certcut

package module
v0.8.1 Latest
Warning: This package is not in the latest version of its module.

Published: Jan 4, 2023 License: MIT Imports: 15 Imported by: 0

README

certcut

Quick certificate generation and loading.

Install

go get -u github.com/grimdork/certcut

Why

I needed simpler, automated generation of self-signed server and client certificates for various projects, both gRPC client certificate authentication and other servers.

How

Generating a server certificate
// Create the root (CA) certificate and key; client certificates are signed with these
cacert, cakey, err := certcut.NewRootCert("Miskatonic U.", 4096) // 2048 is the default if you supply anything less
if err != nil {
	return err
}

Get the PEM with CertPEM() and PrivateKeyPEM(). You can load them with LoadCertFromPEM() and LoadPrivateKeyFromPEM(). Use x509.CreateRevocationList() to create CRLs, and load them with x509.LoadCRLFromPEM().

Note that this package only sets the Common Name on certificates and signing requests, as it is intended for internal use and not for generating certificates or signing requests for a public CA.

Signing a client certificate
// Continuing from the above example, we generate the key and cert for a client.
// The key will be 4096 bits.
crt, key, err := certcut.GetSignedCert(cacert, cakey, "Staff")
if err != nil {
	return err
}

If you want more control over the process, for example to store the signing request, you can use NewCSR() to generate a CSR, and then NewClientCert() to sign it.

gRPC

There's a convenience function for the grpc package to load both the CA cert and the client cert at once into a TLS config:

creds, err := certcut.NewClientTLSFromFiles("server.crt", "client.crt", "client.key")
...
conn, err := grpc.Dial(address, grpc.WithTransportCredentials(creds))

It's a drop-in replacement for gRPC's NewClientTLSFromFile().
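The flow the README walks through above (root CA, client certificate signed by it, PEM written out, CA loaded back and the chain verified), as an added example that is not certcut's own code. It uses only the Go standard library so it runs without fetching the module, and mirrors NewRootCert, GetSignedCert, CertPEM and the root-CA loading that NewClientTLSFromFiles does in functions of its own (newRootCert, getSignedCert, certPEM, verifyClient). It signs the client's public key directly where certcut goes through a CSR, uses 2048-bit client keys where certcut uses 4096, and assumes a one-year client lifetime, which the page does not state.

```go
// Added example, not certcut's own code: the README flow on the standard library
// only. Names are the example's own; 2048-bit client keys and a one-year client lifetime are assumed.
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// serialLimit bounds the random serial number (NewSerial's random big.Int).
var serialLimit = new(big.Int).Lsh(big.NewInt(1), 128)

// newRootCert mirrors NewRootCert/NewCA: self-signed CA, CertSign|CRLSign usage, ten-year NotAfter.
func newRootCert(cn string, bits int) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, serialLimit)
	if err != nil {
		return nil, nil, err
	}
	tpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// getSignedCert mirrors GetSignedCert: new key, CA-signed client-auth leaf (certcut goes via a CSR).
func getSignedCert(ca *x509.Certificate, cakey *rsa.PrivateKey, cn string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, serialLimit)
	if err != nil {
		return nil, nil, err
	}
	tpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, ca, &key.PublicKey, cakey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// certPEM is the write side of the round trip (CertPEM).
func certPEM(der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// verifyClient loads the CA from PEM (as NewClientTLSFromFiles does for RootCAs) and chains the leaf to it.
func verifyClient(caPEM []byte, leaf *x509.Certificate) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("no CA certificate found in PEM")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	ca, cakey, err := newRootCert("Miskatonic U.", 4096)
	if err != nil {
		panic(err)
	}
	leaf, _, err := getSignedCert(ca, cakey, "Staff")
	if err != nil {
		panic(err)
	}
	fmt.Println("Staff chains to CA:", verifyClient(certPEM(ca.Raw), leaf) == nil)
}
```

verifyClient is the check a server performs on a presented client certificate: the same leaf against a different root, or a PEM input with no certificate in it, is rejected, which is why loading the CA certificate, and not only the client pair, is what makes verified connections work.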

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CSRPEM

func CSRPEM(b []byte) []byte

CSRPEM converts a certificate signing request to PEM format.

func CertPEM

func CertPEM(b []byte) []byte

CertPEM converts a certificate to PEM format.

func GetSignedCert added in v0.5.0

func GetSignedCert(ca *x509.Certificate, cakey *rsa.PrivateKey, name string) (*x509.Certificate, *rsa.PrivateKey, error)

GetSignedCert returns a client certificate and its key, with the certificate signed by the provided CA. It creates a CSR internally and discards it after use. The returned key is 4096 bits.

func HashSubjectKeyID

func HashSubjectKeyID(key *rsa.PublicKey) ([]byte, error)

HashSubjectKeyID returns the hash for a public key.

func LoadCSRFromPEM

func LoadCSRFromPEM(path string) (*x509.CertificateRequest, error)

LoadCSRFromPEM returns an x509 CertificateRequest.

func LoadCertFromPEM

func LoadCertFromPEM(path string) (*x509.Certificate, error)

LoadCertFromPEM reads a PEM file and returns the parsed x509 certificate.

func LoadPrivateKeyFromPEM

func LoadPrivateKeyFromPEM(path string) (*rsa.PrivateKey, error)

LoadPrivateKeyFromPEM returns a parsed private key structure.

func LoadPublicKeyFromPEM

func LoadPublicKeyFromPEM(path string) (any, error)

LoadPublicKeyFromPEM returns a parsed public key structure.

func NewCA

func NewCA(key *rsa.PrivateKey, cn string) ([]byte, error)

NewCA creates a new certificate authority from which client certificates can then be issued. The NotAfter date is set to 10 years from now.

func NewCAFromTemplate added in v0.6.0

func NewCAFromTemplate(key *rsa.PrivateKey, tpl *x509.Certificate) ([]byte, error)

NewCAFromTemplate creates a new certificate authority from a template for more control. The minimum field required is CommonName. A serial number will be generated, and empty dates will be filled in with the same defaults as NewCA. Empty KeyUsage fields will be filled in with x509.KeyUsageCertSign | x509.KeyUsageCRLSign.

func NewCSR

func NewCSR(key *rsa.PrivateKey, cn string) ([]byte, error)

NewCSR creates a new certificate signing request.

func NewClientCert

func NewClientCert(authkey *rsa.PrivateKey, hostkey *rsa.PrivateKey, cn string, ca *x509.Certificate, csr *x509.CertificateRequest) ([]byte, error)

NewClientCert makes certificates for client authentication.

func NewClientCertFromTemplate added in v0.6.0

func NewClientCertFromTemplate(authkey *rsa.PrivateKey, hostkey *rsa.PrivateKey, tpl *x509.Certificate, ca *x509.Certificate, csr *x509.CertificateRequest) ([]byte, error)

NewClientCertFromTemplate makes certificates for client authentication from a template for more control. The minimum field required is CommonName. MaxPathLenZero is set to false to indicate it's a client certificate. A serial number will be generated, and empty dates will be filled in with the same defaults as NewClientCert.
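The default-filling that the NewCAFromTemplate and NewClientCertFromTemplate entries describe (CommonName required, serial generated, empty dates and KeyUsage given defaults, MaxPathLenZero false for clients, caller-supplied fields kept), as an added example that is not certcut's own code. fillTemplate and newCAFromTemplate are this example's names; the ten-year CA lifetime and the CertSign|CRLSign usage are documented on the page, while the one-year client lifetime and the IsCA/BasicConstraintsValid flags on the CA template are this example's assumptions.

```go
// Added example, not certcut's own code: the default-filling the
// NewCAFromTemplate and NewClientCertFromTemplate docs describe, with the caller's
// explicit values kept. fillTemplate and newCAFromTemplate are this example's
// names; the one-year client lifetime is an assumption, the CA values are documented.
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// fillTemplate completes a template: CommonName is required; a serial is
// generated when missing; zero dates get the defaults; a CA without KeyUsage
// gets CertSign|CRLSign; a client gets MaxPathLenZero=false. Set fields are kept.
func fillTemplate(tpl *x509.Certificate, isCA bool) error {
	if tpl == nil || tpl.Subject.CommonName == "" {
		return errors.New("template needs at least a CommonName")
	}
	if tpl.SerialNumber == nil {
		serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
		if err != nil {
			return err
		}
		tpl.SerialNumber = serial
	}
	if tpl.NotBefore.IsZero() {
		tpl.NotBefore = time.Now()
	}
	if tpl.NotAfter.IsZero() {
		years := 1 // assumed client default; the page states no value for NewClientCert
		if isCA {
			years = 10 // NewCA's documented default
		}
		tpl.NotAfter = tpl.NotBefore.AddDate(years, 0, 0)
	}
	if isCA {
		tpl.IsCA, tpl.BasicConstraintsValid = true, true // assumed: a CA must carry the CA constraint
		if tpl.KeyUsage == 0 {
			tpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		}
	} else {
		tpl.MaxPathLenZero = false
	}
	return nil
}

// newCAFromTemplate mirrors NewCAFromTemplate: fill the defaults, then self-sign
// and return the DER bytes.
func newCAFromTemplate(key *rsa.PrivateKey, tpl *x509.Certificate) ([]byte, error) {
	if err := fillTemplate(tpl, true); err != nil {
		return nil, err
	}
	return x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tpl := &x509.Certificate{Subject: pkix.Name{CommonName: "Miskatonic U."}}
	der, err := newCAFromTemplate(key, tpl)
	if err != nil {
		panic(err)
	}
	ca, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CA %q serial %s expires %s\n", ca.Subject.CommonName, ca.SerialNumber, ca.NotAfter.Format("2006-01-02"))
}
```

The point of the precedence rule is that a caller who sets a shorter lifetime or a narrower KeyUsage keeps it; defaults only ever fill gaps, so a template cannot silently become broader than what was written.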

func NewClientTLSFromFiles added in v0.3.0

func NewClientTLSFromFiles(servercert, clientcert, clientkey string) (credentials.TransportCredentials, error)

NewClientTLSFromFiles is an improved version of gRPC's NewClientTLSFromFile which also loads the root certificate for the certificate authority so that connections actually work with verification.

func NewKey

func NewKey(bits int) (*rsa.PrivateKey, error)

NewKey creates a new RSA key for certificate generation and signing.

func NewRootCert added in v0.5.0

func NewRootCert(cn string, bits int) (*x509.Certificate, *rsa.PrivateKey, error)

NewRootCert creates a root certificate and its key in one function.

func NewSerial

func NewSerial() (*big.Int, error)

NewSerial generates a random big.Int for use as a certificate serial number.

func NewTemplate

func NewTemplate() *x509.Certificate

NewTemplate returns a base x509 certificate template for server and client certificates.

func PrivateKeyPEM

func PrivateKeyPEM(key *rsa.PrivateKey) []byte

PrivateKeyPEM converts a private key to PEM format.

func PublicKeyPEM

func PublicKeyPEM(key *rsa.PublicKey) ([]byte, error)

PublicKeyPEM converts a public key to PEM format.

Types

This section is empty.
