This library contains a simple client interface for:
- Generating auth tokens
- Creating Certificate Authorities and Intermediate Certificate Authorities
- Creating In Memory Key/Cert pairs
- Generating a tls.Config used for all mTLS HTTPS client/server configs
The config for the client library is driven either by environment variables or by a configuration file stored at /etc/simplepki.yml, /etc/simplepki.yaml, or $HOME/.simplepki.
The global variables are needed for all client operations:
- Account to generate certificate authorities, intermediate authorities, and certificates under.
- Endpoint serving the SimplePKI API/Lambdas.
- JWT token that provides authorization for a specified account to generate certificate authorities, intermediate authorities, and certificates.
- Name of the certificate authority to create.
- Name of the certificate authority to sign the intermediate authority.
- Name of the intermediate authority to create.
- Name of the desired chain to sign the certificate with. For example, say a certificate authority *ImACA* exists, as does an intermediate authority *ImAInter*, and we wish to have the certificate *ImACert* signed by the chain formed by the two authorities. This value would then be `ImACA/ImAInter`.
- Name/ID to include in the certificate's identifying URI. From the chain example above, this value would be `ImACert`.
- Subject Alternative Names to be added to the certificate.
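The in-memory CA, the signed key/cert pair carrying the chain and ID in a URI SAN plus the space-separated SAN list, and the mTLS `tls.Config` from the feature list, as an added example written for this README on Go's standard library. It is not the SimplePKI client's own code: the `simplepki://` URI scheme, the function names, the 24-hour validity and the P-256 key type are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// issue generates a fresh P-256 key for tmpl and has parent sign it, or self-signs
// when parent is nil. A random 128-bit serial keeps serials unique per issuer; the
// 24-hour validity is an assumption for this example. Leaf is set on the result.
func issue(tmpl *x509.Certificate, parent *tls.Certificate) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return tls.Certificate{}, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	parentCert, parentKey := tmpl, interface{}(key)
	if parent != nil {
		parentCert, parentKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// newCA creates a self-signed certificate authority in memory.
func newCA(name string) (tls.Certificate, error) {
	return issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil)
}

// newLeaf issues an end-entity certificate under signer. chain and id go into a URI
// SAN ("simplepki://" is a placeholder scheme); sans is the space-separated SAN list.
func newLeaf(signer tls.Certificate, chain, id, sans string) (tls.Certificate, error) {
	uri, err := url.Parse("simplepki://" + chain + "/" + id)
	if err != nil {
		return tls.Certificate{}, err
	}
	return issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: id},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:        []*url.URL{uri},
		DNSNames:    strings.Fields(sans),
	}, &signer)
}

// verifyLeaf checks that leaf chains to root; a leaf from any other issuer fails.
func verifyLeaf(root, leaf *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

// mtlsServerConfig presents leaf and requires every client to chain to root.
func mtlsServerConfig(root *x509.Certificate, leaf tls.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{leaf},
		ClientCAs:    pool,
		ClientAuth:   tls.RequireAndVerifyClientCert,
	}
}

func main() {
	ca, err := newCA("ImACA")
	if err != nil {
		panic(err)
	}
	leaf, err := newLeaf(ca, "ImACA", "ImACert", "localhost example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("URI:", leaf.Leaf.URIs[0], "chains to CA:", verifyLeaf(ca.Leaf, leaf.Leaf) == nil)
	_ = mtlsServerConfig(ca.Leaf, leaf) // hand this to http.Server{TLSConfig: ...}
}
```

The returned config refuses any client that presents no certificate or one not signed by the CA, which is the property the mTLS feature above relies on. One caveat: `strings.Fields` places every SAN entry in `DNSNames`, so an IP entry such as the `127.0.0.1` in the config example below would need to be parsed with `net.ParseIP` and put in `IPAddresses` instead; that split is left out here to keep the example short.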
- Resource to use for generating auth tokens. Currently only supports calling an AWS Lambda by ARN.
- Glob matching string that delegates which chains/certificates can be generated. For instance:
  - A prefix _*_ will allow any certificate authority, intermediate authority, and certificate to be generated for a given account.
  - A prefix _thisca/*_ will allow any intermediate authority and certificate to be signed by/created from the CA chain with the root certificate authority _thisca_.
  - A prefix _thisca/thisinter/*_ will allow any further intermediate authority or certificate to be created from that chain.
- Time-to-live in hours for the generated token.
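A matcher for the glob shapes listed above (`*`, `<ca>/*`, `<ca>/<inter>/*`), as an added example written for this README; it is not the library's own matcher. It compares whole chain components so that `thisca/*` cannot be satisfied by `thisca2/inter`, and it rejects empty or `..` components before the prefix test. The allowed component character set and the rule that `thisca/*` covers descendants of `thisca` but not the root CA itself are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// segment is the character set assumed for one chain component (CA, intermediate
// or certificate name); the library's real naming rules are not described above.
var segment = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)

// validateChain checks a rootCA/interCA/... path: no empty components and no
// "." or "..", so path tricks cannot slip past the prefix comparison.
func validateChain(chain string) error {
	for _, s := range strings.Split(chain, "/") {
		if s == "." || s == ".." || !segment.MatchString(s) {
			return fmt.Errorf("invalid chain component %q in %q", s, chain)
		}
	}
	return nil
}

// chainAllowed reports whether glob permits generating under chain. "*" grants
// everything; "<prefix>/*" grants strict descendants of prefix, matched on whole
// components: "thisca/*" grants "thisca/inter" but neither "thisca2/inter" nor
// "thisca" itself. Any other glob shape is rejected rather than guessed at.
func chainAllowed(glob, chain string) (bool, error) {
	if err := validateChain(chain); err != nil {
		return false, err
	}
	if glob == "*" {
		return true, nil
	}
	if !strings.HasSuffix(glob, "/*") {
		return false, fmt.Errorf("unsupported glob %q: expected \"*\" or \"<prefix>/*\"", glob)
	}
	prefix := strings.TrimSuffix(glob, "/*")
	if err := validateChain(prefix); err != nil {
		return false, fmt.Errorf("bad glob %q: %w", glob, err)
	}
	return strings.HasPrefix(chain, prefix+"/"), nil
}

func main() {
	// Constructed sample requests covering the three shapes described above.
	cases := [][2]string{
		{"*", "anyca/cert"},
		{"thisca/*", "thisca/inter/cert"},
		{"thisca/*", "thisca2/inter"},
		{"thisca/thisinter/*", "thisca/other/cert"},
		{"thisca/*", "thisca/../other"},
	}
	for _, c := range cases {
		ok, err := chainAllowed(c[0], c[1])
		fmt.Printf("%-22s %-22s allowed=%v err=%v\n", c[0], c[1], ok, err)
	}
}
```

The component-boundary check is the part worth keeping whatever matcher is used: a plain `strings.HasPrefix(chain, "thisca")` would let an account limited to `thisca/*` mint certificates under a CA named `thisca2`.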
As of now, token generation is done by directly running a Lambda. This allows for IAM permissions to be used and greatly simplifies this piece.
The client will look for a configuration file in the paths /etc/simplepki.*, $HOME/.simplepki, ~/simplepki.* and can be written in JSON, YAML, INI, or as an ENV file as described by viper.
All config file variables are identical to those above but without the SIMPLEPKI_ prefix.
```yaml
account: "account name as a string value"
endpoint: "endpoint url as a string value"
token: "token as a string value"
certificate_authority: "name of the certificate authority to create, or of the one that signs the intermediate, as a string"
intermediate_certificate_authority: "name of intermediate authority to create as a string"
chain: "full path (rootCA/interCA/interCA...) of the chain to sign the cert with as a string"
id: "id of service/client generating the certificate as a string"
subj_alt_names: "a space separated list of SANs values as a string" # "localhost 127.0.0.1 example.com"
```