GitHub - johanbrandhorst/certify: Automatic client and server certificate distri...
source link: https://github.com/johanbrandhorst/certify
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
README.md
Certify
Certify allows easy automatic certificate distribution and maintenance.
Certificates are requested as TLS connections
are made, courtesy of the GetCertificate
and GetClientCertificate
tls.Config
hooks. Certificates are optionally cached. Simultaneous requests
are deduplicated to minimize pressure on issuers.
Issuers
Certify exposes an Issuer
interface which is used to allow switching
between issuer backends.
Currently implemented issuers:
- Vault PKI Secrets Engine
- Cloudflare CFSSL Certificate Authority
- AWS Certificate Manager Private Certificate Authority
Usage
Create an issuer:
issuer := &vault.Issuer{ URL: &url.URL{ Scheme: "https", Host: "my-local-vault-instance.com", }, Token: "myVaultToken", Role: "myVaultRole", }
Create a Certify:
c := &certify.Certify{ // Used when request client-side certificates and // added to SANs or IPSANs depending on format. CommonName: "MyServer.com", Issuer: issuer, // It is recommended to use a cache. Cache: certify.NewMemCache(), // It is recommended to set RenewBefore. // Refresh cached certificates when < 24H left before expiry. RenewBefore: 24*time.Hour, }
Use in your TLS Config:
tlsConfig := &tls.Config{ GetCertificate: c.GetCertificate, }
That's it! Both server-side and client-side certificates can be generated:
tlsConfig := &tls.Config{ GetClientCertificate: c.GetClientCertificate, }
For an end-to-end example using gRPC with mutual TLS authentication, see the Vault tests.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK