Skip to content

Commit

Permalink
Merge pull request #57 from karimra/rotate-dns-name
Browse files Browse the repository at this point in the history
add DNS name to CSR during rotation
  • Loading branch information
karimra authored May 18, 2023
2 parents a1b6b12 + 871bebb commit c0f4b8a
Show file tree
Hide file tree
Showing 2 changed files with 43 additions and 29 deletions.
34 changes: 18 additions & 16 deletions app/certInstall.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ func (a *App) InitCertInstallFlags(cmd *cobra.Command) {
cmd.Flags().StringVar(&a.Config.CertInstallCertificateID, "id", "", "Certificate ID")
cmd.Flags().StringVar(&a.Config.CertInstallKeyType, "key-type", "KT_RSA", "Key Type")
cmd.Flags().StringVar(&a.Config.CertInstallCertificateType, "cert-type", "CT_X509", "Certificate Type")
cmd.Flags().Uint32Var(&a.Config.CertInstallMinKeySize, "min-key-size", 1024, "Minimum Key Size")
cmd.Flags().Uint32Var(&a.Config.CertInstallMinKeySize, "min-key-size", 2048, "Minimum Key Size")
cmd.Flags().StringVar(&a.Config.CertInstallCommonName, "common-name", "", "CSR common name")
cmd.Flags().StringVar(&a.Config.CertInstallCountry, "country", "", "CSR country")
cmd.Flags().StringVar(&a.Config.CertInstallState, "state", "", "CSR state")
Expand Down Expand Up @@ -137,7 +137,6 @@ func (a *App) CertInstall(ctx context.Context, t *api.Target) error {
a.Config.CertInstallGenCSR = true
}
}

keyPair := new(cert.KeyPair)
var creq *x509.CertificateRequest

Expand Down Expand Up @@ -176,7 +175,7 @@ func (a *App) CertInstall(ctx context.Context, t *api.Target) error {
return err
}
a.Logger.Debugf("%q signed certificate:\n%s\n", t.Config.Address, sCertText)
// encode signed certifcate in PEM format
// encode signed certificate in PEM format
b, err := toPEM(signedCert)
if err != nil {
return fmt.Errorf("%q failed to encode as PEM: %v", t.Config.Address, err)
Expand Down Expand Up @@ -302,21 +301,24 @@ func (a *App) createRemoteCSRInstall(stream cert.CertificateManagement_InstallCl
if ipAddr == "" {
ipAddr = t.Config.ResolvedIP
}
csrParamsOpts := []gcert.CertOption{
gcert.CertificateType(a.Config.CertInstallCertificateType),
gcert.MinKeySize(a.Config.CertInstallMinKeySize),
gcert.KeyType(a.Config.CertInstallKeyType),
gcert.CommonName(commonName),
gcert.Country(a.Config.CertInstallCountry),
gcert.State(a.Config.CertInstallState),
gcert.City(a.Config.CertInstallCity),
gcert.Org(a.Config.CertInstallOrg),
gcert.OrgUnit(a.Config.CertInstallOrgUnit),
gcert.IPAddress(ipAddr),
}
if a.Config.CertInstallEmailID != "" {
csrParamsOpts = append(csrParamsOpts, gcert.EmailID(a.Config.CertInstallEmailID))
}
req, err := gcert.NewCertInstallGenerateCSRRequest(
gcert.CertificateID(a.Config.CertInstallCertificateID),
gcert.CSRParams(
gcert.CertificateType(a.Config.CertInstallCertificateType),
gcert.MinKeySize(a.Config.CertInstallMinKeySize),
gcert.KeyType(a.Config.CertInstallKeyType),
gcert.CommonName(commonName),
gcert.Country(a.Config.CertInstallCountry),
gcert.State(a.Config.CertInstallState),
gcert.City(a.Config.CertInstallCity),
gcert.Org(a.Config.CertInstallOrg),
gcert.OrgUnit(a.Config.CertInstallOrgUnit),
gcert.IPAddress(ipAddr),
gcert.EmailID(a.Config.CertInstallEmailID),
),
gcert.CSRParams(csrParamsOpts...),
)
if err != nil {
return nil, err
Expand Down
38 changes: 25 additions & 13 deletions app/certRotate.go
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,7 @@ func (a *App) RunECertRotate(cmd *cobra.Command, args []string) error {
ctx, cancel := context.WithCancel(a.ctx)
defer cancel()
ctx = metadata.AppendToOutgoingContext(ctx, "username", *t.Config.Username, "password", *t.Config.Password)

err = t.CreateGrpcClient(ctx, a.createBaseDialOpts()...)
if err != nil {
responseChan <- &TargetError{
Expand Down Expand Up @@ -133,6 +134,7 @@ func (a *App) CertRotate(ctx context.Context, t *api.Target) error {
a.Config.CertRotateGenCSR = true
}
}

keyPair := new(cert.KeyPair)
var creq *x509.CertificateRequest

Expand Down Expand Up @@ -163,6 +165,11 @@ func (a *App) CertRotate(ctx context.Context, t *api.Target) error {
if err != nil {
return fmt.Errorf("failed signing certificate: %v", err)
}
sCertText, err := CertificateText(signedCert, false)
if err != nil {
return err
}
a.Logger.Debugf("%q signed certificate:\n%s\n", t.Config.Address, sCertText)
b, err := toPEM(signedCert)
if err != nil {
return fmt.Errorf("failed toPEM: %v", err)
Expand Down Expand Up @@ -267,6 +274,7 @@ func (a *App) createLocalCSRRotate(t *api.Target) (*cert.KeyPair, *x509.Certific
EmailAddresses: []string{a.Config.CertRotateEmailID},
SignatureAlgorithm: x509.SHA256WithRSA,
IPAddresses: make([]net.IP, 0),
DNSNames: []string{commonName},
}

if ipAddrs != nil {
Expand Down Expand Up @@ -300,21 +308,25 @@ func (a *App) createRemoteCSRRotate(stream cert.CertificateManagement_RotateClie
if ipAddr == "" {
ipAddr = t.Config.ResolvedIP
}
csrParamsOpts := []gcert.CertOption{
gcert.CertificateType(a.Config.CertRotateCertificateType),
gcert.MinKeySize(a.Config.CertRotateMinKeySize),
gcert.KeyType(a.Config.CertRotateKeyType),
gcert.CommonName(commonName),
gcert.Country(a.Config.CertRotateCountry),
gcert.State(a.Config.CertRotateState),
gcert.City(a.Config.CertRotateCity),
gcert.Org(a.Config.CertRotateOrg),
gcert.OrgUnit(a.Config.CertRotateOrgUnit),
gcert.IPAddress(ipAddr),
}
if a.Config.CertRotateEmailID != "" {
csrParamsOpts = append(csrParamsOpts, gcert.EmailID(a.Config.CertRotateEmailID))
}

req, err := gcert.NewCertRotateGenerateCSRRequest(
gcert.CertificateID(a.Config.CertRotateCertificateID),
gcert.CSRParams(
gcert.CertificateType(a.Config.CertRotateCertificateType),
gcert.MinKeySize(a.Config.CertRotateMinKeySize),
gcert.KeyType(a.Config.CertRotateKeyType),
gcert.CommonName(commonName),
gcert.Country(a.Config.CertRotateCountry),
gcert.State(a.Config.CertRotateState),
gcert.City(a.Config.CertRotateCity),
gcert.Org(a.Config.CertRotateOrg),
gcert.OrgUnit(a.Config.CertRotateOrgUnit),
gcert.IPAddress(ipAddr),
gcert.EmailID(a.Config.CertRotateEmailID),
),
gcert.CSRParams(csrParamsOpts...),
)
if err != nil {
return nil, err
Expand Down

0 comments on commit c0f4b8a

Please sign in to comment.