git » debian:kxd » master » tree

[master] / kxgencert / kxgencert.go 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
// Utility to generate self-signed certificates.
// It generates a self-signed x509 certificate and key pair.
package main

import (
	crand "crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"flag"
	"fmt"
	"math/big"
	"net"
	"os"
	"strings"
	"time"
)

var (
	host = flag.String("host", "*",
		"Hostnames/IPs to generate the certificate for (comma separated)")
	validFor = flag.Duration("validfor", 24*time.Hour*365*10,
		"How long will the certificate be valid for (default: 10y)")
	orgName = flag.String("organization", "",
		"Organization to use in the certificate, useful for debugging")

	certPath = flag.String("cert", "cert.pem",
		"Where to write the generated certificate")
	keyPath = flag.String("key", "key.pem",
		"Where to write the generated key")
)

func fatalf(f string, a ...interface{}) {
	fmt.Printf(f, a...)
	os.Exit(1)
}

func main() {
	flag.Parse()

	// Build the certificate template.
	serial, err := crand.Int(crand.Reader, big.NewInt(1<<62))
	if err != nil {
		fatalf("Error generating serial number: %v\n", err)
	}
	tmpl := x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{Organization: []string{*orgName}},

		NotBefore: time.Now(),
		NotAfter:  time.Now().Add(*validFor),

		KeyUsage: x509.KeyUsageKeyEncipherment |
			x509.KeyUsageDigitalSignature |
			x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},

		BasicConstraintsValid: true,
	}

	hosts := strings.Split(*host, ",")
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}

	// Generate a private key (RSA 2048).
	privK, err := rsa.GenerateKey(crand.Reader, 2048)
	if err != nil {
		fatalf("Error generating key: %v\n", err)
	}

	// Write the certificate.
	{
		derBytes, err := x509.CreateCertificate(
			crand.Reader, &tmpl, &tmpl, &privK.PublicKey, privK)
		if err != nil {
			fatalf("Failed to create certificate: %v\n", err)
		}

		fullchain, err := os.Create(*certPath)
		if err != nil {
			fatalf("Failed to open %q: %v\n", *certPath, err)
		}
		pem.Encode(fullchain, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
		fullchain.Close()
	}

	// Write the private key.
	{
		privkey, err := os.Create(*keyPath)
		if err != nil {
			fatalf("failed to open %q: %v\n", *keyPath, err)
		}
		block := &pem.Block{Type: "RSA PRIVATE KEY",
			Bytes: x509.MarshalPKCS1PrivateKey(privK)}
		pem.Encode(privkey, block)
		privkey.Close()
	}
}