Certificate Generation

This library offers lambda expressions that are able to maintain and update certificates and keys.

The package name is utilities.certs. Required packages:

The offered functions work together with the state library and therefore support the update feature if the state mechanism is used in the spiff usage scenario. Nevertheless, the functions can also be used without state support; in that case they just generate new keys and certificates on every run.

It is based on the x509 functions offered by spiff.

The generated values can be found under the value sub-node according to the rules of the state package. The second result field is input, containing the completed certificate/secret specification. The update parameter can be set to true if an update should be enforced. This feature only works when using the functions in a stateful scenario.

Generate a self-signed Certificate for a dedicated common name

    selfSignedCA(<common name>, <update>=false, <relpath>=[], relindex=0) -> state

The value field provides the fields:

  • key holding the private key
  • pub holding the public key
  • cert holding the certificate for the CA.

Generate a Key/Certificate Pair

    keyCertForCA(<certspec>, <ca>, <update>=false, <relpath>=[], relindex=0) -> state

The certificate specification uses the format of the function x509cert, but without the key and CA related fields. They are implicitly added from the given CA and the generated key. The CA is given just by a reference to a field set by the selfSignedCA function.

The value field provides the fields:

  • key holding the private key
  • pub holding the public key
  • cert holding the certificate signed by the CA
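A worked template, added here as an example (not from the spiff repository), that chains selfSignedCA and keyCertForCA in a stateful scenario. It assumes the ca argument is the state node returned by selfSignedCA, that x509cert accepts the spec fields commonName, hosts, usage and validity, and that validity is given in hours.

```yaml
state:
  <<: (( &state(merge none) ))
  # CA key/cert are generated on the first run and kept across runs via the state file
  ca: (( utilities.certs.selfSignedCA("example-ca") ))
  # server key/cert signed by the CA above; the spec carries no key or CA fields,
  # those are supplied by the generated key and the referenced CA state node
  server: (( utilities.certs.keyCertForCA(spec.server, ca) ))

spec:
  server:
    commonName: server.example.internal   # constructed sample name
    hosts:
      - server.example.internal
      - 10.0.0.10
    usage:                                # assumed x509cert usage values
      - ServerAuth
      - KeyEncipherment
    validity: 8760                        # assumed to be hours (one year)

# results live under .value of each state node; only the leaf cert/key are
# exposed to the rest of the manifest, the CA private key stays in the state
tls:
  ca_cert: (( state.ca.value.cert ))
  server_cert: (( state.server.value.cert ))
  server_key: (( state.server.value.key ))
```

Passing true as the third argument of keyCertForCA forces a re-issue of the server certificate on the next run while the CA node is left untouched.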

Generate a Certificate with an explicitly managed Specification

    keyCert(<certspec>, <update>=false, <relpath>=[], relindex=0) -> state

The certificate specification uses the format of the function x509cert. It just adds state support to the bare spiff function.

The value field provides the fields:

  • key holding the private key
  • pub holding the public key
  • cert holding the certificate

Generate an SSH Key Pair

    sshKey(<length>=2048, <update>=false, <relpath>=[], relindex=0) -> state

The value field provides the fields:

  • key holding the private key
  • pub holding the public key in ssh format

Generate a Random Secret with a dedicated Length

    secret(<default>, <length>, <update>=false, <relpath>=[], relindex=0) -> string

If no default (~) is given, a random string of alphanumeric characters of the given length is generated.

The value field directly contains the secret value.

Generate a Wireguard Key Pair

    wireguardKey(<update>=false, <relpath>=[], relindex=0)  -> state

The value field provides the fields:

  • key holding the private key
  • pub holding the public key

Tweaking the state access

By default the old state is always read using the stub() function, which accesses the same field that contains the state lambda in the stub (typically the state yaml). This is handled in the state library. It only works correctly, however, if the state expression directly generates the state fields.

The optional relpath parameter can be used to adjust the stub access (for accessing old state) in case of generating multiple state instances with map/sum generating implicit intermediate sub structures between the field containing the lambda expression and the generated state field.

For example, when generating wireguard keys for a dynamic set of names:

    names:
      - alice
      - bob
    state:
      <<: (( &state(merge none) ))
      wireguard: (( map{names|m|-> utilities.certs.wireguardKey(false, [m])} ))

The optional relindex parameter is used together with the relpath parameter. It specifies the relative location (from the end) where the relative path should be inserted into the path.