A service for managing public key infrastructures via a RESTful interface.
- Manage multiple root CAs
- Create signed sub-CAs
- Create signed server certificates
- Create signed client certificates
- RSA or ECC keys
- Revoke sub-CAs, clients or servers
- Automatically create CRLs
- Selectable storage layers
  - leveldb
  - raw filesystem
  - more coming soon...
- Can be built completely static (no dependency on OpenSSL etc.)
- Should run on Linux, Mac and Windows
> go get github.com/trusch/pkid
> pkid --storage leveldb:///usr/share/pkid --listen 0.0.0.0:80
These endpoints are used to create keys and issue certificates.
Options for all following endpoints are:

name
: string (required)

curve
: string (optional, default: P521) - valid values: P521, P384, P256, P224

rsaBits
: int (optional) - valid values: 4096, 2048, 1024

notBefore
: int (optional, seconds since epoch, defaults to current time)

validFor
: string (optional, example: 12h30m, defaults to 8760h, i.e. one year)
- Request:
POST /ca?name=my-ca-name
- Response: {uuid}
- Request:
POST /ca/{root-uuid}/ca?name=my-sub-ca
- Response: {uuid}
- Request:
POST /ca/{root-uuid}/client?name=my-client
- Response: {uuid}
- Request:
POST /ca/{root-uuid}/server?name=my-server
- Response: {uuid}
These endpoints are used to retrieve generated certificates and keys.
- Request:
GET /ca/{root-uuid}/cert
- Response: {pem certificate data}
- Request:
GET /ca/{root-uuid}/key
- Response: {pem key data}
- Request:
GET /ca/{root-uuid}/client/{uuid}/cert
- Response: {pem certificate data}
- Request:
GET /ca/{root-uuid}/client/{uuid}/key
- Response: {pem key data}
These endpoints can be used to revoke certificates and get the resulting CRL.
- Request:
POST /ca/{root-uuid}/ca/{uuid}/revoke
- Response: "revoked"
- Request:
POST /ca/{root-uuid}/server/{uuid}/revoke
- Response: "revoked"
- Request:
POST /ca/{root-uuid}/client/{uuid}/revoke
- Response: "revoked"
- Request:
GET /ca/{root-uuid}/crl
- Response: {pem crl data}
These endpoints can be used to gather information about a specific CA.
- Request:
GET /ca/{root-uuid}
- Response:
    {
      "Entity": {
        "ID": "{uuid}",
        "Name": "my-ca",
        "IsRevoked": false
      },
      "Revoked": [2,5,6],
      "CAs": {
        "{uuid}": "my-sub-ca"
      },
      "Clients": {
        "{uuid}": "my-client"
      },
      "Servers": {
        "{uuid}": "my-server"
      }
    }
- Request:
GET /ca/{root-uuid}/ca
- Response:
    {
      "{uuid}": "my-sub-ca"
    }
- Request:
GET /ca/{root-uuid}/client
- Response:
    {
      "{uuid}": "my-client"
    }
- Request:
GET /ca/{root-uuid}/server
- Response:
    {
      "{uuid}": "my-server"
    }