mtls

package
v0.0.0-...-889f6eb Latest Latest
Published: May 1, 2026 License: MIT Imports: 10 Imported by: 0

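// Command is the "mTLS" subcommand. It generates a self-contained PKI for
// mutual TLS — a CA certificate, a server certificate/key pair and a client
// certificate/key pair — and writes all five files into the directory named
// by the --output flag. The CA private key is never persisted, so the bundle
// cannot be extended later; rotation means regenerating the whole bundle.
//
// The Action returns a wrapped error from the first step that fails. The
// "successfully generated" summary is printed only after every artifact has
// been written, so a failure mid-way does not leave a misleading success line
// above the error.
var Command = &cli.Command{
	Name:        "mTLS",
	Aliases:     []string{"t"},
	Usage:       "Create certificates needed for mTLS (mutual TLS)",
	Description: "Generates a complete mTLS certificate bundle for secure client-server authentication (wss://) over untrusted networks. This command creates a self-contained PKI with: a CA certificate (ca.crt), server certificate and key (server.crt, server.key) with serverAuth EKU, and client certificate and key (client.crt, client.key) with clientAuth EKU. The CA private key is NOT persisted, ensuring no additional certificates can be issued later. To rotate certificates, regenerate the entire bundle. For trusted networks or VPNs, plain WebSocket (ws://) without TLS is acceptable.",
	Flags: []cli.Flag{
		&cli.StringFlag{
			Name:     "output",
			Aliases:  []string{"o"},
			Usage:    "Output directory for certificates (default: current directory)",
			Value:    ".",
			OnlyOnce: true,
		},
	},
	// Action generates the three key pairs in memory first, then persists them.
	// ctx is accepted to satisfy the cli.Command action signature; nothing in
	// this body is cancellable. Returns nil on success, otherwise an error
	// wrapping the underlying failure.
	Action: func(ctx context.Context, cmd *cli.Command) error {
		// A single reference time keeps the CA, server and client validity
		// windows consistent with each other.
		refTime := time.Now()

		caDER, caPriv, err := protocol.GenerateCA(refTime)
		if err != nil {
			return fmt.Errorf("failed to generate CA certificate/key pair: %w", err)
		}

		serverDER, serverPriv, err := protocol.GenerateServer(refTime, caDER, caPriv)
		if err != nil {
			return fmt.Errorf("failed to generate server certificate/key pair: %w", err)
		}

		clientDER, clientPriv, err := protocol.GenerateClient(refTime, caDER, caPriv)
		if err != nil {
			return fmt.Errorf("failed to generate client certificate/key pair: %w", err)
		}

		outDir := cmd.String("output")
		// 0755 is the directory mode the command has always used; the modes of
		// the private-key files themselves are chosen by writePrivateKey,
		// which is defined elsewhere in this package — confirm there that key
		// files are not group/world readable.
		if err := os.MkdirAll(outDir, 0755); err != nil {
			return fmt.Errorf("failed to create output directory %q: %w", outDir, err)
		}

		// Each artifact: the label printed on success (padded so the colons
		// line up), the noun used in the error message, and the writer that
		// persists it and returns the resulting path.
		steps := []struct {
			label string
			desc  string
			write func() (string, error)
		}{
			{"    CA certificate", "CA certificate", func() (string, error) { return writeCertificate(outDir, "ca", caDER) }},
			{"Server certificate", "server certificate", func() (string, error) { return writeCertificate(outDir, "server", serverDER) }},
			{"Server private key", "server private key", func() (string, error) { return writePrivateKey(outDir, "server", serverPriv) }},
			{"Client certificate", "client certificate", func() (string, error) { return writeCertificate(outDir, "client", clientDER) }},
			{"Client private key", "client private key", func() (string, error) { return writePrivateKey(outDir, "client", clientPriv) }},
		}

		// Buffer the per-file lines so nothing is announced until every write
		// has succeeded.
		lines := make([]string, 0, len(steps))
		for _, s := range steps {
			path, err := s.write()
			if err != nil {
				return fmt.Errorf("failed to write %s: %w", s.desc, err)
			}
			lines = append(lines, fmt.Sprintf("\t%s: %s\n", s.label, path))
		}

		fmt.Println("mTLS certificates successfully generated:")
		for _, l := range lines {
			fmt.Print(l)
		}
		return nil
	},
}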
