Documentation
Overview
Package certsetup with server side creation of a self-signed certificate chain using ECDSA keys. Credits: https://gist.github.com/shaneutt/5e1995295cff6721c89a71d13a71c251
Index
- Constants
- func CreateCertificateBundle(names []string, certFolder string) error
- func CreateHubCA() (cert *x509.Certificate, key *ecdsa.PrivateKey)
- func CreateHubClientCert(clientID string, ou string, ownerPubKey *ecdsa.PublicKey, ...) (clientCert *x509.Certificate, err error)
- func CreateHubServerCert(names []string, caCert *x509.Certificate, caPrivKey *ecdsa.PrivateKey) (cert *tls.Certificate, err error)
Constants
const (
	// Default OU with no API access permissions
	OUNone = ""
	// OUClient lets a client connect to the message bus
	OUClient = "client"
	// OUIoTDevice indicates the client is an IoT device that can connect to the message bus,
	// perform discovery and request provisioning.
	// Provision API permissions: GetDirectory, ProvisionRequest, GetStatus
	OUIoTDevice = "iotdevice"
	// OUAdmin lets a client approve thing provisioning (postOOB), add and remove users
	// Provision API permissions: GetDirectory, ProvisionRequest, GetStatus, PostOOB
	OUAdmin = "admin"
	// OUPlugin marks a client as a plugin.
	// By default, plugins have full permission to all APIs
	// Provision API permissions: Any
	OUPlugin = "plugin"
	// OUService marks a certificate as that of a Hub service.
	// By default, services have full permission to all APIs
	// Provision API permissions: Any
	OUService = "service"
)
Organizational Units for client authorization are stored in the client certificate OU field.
const CertOrgLocality = "WoST zone"
const CertOrgName = "WoST"
Certificate organization name
const DefaultCertDurationDays = 365
const DefaultPluginClientID = "plugin"
DefaultPluginClientID in the certificate is standard for all plugins
const TempCertDurationDays = 1
Variables
This section is empty.
Functions
func CreateCertificateBundle
func CreateCertificateBundle(names []string, certFolder string) error
CreateCertificateBundle is a convenience function to create the Hub CA, server and (plugin) client certificates into the given folder.
The CA certificate will only be created if missing
The plugin keys and certificate will always be recreated
The service keys and certificate will always be recreated
names contains the list of hostnames and IP addresses the hub can be reached at. Used in the hub cert.
certFolder is the folder in which to create the certificates.
func CreateHubCA
func CreateHubCA() (cert *x509.Certificate, key *ecdsa.PrivateKey)
CreateHubCA creates the WoST Hub Root CA certificate and private key for signing server certificates. Source: https://shaneutt.com/blog/golang-ca-and-signed-cert-go/
This creates a CA certificate used for signing client and server certificates. The CA is valid for 'caDurationYears'.
temporary set to generate a temporary CA for one-off signing
func CreateHubClientCert
func CreateHubClientCert(clientID string, ou string, ownerPubKey *ecdsa.PublicKey, caCert *x509.Certificate, caPrivKey *ecdsa.PrivateKey, start time.Time, durationDays int) (clientCert *x509.Certificate, err error)
CreateHubClientCert creates a hub client certificate for mutual authentication from the client's public key. The client role is intended for role-based authorization. It is stored in the certificate OrganizationalUnit. See OUxxx.
This generates a TLS client certificate with keys
clientID used as the CommonName, eg pluginID or deviceID
ou of the client role, eg OUNone, OUClient, OUPlugin
ownerPubKey the public key of the certificate holder
caCert CA's certificate for signing
caPrivKey CA's ECDSA key for signing
start time the certificate is first valid. Intended for testing. Use time.Now()
durationDays nr of days the certificate will be valid
Returns the signed TLS certificate or error
func CreateHubServerCert
func CreateHubServerCert(names []string, caCert *x509.Certificate, caPrivKey *ecdsa.PrivateKey) (cert *tls.Certificate, err error)
CreateHubServerCert creates a new Hub service certificate and private key. The certificate is valid for the given names, either local domain names or IP addresses. The server must have a fixed IP.
names contains one or more domain names and/or IP addresses the Hub can be reached on, to add to the certificate
caCert is the CA to sign the server certificate
caPrivKey is the CA private key to sign the server certificate
returns the signed Server TLS certificate
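The three functions above (CreateHubCA, CreateHubServerCert, CreateHubClientCert) together with the OU constants describe one chain: a self-signed ECDSA root, a server certificate whose SANs are the hub's hostnames and IPs, and client certificates that carry a role in the OU field. The following Go program is an added example that is not the certsetup package's own code; it uses the standard library only and the helper names (sign, newCA, newServerCert, newClientCert, clientRole) are invented here, with parameter shapes chosen to mirror the documented functions. It also shows the server-side check the OU constants imply: the OU is only trusted as a role after the certificate has been verified against the hub CA for client authentication.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

const OUNone, OUClient, OUPlugin = "", "client", "plugin" // role OUs copied from the page; OUNone = no API access

// sign gives tmpl a random 128-bit serial, signs it with the parent's key and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	sn, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = sn
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA builds a self-signed ECDSA P-256 root CA that may only sign leaf certificates.
func newCA(days int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{Organization: []string{"WoST"}, CommonName: "WoST Hub CA"},
		NotBefore:             time.Now().Add(-time.Minute), // tolerate small clock skew
		NotAfter:              time.Now().AddDate(0, 0, days),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // no intermediate CAs below this root
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key) // parent == template: self-signed
	return cert, key, err
}

// newServerCert issues a server certificate whose SANs are the given hostnames and/or IP addresses.
func newServerCert(names []string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, days int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{Organization: []string{"WoST"}, CommonName: "WoST Hub"},
		NotBefore:   time.Now().Add(-time.Minute),
		NotAfter:    time.Now().AddDate(0, 0, days),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	for _, n := range names { // IP literals become IP SANs, anything else a DNS SAN
		if ip := net.ParseIP(n); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, n)
		}
	}
	cert, err := sign(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// newClientCert issues a client-auth certificate for the holder of pub, with the role in the OU field.
func newClientCert(clientID, ou string, pub *ecdsa.PublicKey, ca *x509.Certificate, caKey *ecdsa.PrivateKey, start time.Time, days int) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{Organization: []string{"WoST"}, CommonName: clientID},
		NotBefore:   start,
		NotAfter:    start.AddDate(0, 0, days),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ou != OUNone { // OUNone leaves the OU attribute out entirely
		tmpl.Subject.OrganizationalUnit = []string{ou}
	}
	return sign(tmpl, ca, pub, caKey)
}

// clientRole is the server-side check: the certificate must chain to ca, be within its validity
// period and carry the client-auth usage; only then is its OU returned as the role.
func clientRole(cert, ca *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(ca)
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	if len(cert.Subject.OrganizationalUnit) == 0 {
		return OUNone, nil
	}
	return cert.Subject.OrganizationalUnit[0], nil
}
```

Two design points matter for a deployment like the one documented: the client certificate is issued against the owner's public key, so the CA never holds client private keys, and clientRole refuses a server certificate presented as a client identity (wrong ExtKeyUsage), a certificate from any other CA, and a certificate outside its validity window before it ever looks at the OU.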
Types
This section is empty.