-
Notifications
You must be signed in to change notification settings - Fork 18
/
gencerts.go
106 lines (92 loc) · 2.59 KB
/
gencerts.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
package main
import (
"bytes"
"crypto/rand"
"crypto/rsa"
"crypto/sha1"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"fmt"
"io/ioutil"
"math/big"
"os"
"path/filepath"
"time"
)
var (
// The "never expires" timestamp from RFC5280. Probably not a good
// idea in practice.
neverExpires = time.Date(9999, 12, 31, 23, 59, 59, 0, time.UTC)
)
func main() {
if len(os.Args) < 2 {
fmt.Fprintln(os.Stderr, "usage: gencerts NAME1 [NAME2...]")
os.Exit(1)
}
caKey := generateRSAKey()
caCert := createRootCertificate(caKey, &x509.Certificate{
SerialNumber: big.NewInt(1),
BasicConstraintsValid: true,
IsCA: true,
NotAfter: neverExpires,
Subject: pkix.Name{CommonName: "agent CA"},
})
writeCerts(filepath.Join("docker", "spire-server", "conf", "agent-cacert.pem"), caCert)
for _, name := range os.Args[1:] {
agentKey := generateRSAKey()
agentCert := createCertificate(agentKey, &x509.Certificate{
SerialNumber: big.NewInt(1),
KeyUsage: x509.KeyUsageDigitalSignature,
NotAfter: neverExpires,
Subject: pkix.Name{CommonName: fmt.Sprintf("%s agent", name)},
}, caKey, caCert)
dir := filepath.Join("docker", name, "conf")
writeKey(filepath.Join(dir, "agent.key.pem"), agentKey)
writeCerts(filepath.Join(dir, "agent.crt.pem"), agentCert)
fingerprint := sha1.Sum(agentCert.Raw)
fmt.Printf("%x %s\n", fingerprint, name)
}
}
func createRootCertificate(key *rsa.PrivateKey, tmpl *x509.Certificate) *x509.Certificate {
return createCertificate(key, tmpl, key, tmpl)
}
func createCertificate(key *rsa.PrivateKey, tmpl *x509.Certificate, parentKey *rsa.PrivateKey, parent *x509.Certificate) *x509.Certificate {
certDER, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
checkErr(err)
cert, err := x509.ParseCertificate(certDER)
checkErr(err)
return cert
}
func generateRSAKey() *rsa.PrivateKey {
key, err := rsa.GenerateKey(rand.Reader, 768)
checkErr(err)
return key
}
func writeKey(path string, key interface{}) {
keyBytes, err := x509.MarshalPKCS8PrivateKey(key)
checkErr(err)
pemBytes := pem.EncodeToMemory(&pem.Block{
Type: "PRIVATE KEY",
Bytes: keyBytes,
})
err = ioutil.WriteFile(path, pemBytes, 0600)
checkErr(err)
}
func writeCerts(path string, certs ...*x509.Certificate) {
data := new(bytes.Buffer)
for _, cert := range certs {
err := pem.Encode(data, &pem.Block{
Type: "CERTIFICATE",
Bytes: cert.Raw,
})
checkErr(err)
}
err := ioutil.WriteFile(path, data.Bytes(), 0644)
checkErr(err)
}
func checkErr(err error) {
if err != nil {
panic(err)
}
}