Certs - Add intermediate CA, CA rotation and CRL #17
| // The certificate is then stored in the repository using the CreateCert method. | ||
| // If the root CA is not found, it returns an error. | ||
| func (s *service) IssueCert(ctx context.Context, entityID, ttl string, ipAddrs []string) (string, error) { | ||
| func (s *service) IssueCert(ctx context.Context, entityID, ttl string, ipAddrs []string, options SubjectOptions) (string, error) { |
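Review bot: the doc comment above the signature still says the certificate is stored after signing and that an error is returned "if the root CA is not found", while the thread below settles on issuing leaves from the intermediate; the new `options SubjectOptions` parameter is also undocumented. Update the comment to name the CA that actually signs the leaf, list which `SubjectOptions` fields end up in the subject, and state whether `entityID` still sets the CN when `options` also supplies one, so callers cannot pass two conflicting subjects without knowing which wins.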
When issuing a certificate, ideally the user would pass a CSR and this would be used with the CA to create the certificate. Also, in which cases do you use the root CA and in which do you use the intermediate? Ideally, intermediate CAs would be used to distinguish organizations/workspaces.
I can add the CSR feature for the user when issuing certs. I can search on how it needs to be implemented.
From how I understood it, the root CA is generally not used to sign the users' certificates directly. So intermediate certs are normally used, signed with the root CA, and then they are used to issue client certificates.
Let's keep intermediate cert instead of root CA. @SammyOina Please re-review with this in mind, and @nyagamunene you can send another PR for CSR.
| newRootCA, err := s.generateRootCA(ctx) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| s.rootCA = newRootCA | ||
| newIntermediateCA, err := s.createIntermediateCA(ctx, newRootCA) | ||
| if err != nil { |
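Review bot: `s.rootCA = newRootCA` is assigned before `createIntermediateCA` has returned, so if the intermediate step fails the service is left holding a new root and the previous intermediate, which was signed by the old root and no longer chains to the root now in `s.rootCA`. Keep both in locals and assign `s.rootCA` and the intermediate together only after both calls succeed; if `IssueCert` can run concurrently with rotation, that two-field swap also needs to happen under the same lock `IssueCert` reads under, otherwise a caller can observe a root from one generation and an intermediate from another. Separately, following the thread above, generating a fresh root on every rotation defeats the longer root lifetime agreed there: rotate the intermediate under the existing root and re-generate the root only when the root itself is near expiry.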
How long does it take the intermediate CA to expire compared to the root CA?
As implemented right now they take the same time.
The root should be longer lasting than the intermediate.
Okay then let me implement that.
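As an added worked example, not code from this PR or the project it belongs to, the points raised in the two threads above in Go's standard library: a root CA that outlives its intermediate (the intermediate is refused a lifetime past the root's), a leaf issued from a requester's CSR and signed by the intermediate rather than the root, chain verification with the root as the only trust anchor, and a CRL signed by the issuing intermediate whose signature is checked before its contents are trusted. The lifetimes, the names `Root CA`, `Intermediate CA` and `device-1`, the IP SAN, and the helpers `newCA`, `makeCSR`, `issueFromCSR`, `verifyChain`, `revoke` and `isRevoked` are all assumptions for illustration; it goes slightly beyond the thread by also checking the CSR's proof-of-possession signature and pinning the intermediate to pathLen 0. It needs Go 1.19 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Illustrative lifetimes (assumed here, not the PR's values): root > intermediate > leaf.
const rootTTL, intermediateTTL, leafTTL = 10 * 365 * 24 * time.Hour, 2 * 365 * 24 * time.Hour, 24 * time.Hour

type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newSerial() *big.Int { // random 127-bit serial; +1 keeps it strictly positive
	s := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)))
	return s.Add(s, big.NewInt(1))
}

// newCA returns a self-signed root when parent is nil, otherwise an intermediate signed by
// parent with pathLen 0 (it cannot mint further CAs) and a lifetime no longer than its root's.
func newCA(cn string, ttl time.Duration, parent *ca) *ca {
	key, now := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), time.Now()
	if parent != nil && now.Add(ttl).After(parent.cert.NotAfter) {
		panic("intermediate must not outlive its root")
	}
	tmpl := &x509.Certificate{
		SerialNumber: newSerial(), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(ttl),
		IsCA: true, BasicConstraintsValid: true, MaxPathLenZero: parent != nil,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey))
	return &ca{cert: must(x509.ParseCertificate(der)), key: key}
}

// makeCSR is the requester side: only the CSR travels, the private key stays put.
func makeCSR(cn string, ips []net.IP) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, IPAddresses: ips}
	return must(x509.CreateCertificateRequest(rand.Reader, req, key))
}

// issueFromCSR is the CA side: check proof-of-possession, then sign with the intermediate,
// never the root. The CA, not the requester, decides the TTL and key usages.
func issueFromCSR(inter *ca, csrDER []byte, ttl time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature() // requester must hold the matching private key
	}
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: newSerial(), Subject: csr.Subject, IPAddresses: csr.IPAddresses,
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(ttl),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, inter.cert, csr.PublicKey, inter.key))
	return x509.ParseCertificate(der)
}

// verifyChain builds leaf -> intermediate -> root with the root as the only trust anchor.
func verifyChain(leaf *x509.Certificate, inter, root *ca) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.cert)
	inters.AddCert(inter.cert)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	_, err := leaf.Verify(opts)
	return err
}

// revoke issues a CRL signed by the issuing intermediate. Each entry needs the serial and
// a revocation time, so the store must record more than a revoked flag.
func revoke(issuer *ca, serial *big.Int, number int64) ([]byte, error) {
	now := time.Now()
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(number), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: now}},
	}, issuer.cert, issuer.key)
}

// isRevoked trusts the CRL only after its signature checks out against the issuer.
func isRevoked(crlDER []byte, issuer *x509.Certificate, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer)
	}
	if err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Two design points worth carrying into the PR: the requester's private key never reaches the CA (only the CSR does, and `CheckSignature` proves the requester holds it), and a CRL consumer must reject a list whose signature does not verify against the issuing CA, otherwise anyone can publish an empty CRL and un-revoke a certificate. `RevokedCertificates` is the older field kept here for Go 1.19/1.20 compatibility; on Go 1.21 and later `RevokedCertificateEntries` is the preferred one.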
8b93d43 to 2364a43
| revoked BOOLEAN, | ||
| expiry_time TIMESTAMP, | ||
| entity_id VARCHAR(36), | ||
| type INT, |
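Review bot: `revoked BOOLEAN` without `NOT NULL DEFAULT FALSE` admits NULL, so any CRL or lookup query has three states to reason about instead of two; and since a CRL entry must carry the revocation date for each serial (RFC 5280 section 5.1.2.6), a flag alone cannot populate the CRL, so add a nullable `revocation_time TIMESTAMP` (and optionally a reason code) next to it. `expiry_time TIMESTAMP` carries no time zone; use a timezone-aware type if the database offers one, or document that the column is UTC. `type INT` is a bare integer, so document the enumeration (root, intermediate, client, ...) beside the column or enforce it with a CHECK constraint, and add a comment that `entity_id VARCHAR(36)` holds a UUID if that is the intent.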
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
2364a43 to 554a554
What type of PR is this?
This is a feature because it adds the following functionality: an intermediate CA, CA rotation and a CRL.
What does this do?
It adds an intermediate CA, CA rotation and a CRL to improve the PKI.
Which issue(s) does this PR fix/relate to?
Have you included tests for your changes?
Yes
Did you document any new/modified features?
No
Notes