A service for managing public key infrastructures (PKI) via a RESTful interface.
- Manage multiple root CAs
- Create signed sub-CAs
- Create signed server certificates
- Create signed client certificates
- RSA or ECC keys
- Revoke sub-CAs, clients or servers
- Automatically create CRLs
- Selectable storage layers
  - leveldb
  - raw filesystem
  - more coming soon...
- Can be built completely static, so no dependency on OpenSSL etc.
- Should run on Linux, Mac and Windows
> go get github.com/trusch/pkid
> pkid --storage leveldb:///usr/share/pkid --listen 0.0.0.0:80

These endpoints are used to create keys and issue certificates.
Options for all following endpoints are:
- name: string (required)
- curve: string (optional, default: P521); valid values: P521, P384, P256, P224
- rsaBits: int (optional); valid values: 4096, 2048, 1024
- notBefore: int (optional, seconds since the epoch, defaults to the current time)
- validFor: string (optional, example: 12h30m, defaults to 8760h, i.e. 1 year)
- Request: POST /ca?name=my-ca-name
- Response: {uuid}

- Request: POST /ca/{root-uuid}/ca?name=my-sub-ca
- Response: {uuid}

- Request: POST /ca/{root-uuid}/client?name=my-client
- Response: {uuid}

- Request: POST /ca/{root-uuid}/server?name=my-server
- Response: {uuid}
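As an added example (not code from the pkid project), the Go helper below builds the request URLs for the four issuance endpoints above and checks the option values against the documented constraints before a request is sent. The `IssueOptions` type, the base URL, the `kind` argument and the local minimum of 2048 RSA bits are assumptions of this example: pkid itself accepts 1024 according to the list above, the client policy here just refuses to ask for it.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// IssueOptions mirrors the query parameters documented for the pkid
// issuance endpoints. Zero values mean "omit the parameter".
type IssueOptions struct {
	Name      string
	Curve     string
	RSABits   int
	NotBefore int64         // seconds since the Unix epoch
	ValidFor  time.Duration // 0 means use the server default (8760h)
}

// validCurves and validRSABits are exactly the values the README lists.
var validCurves = map[string]bool{"P521": true, "P384": true, "P256": true, "P224": true}
var validRSABits = map[int]bool{4096: true, 2048: true, 1024: true}

// minRSABits is a local policy choice of this example (an assumption, not a
// pkid rule): the server accepts 1024-bit keys, this client refuses to request them.
const minRSABits = 2048

// Validate checks the options against the documented constraints plus the
// local key-strength policy above.
func (o IssueOptions) Validate() error {
	if o.Name == "" {
		return errors.New("name is required")
	}
	if o.Curve != "" && !validCurves[o.Curve] {
		return fmt.Errorf("unsupported curve %q", o.Curve)
	}
	if o.RSABits != 0 {
		if !validRSABits[o.RSABits] {
			return fmt.Errorf("unsupported rsaBits %d", o.RSABits)
		}
		if o.RSABits < minRSABits {
			return fmt.Errorf("rsaBits %d is below the local minimum of %d", o.RSABits, minRSABits)
		}
	}
	if o.ValidFor < 0 {
		return errors.New("validFor must not be negative")
	}
	return nil
}

// IssueURL builds the URL for one issuance endpoint. kind is "ca", "client"
// or "server"; an empty rootUUID selects POST /ca (a new root CA).
func IssueURL(base, rootUUID, kind string, o IssueOptions) (string, error) {
	if err := o.Validate(); err != nil {
		return "", err
	}
	var path string
	if rootUUID == "" {
		if kind != "ca" {
			return "", errors.New("only a root CA can be created without a root uuid")
		}
		path = "/ca"
	} else {
		switch kind {
		case "ca", "client", "server":
		default:
			return "", fmt.Errorf("unknown entity kind %q", kind)
		}
		path = "/ca/" + url.PathEscape(rootUUID) + "/" + kind
	}
	q := url.Values{}
	q.Set("name", o.Name)
	if o.Curve != "" {
		q.Set("curve", o.Curve)
	}
	if o.RSABits != 0 {
		q.Set("rsaBits", strconv.Itoa(o.RSABits))
	}
	if o.NotBefore != 0 {
		q.Set("notBefore", strconv.FormatInt(o.NotBefore, 10))
	}
	if o.ValidFor != 0 {
		// Duration.String() yields e.g. "12h30m0s", which time.ParseDuration accepts.
		q.Set("validFor", o.ValidFor.String())
	}
	return base + path + "?" + q.Encode(), nil
}

func main() {
	u, err := IssueURL("http://localhost", "", "ca", IssueOptions{Name: "my-ca-name"})
	fmt.Println(u, err)
	_, err = IssueURL("http://localhost", "root-uuid", "client", IssueOptions{Name: "my-client", RSABits: 1024})
	fmt.Println("1024-bit request rejected:", err)
}
```

`url.Values.Encode` sorts parameters by key, so the output is deterministic regardless of the order in which options were set.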
These endpoints are used to retrieve generated certificates and keys.
- Request: GET /ca/{root-uuid}/cert
- Response: {pem certificate data}

- Request: GET /ca/{root-uuid}/key
- Response: {pem key data}

- Request: GET /ca/{root-uuid}/client/{uuid}/cert
- Response: {pem certificate data}

- Request: GET /ca/{root-uuid}/client/{uuid}/key
- Response: {pem key data}
These endpoints can be used to revoke certificates and get the resulting CRL.
- Request: POST /ca/{root-uuid}/ca/{uuid}/revoke
- Response: "revoked"

- Request: POST /ca/{root-uuid}/server/{uuid}/revoke
- Response: "revoked"

- Request: POST /ca/{root-uuid}/client/{uuid}/revoke
- Response: "revoked"

- Request: GET /ca/{root-uuid}/crl
- Response: {pem crl data}
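The PEM data returned by the cert and crl endpoints only protects anything if the relying party actually checks it. As an added example that is not part of pkid, the Go code below verifies an issued certificate against its CA certificate and the CRL: chain, CRL signature, CRL freshness, then serial lookup. Because it runs offline, the `buildTestPKI` helper constructs stand-in CA, leaf and CRL data locally with crypto/x509 instead of fetching it from a pkid instance; that helper, its names and its serial numbers are constructed for the example and are not pkid output.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrRevoked is returned when the certificate's serial is listed in the CRL.
var ErrRevoked = errors.New("certificate is revoked")

// parseCert decodes the first CERTIFICATE block of a PEM document.
func parseCert(pemData []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM data")
	}
	return x509.ParseCertificate(block.Bytes)
}

// VerifyIssued checks a leaf (as returned by /ca/{root}/server/{uuid}/cert or
// the client variant) against the CA cert from /ca/{root}/cert and the CRL
// from /ca/{root}/crl, all as PEM. now is the evaluation time.
func VerifyIssued(leafPEM, caPEM, crlPEM []byte, now time.Time) error {
	leaf, err := parseCert(leafPEM)
	if err != nil {
		return fmt.Errorf("leaf: %w", err)
	}
	ca, err := parseCert(caPEM)
	if err != nil {
		return fmt.Errorf("ca: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// ExtKeyUsageAny so the same check serves client and server certificates.
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	block, _ := pem.Decode(crlPEM)
	if block == nil || block.Type != "X509 CRL" {
		return errors.New("crl: no X509 CRL block in PEM data")
	}
	crl, err := x509.ParseRevocationList(block.Bytes)
	if err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	// A CRL that is not signed by this CA, or that has expired, must not be trusted.
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return errors.New("crl: stale, NextUpdate has passed")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

// buildTestPKI constructs (assumption: stand-in data, not pkid output) a
// self-signed CA, one leaf with serial 2, and a CRL revoking the given serials.
func buildTestPKI(revoked []*big.Int, now time.Time) (leafPEM, caPEM, crlPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "my-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(8760 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "my-server"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(8760 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: entries,
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, caCert, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: crlDER}), nil
}

func main() {
	now := time.Now()
	leaf, ca, crl, _ := buildTestPKI(nil, now)
	fmt.Println("before revocation:", VerifyIssued(leaf, ca, crl, now))
	leaf, ca, crl, _ = buildTestPKI([]*big.Int{big.NewInt(2)}, now)
	fmt.Println("after revocation:", VerifyIssued(leaf, ca, crl, now))
}
```

The order of the checks matters: the CRL signature is verified before its contents are consulted, and a CRL past its NextUpdate is rejected outright rather than treated as "nothing revoked", since an attacker who can replay an old CRL would otherwise hide a revocation.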
These endpoints can be used to gather information about a specific CA.
- Request: GET /ca/{root-uuid}
- Response:
  {
    "Entity": {
      "ID": "{uuid}",
      "Name": "my-ca",
      "IsRevoked": false
    },
    "Revoked": [2,5,6],
    "CAs": {
      "{uuid}": "my-sub-ca"
    },
    "Clients": {
      "{uuid}": "my-client"
    },
    "Servers": {
      "{uuid}": "my-server"
    }
  }

- Request: GET /ca/{root-uuid}/ca
- Response:
  {
    "{uuid}": "my-sub-ca"
  }

- Request: GET /ca/{root-uuid}/client
- Response:
  {
    "{uuid}": "my-client"
  }

- Request: GET /ca/{root-uuid}/server
- Response:
  {
    "{uuid}": "my-server"
  }