const (
// PrivateKeyBlockType is a possible value for pem.Block.Type.
PrivateKeyBlockType = "PRIVATE KEY"
// PublicKeyBlockType is a possible value for pem.Block.Type.
PublicKeyBlockType = "PUBLIC KEY"
// CertificateBlockType is a possible value for pem.Block.Type.
CertificateBlockType = "CERTIFICATE"
// RSAPrivateKeyBlockType is a possible value for pem.Block.Type.
RSAPrivateKeyBlockType = "RSA PRIVATE KEY"
)
NewPrivateKey returns a new private key.
var NewPrivateKey = GeneratePrivateKey
func CSROrKeyExist(csrDir, name string) bool
CSROrKeyExist returns true if one of the CSR or key exists
func CertOrKeyExist(pkiPath, name string) bool
CertOrKeyExist returns a boolean whether the cert or the key exists
func CertificateRequestFromFile(file string) (*x509.CertificateRequest, error)
CertificateRequestFromFile returns the CertificateRequest from a given PEM-encoded file. Returns an error if the file could not be read or if the CSR could not be parsed.
func EncodeCSRPEM(csr *x509.CertificateRequest) []byte
EncodeCSRPEM returns PEM-encoded CSR data
func EncodeCertBundlePEM(certs []*x509.Certificate) ([]byte, error)
EncodeCertBundlePEM returns PEM-endcoded certificate bundle
func EncodeCertPEM(cert *x509.Certificate) []byte
EncodeCertPEM returns PEM-endcoded certificate data
func EncodePublicKeyPEM(key crypto.PublicKey) ([]byte, error)
EncodePublicKeyPEM returns PEM-encoded public data
func GeneratePrivateKey(keyType kubeadmapi.EncryptionAlgorithmType) (crypto.Signer, error)
GeneratePrivateKey is the default function for generating private keys.
func GetAPIServerAltNames(cfg *kubeadmapi.InitConfiguration) (*certutil.AltNames, error)
GetAPIServerAltNames builds an AltNames object for to be used when generating apiserver certificate
func GetEtcdAltNames(cfg *kubeadmapi.InitConfiguration) (*certutil.AltNames, error)
GetEtcdAltNames builds an AltNames object for generating the etcd server certificate. `advertise address` and localhost are included in the SAN since this is the interfaces the etcd static pod listens on. The user can override the listen address with `Etcd.ExtraArgs` and add SANs with `Etcd.ServerCertSANs`.
func GetEtcdPeerAltNames(cfg *kubeadmapi.InitConfiguration) (*certutil.AltNames, error)
GetEtcdPeerAltNames builds an AltNames object for generating the etcd peer certificate. Hostname and `API.AdvertiseAddress` are included if the user chooses to promote the single node etcd cluster into a multi-node one (stacked etcd). The user can override the listen address with `Etcd.ExtraArgs` and add SANs with `Etcd.PeerCertSANs`.
func HasServerAuth(cert *x509.Certificate) bool
HasServerAuth returns true if the given certificate is a ServerAuth
func NewCSR(cfg CertConfig, key crypto.Signer) (*x509.CertificateRequest, error)
NewCSR creates a new CSR
func NewCSRAndKey(config *CertConfig) (*x509.CertificateRequest, crypto.Signer, error)
NewCSRAndKey generates a new key and CSR and that could be signed to create the given certificate
func NewCertAndKey(caCert *x509.Certificate, caKey crypto.Signer, config *CertConfig) (*x509.Certificate, crypto.Signer, error)
NewCertAndKey creates new certificate and key by passing the certificate authority certificate and key
func NewCertificateAuthority(config *CertConfig) (*x509.Certificate, crypto.Signer, error)
NewCertificateAuthority creates new certificate and private key for the certificate authority
func NewIntermediateCertificateAuthority(parentCert *x509.Certificate, parentKey crypto.Signer, config *CertConfig) (*x509.Certificate, crypto.Signer, error)
NewIntermediateCertificateAuthority creates new certificate and private key for an intermediate certificate authority
func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool) (*x509.Certificate, error)
NewSignedCert creates a signed certificate using the given CA certificate and key
func PathsForCertAndKey(pkiPath, name string) (string, string)
PathsForCertAndKey returns the paths for the certificate and key given the path and basename.
func RemoveDuplicateAltNames(altNames *certutil.AltNames)
RemoveDuplicateAltNames removes duplicate items in altNames.
func TryLoadCSRFromDisk(pkiPath, name string) (*x509.CertificateRequest, error)
TryLoadCSRFromDisk tries to load the CSR from the disk
func TryLoadCertAndKeyFromDisk(pkiPath, name string) (*x509.Certificate, crypto.Signer, error)
TryLoadCertAndKeyFromDisk tries to load a cert and a key from the disk and validates that they are valid
func TryLoadCertChainFromDisk(pkiPath, name string) (*x509.Certificate, []*x509.Certificate, error)
TryLoadCertChainFromDisk tries to load the cert chain from the disk
func TryLoadCertFromDisk(pkiPath, name string) (*x509.Certificate, error)
TryLoadCertFromDisk tries to load the cert from the disk
func TryLoadKeyFromDisk(pkiPath, name string) (crypto.Signer, error)
TryLoadKeyFromDisk tries to load the key from the disk and validates that it is valid
func TryLoadPrivatePublicKeyFromDisk(pkiPath, name string) (crypto.PrivateKey, crypto.PublicKey, error)
TryLoadPrivatePublicKeyFromDisk tries to load the key from the disk and validates that it is valid
func ValidateCertPeriod(cert *x509.Certificate, offset time.Duration) error
ValidateCertPeriod checks if the certificate is valid relative to the current time (+/- offset)
func VerifyCertChain(cert *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) error
VerifyCertChain verifies that a certificate has a valid chain of intermediate CAs back to the root CA
func WriteCSR(csrDir, name string, csr *x509.CertificateRequest) error
WriteCSR writes the pem-encoded CSR data to csrPath. The CSR file will be created with file mode 0600. If the CSR file already exists, it will be overwritten. The parent directory of the csrPath will be created as needed with file mode 0700.
func WriteCert(pkiPath, name string, cert *x509.Certificate) error
WriteCert stores the given certificate at the given location
func WriteCertAndKey(pkiPath string, name string, cert *x509.Certificate, key crypto.Signer) error
WriteCertAndKey stores certificate and key at the specified location
func WriteCertBundle(pkiPath, name string, certs []*x509.Certificate) error
WriteCertBundle stores the given certificate bundle at the given location
func WriteKey(pkiPath, name string, key crypto.Signer) error
WriteKey stores the given key at the given location
func WritePublicKey(pkiPath, name string, key crypto.PublicKey) error
WritePublicKey stores the given public key at the given location
CertConfig is a wrapper around certutil.Config extending it with EncryptionAlgorithm.
type CertConfig struct {
certutil.Config
NotAfter *time.Time
EncryptionAlgorithm kubeadmapi.EncryptionAlgorithmType
}