Created
July 30, 2019 04:24
svicknesh created this gist
Jul 30, 2019 .There are no files selected for viewing
@@ -0,0 +1,77 @@ // // createCertificateAuthority generates a certificate authority request ready to be signed // func (r *secretStore) createCertificateAuthority(names pkix.Name, expiration time.Duration, size int) (*caCertificate, error) { // step: generate a keypair keys, err := rsa.GenerateKey(rand.Reader, size) if err != nil { return nil, fmt.Errorf("unable to genarate private keys, error: %s", err) } val, err := asn1.Marshal(basicConstraints{true, 0}) if err != nil { return nil, err } // step: generate a csr template var csrTemplate = x509.CertificateRequest{ Subject: names, SignatureAlgorithm: x509.SHA512WithRSA, ExtraExtensions: []pkix.Extension{ { Id: asn1.ObjectIdentifier{2, 5, 29, 19}, Value: val, Critical: true, }, }, } // step: generate the csr request csrCertificate, err := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, keys) if err != nil { return nil, err } csr := pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE REQUEST", Bytes: csrCertificate, }) // step: generate a serial number serial, err := rand.Int(rand.Reader, (&big.Int{}).Exp(big.NewInt(2), big.NewInt(159), nil)) if err != nil { return nil, err } now := time.Now() // step: create the request template template := x509.Certificate{ SerialNumber: serial, Subject: names, NotBefore: now.Add(-10 * time.Minute).UTC(), NotAfter: now.Add(expiration).UTC(), BasicConstraintsValid: true, IsCA: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, } // step: sign the certificate authority certificate, err := x509.CreateCertificate(rand.Reader, &template, &template, &keys.PublicKey, keys) if err != nil { return nil, fmt.Errorf("failed to generate certificate, error: %s", err) } var request bytes.Buffer var privateKey bytes.Buffer if err := pem.Encode(&request, &pem.Block{Type: "CERTIFICATE", Bytes: certificate}); err != nil { return nil, err } if err := pem.Encode(&privateKey, 
&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(keys)}); err != nil { return nil, err } return &caCertificate{ privateKey: privateKey.String(), publicKey: request.String(), csr: string(csr), }, nil }
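Review bot: `size` flows straight into `rsa.GenerateKey(rand.Reader, size)` with no lower bound, so a caller or a bad default can mint a CA on a 512- or 1024-bit key and nothing in createCertificateAuthority refuses it; add `if size < 2048 { return nil, fmt.Errorf("rsa key size %d is below the 2048-bit minimum", size) }` before the keygen, and likewise reject `expiration <= 0`, which would issue a certificate that is already expired. The self-signed template also carries `ExtKeyUsage: {ServerAuth, ClientAuth}`; on a CA certificate that is unusual and, under Go's chain verification, limits the purposes any leaf chaining to it may assert — drop it unless that restriction is intended, and comment it if it is. Note too that the CSR's basicConstraints extension encodes `basicConstraints{true, 0}` (presumably cA=TRUE, pathLen=0 — the type is declared outside this hunk) while the certificate template sets neither `MaxPathLen` nor `MaxPathLenZero`, so the CSR and the self-signed cert disagree about path length; set `MaxPathLen: 0, MaxPathLenZero: true` on the template if pathLen 0 is the intent. Minor: wrap the two returned errors with `%w` instead of `%s` so callers can `errors.Is`/`errors.As` them, and fix the "genarate" typo in the keygen error.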