forked from cloudflare/cfssl
-
Notifications
You must be signed in to change notification settings - Fork 0
/
gencert.go
165 lines (140 loc) · 4.22 KB
/
gencert.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
// Package gencert implements the gencert command.
package gencert
import (
"encoding/json"
"errors"
"github.com/cloudflare/cfssl/api/generator"
"github.com/cloudflare/cfssl/cli"
"github.com/cloudflare/cfssl/cli/genkey"
"github.com/cloudflare/cfssl/cli/sign"
"github.com/cloudflare/cfssl/csr"
"github.com/cloudflare/cfssl/initca"
"github.com/cloudflare/cfssl/log"
"github.com/cloudflare/cfssl/signer"
)
var gencertUsageText = `cfssl gencert -- generate a new key and signed certificate
Usage of gencert:
Generate a new key and cert from CSR:
cfssl gencert -initca CSRJSON
cfssl gencert -ca cert -ca-key key [-config config] [-profile profile] [-hostname hostname] CSRJSON
cfssl gencert -remote remote_host [-config config] [-profile profile] [-label label] [-hostname hostname] CSRJSON
Re-generate a CA cert with the CA key and CSR:
cfssl gencert -initca -ca-key key CSRJSON
Re-generate a CA cert with the CA key and certificate:
cfssl gencert -renewca -ca cert -ca-key key
Arguments:
CSRJSON: JSON file containing the request, use '-' for reading JSON from stdin
Flags:
`
var gencertFlags = []string{"initca", "remote", "ca", "ca-key", "config", "hostname", "profile", "label"}
func gencertMain(args []string, c cli.Config) error {
if c.RenewCA {
log.Infof("re-generate a CA certificate from CA cert and key")
cert, err := initca.RenewFromPEM(c.CAFile, c.CAKeyFile)
if err != nil {
log.Errorf("%v\n", err)
return err
}
cli.PrintCert(nil, nil, cert)
return nil
}
csrJSONFile, args, err := cli.PopFirstArgument(args)
if err != nil {
return err
}
if len(args) > 0 {
return errors.New("only one argument is accepted, please check with usage")
}
csrJSONFileBytes, err := cli.ReadStdin(csrJSONFile)
if err != nil {
return err
}
req := csr.CertificateRequest{
KeyRequest: csr.NewBasicKeyRequest(),
}
err = json.Unmarshal(csrJSONFileBytes, &req)
if err != nil {
return err
}
if c.CNOverride != "" {
req.CN = c.CNOverride
}
switch {
case c.IsCA:
var key, csrPEM, cert []byte
if c.CAKeyFile != "" {
log.Infof("re-generate a CA certificate from CSR and CA key")
cert, csrPEM, err = initca.NewFromPEM(&req, c.CAKeyFile)
if err != nil {
log.Errorf("%v\n", err)
return err
}
} else {
log.Infof("generating a new CA key and certificate from CSR")
cert, csrPEM, key, err = initca.New(&req)
if err != nil {
return err
}
}
cli.PrintCert(key, csrPEM, cert)
default:
if req.CA != nil {
err = errors.New("ca section only permitted in initca")
return err
}
if c.Hostname != "" {
req.Hosts = signer.SplitHosts(c.Hostname)
}
// Remote can be forced on the command line or in the config
if c.Remote == "" && c.CFG == nil {
if c.CAFile == "" {
log.Error("need a CA certificate (provide one with -ca)")
return nil
}
if c.CAKeyFile == "" {
log.Error("need a CA key (provide one with -ca-key)")
return nil
}
}
var key, csrBytes []byte
g := &csr.Generator{Validator: genkey.Validator}
csrBytes, key, err = g.ProcessRequest(&req)
if err != nil {
key = nil
return err
}
s, err := sign.SignerFromConfig(c)
if err != nil {
return err
}
var cert []byte
signReq := signer.SignRequest{
Request: string(csrBytes),
Hosts: signer.SplitHosts(c.Hostname),
Profile: c.Profile,
Label: c.Label,
}
if c.CRL != "" {
signReq.CRLOverride = c.CRL
}
cert, err = s.Sign(signReq)
if err != nil {
return err
}
// This follows the Baseline Requirements for the Issuance and
// Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser
// Forum (https://cabforum.org). Specifically, section 10.2.3 ("Information
// Requirements"), states:
//
// "Applicant information MUST include, but not be limited to, at least one
// Fully-Qualified Domain Name or IP address to be included in the Certificate’s
// SubjectAltName extension."
if len(signReq.Hosts) == 0 && len(req.Hosts) == 0 {
log.Warning(generator.CSRNoHostMessage)
}
cli.PrintCert(key, csrBytes, cert)
}
return nil
}
// Command assembles the definition of Command 'gencert'
var Command = &cli.Command{UsageText: gencertUsageText, Flags: gencertFlags, Main: gencertMain}