOrgName = "WoST"

Certificate organization name

const DefaultCertDurationDays = 365

const DefaultPluginClientID = "plugin"

DefaultPluginClientID in the certificate is standard for all plugins

const TempCertDurationDays = 1

Variables

This section is empty.

Functions

func CreateCertificateBundle

func CreateCertificateBundle(names []string, certFolder string) error

CreateCertificateBundle is a convenience function that creates the Hub CA, server and (plugin) client certificates in the given folder.

  • The CA certificate will only be created if missing
  • The plugin keys and certificate will always be recreated
  • The service keys and certificate will always be recreated

names contains the list of hostnames and IP addresses the Hub can be reached at; used in the Hub certificate.
certFolder is the folder in which to create the certificates.

func CreateHubCA

func CreateHubCA() (cert *x509.Certificate, key *ecdsa.PrivateKey)

CreateHubCA creates the WoST Hub root CA certificate and private key for signing server certificates. Source: https://shaneutt.com/blog/golang-ca-and-signed-cert-go/ This creates a CA certificate used for signing client and server certificates. The CA is valid for 'caDurationYears'.

temporary: set to generate a temporary CA for one-off signing

func CreateHubClientCert

func CreateHubClientCert(clientID string, ou string,
	ownerPubKey *ecdsa.PublicKey, caCert *x509.Certificate, caPrivKey *ecdsa.PrivateKey,
	start time.Time, durationDays int) (clientCert *x509.Certificate, err error)

CreateHubClientCert creates a Hub client certificate for mutual authentication from the client's public key. The client role is intended for role-based authorization; it is stored in the certificate OrganizationalUnit field. See the OUxxx constants.

This generates a TLS client certificate with keys

clientID is used as the CommonName, e.g. a pluginID or deviceID
ou is the client role, e.g. OUNone, OUClient, OUPlugin
ownerPubKey is the public key of the certificate holder
caCert is the CA certificate used for signing
caPrivKey is the CA's ECDSA private key used for signing
start is the time from which the certificate is first valid; intended for testing, otherwise use time.Now()
durationDays is the number of days the certificate will be valid

Returns the signed TLS certificate or an error
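The scheme described above, as an added stand-alone Go example that is not the certsetup package's own code: a self-signed ECDSA Hub CA, a client certificate whose OU carries the role, and the server-side check that reads the OU role only after the certificate verifies against the Hub CA. The function names `issue`, `NewHubCA` and `ClientRole`, the organization name "WoST", the P-256 curve and the validity periods are assumptions made for this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs one ECDSA certificate (example helper, not certsetup's): a nil parent yields the
// self-signed Hub CA, otherwise a TLS client certificate for pub whose OU carries the client's role.
func issue(cn, ou string, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey, days int) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: parent == nil, BasicConstraintsValid: parent == nil,
		Subject:      pkix.Name{Organization: []string{"WoST"}, OrganizationalUnit: []string{ou}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // a CA signs certificates and is not itself a TLS client
		tmpl.KeyUsage, tmpl.ExtKeyUsage, parent = x509.KeyUsageCertSign, nil, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// NewHubCA creates the root key and self-signed CA certificate (example stand-in for CreateHubCA).
func NewHubCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	cert, err := issue("Hub CA", "", &key.PublicKey, nil, key, 365)
	return cert, key, err
}
// ClientRole is the server-side authorization step: the OU role is trusted only after the
// certificate verifies against the Hub CA for client auth; any other issuer yields an error.
func ClientRole(cert, ca *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	if ous := cert.Subject.OrganizationalUnit; len(ous) > 0 {
		return ous[0], nil
	}
	return "", nil // no OU is OUNone: the client has no API permissions
}
```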

func CreateHubServerCert

func CreateHubServerCert(names []string, caCert *x509.Certificate, caPrivKey *ecdsa.PrivateKey) (cert *tls.Certificate, err error)

CreateHubServerCert creates a new Hub service certificate and private key. The certificate is valid for the given names, either local domain names or IP addresses. The server must have a fixed IP.

names contains one or more domain names and/or IP addresses the Hub can be reached on, to add to the certificate
caCert is the CA certificate used to sign the server certificate
caPrivKey is the CA private key used to sign the server certificate

Returns the signed server TLS certificate

Types

This section is empty.
