// CreateGenericCRL is a helper function that takes in all of the information above, and then calls the createCRL
// function. This outputs the bytes of the created CRL.
func CreateGenericCRL(certList []pkix.RevokedCertificate, key crypto.Signer, issuingCert *x509.Certificate, expiryTime time.Time) ([]byte, error) {
crlBytes, err := issuingCert.CreateCRL(rand.Reader, key, certList, time.Now(), expiryTime)
if err != nil {
log.Debug("error creating CRL: %s", err)
}
return crlBytes, err
}
// CreateCRL creates a signed X.509 certificate list for revoked certificates.
func (s *Signer) CreateCRL(cert *x509.Certificate, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) ([]byte, error) {
if cert == nil {
return nil, newError("Missing issuing certificate required to create CRL.")
}
return cert.CreateCRL(rand.Reader, s.ec, revokedCerts, now, expiry)
}
func (crtkit *CertKit) GenerateCA(subject pkix.Name, host, email string, listenport ...string) error {
var e error
var derBytes []byte
var crlurl string
// var ecBytes []byte
// priv, err := ecdsa.GenerateKey(elliptic.P521(),rand.Reader)
priv, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return errors.New(fmt.Sprintf("failed to generate private key: %s", err))
}
notBefore := time.Now()
serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
if err != nil {
return errors.New(fmt.Sprintf("failed to generate serial number: %s", err))
}
if host == "" {
host, _ = os.Hostname()
}
if len(listenport) == 0 {
crlurl = "http://" + host + "/rootCA.crl"
} else {
crlurl = "http://" + host + ":" + listenport[0] + "/rootCA.crl"
}
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: subject,
IsCA: true,
SubjectKeyId: []byte(fmt.Sprintf("%s", priv.PublicKey.N)),
AuthorityKeyId: []byte(fmt.Sprintf("%s", priv.PublicKey.N)),
NotBefore: notBefore,
NotAfter: notBefore.Add(365 * 20 * 24 * time.Hour),
DNSNames: []string{host, strings.Split(host, ".")[0]},
PolicyIdentifiers: []asn1.ObjectIdentifier{[]int{2, 16, 76, 1, 1, 0}}, // Policy: 2.16.76.1.1.0 CPS: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
CRLDistributionPoints: []string{crlurl},
KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
BasicConstraintsValid: true,
}
crtkit.CAKey = priv
crtkit.CACert = &template
derBytes, e = x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
if e != nil {
return errors.New(fmt.Sprintf("Failed to create certificate: %s", e))
}
crtkit.CACertPem = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
// ecBytes, e = x509.MarshalECPrivateKey(priv)
// if err != nil {
// return errors.New(fmt.Sprintf("Failed to Marshal ECDSA Private Key: %s", e))
// }
// crtkit.CAKeyPem = pem.EncodeToMemory(&pem.Block{Type: "ECDSA PRIVATE KEY", Bytes: ecBytes})
crtkit.CAKeyPem = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
derBytes, e = template.CreateCRL(rand.Reader, priv, []pkix.RevokedCertificate{}, time.Now(), time.Now().Add(time.Hour*24*30))
if e != nil {
return errors.New(fmt.Sprintf("Failed to create CRL: %s", e))
}
crtkit.CACRL = derBytes
return nil
}