Categorygithub.com/edgexr/edge-cloud-platformpkgtls
package
1.2.5
Repository: https://github.com/edgexr/edge-cloud-platform.git
Documentation: pkg.go.dev
Overview
Versions
1
Dependencies
9
Dependents
13
Files
149 SLOC

# README

TLS certs can be generated here with certstrap.

Both client and server certs must be signed by the private Certificate Authority mex-ca.crt

Generating CA File: $ certstrap init --common-name mex-ca Enter passphrase (empty for no passphrase): Enter same passphrase again: Created out/mex-ca.key Created out/mex-ca.crt Created out/mex-ca.crl

The CA file can be re-used for every deployment. It is included for every server and client.

Generating Server Certs:

Domain based, can be wildcard or FQDN: $ certstrap request-cert --domain dme.xyz.mobiledgex.net Enter passphrase (empty for no passphrase): Enter same passphrase again:

Created out/dme.xyz.mobiledgex.net.key Created out/dme.xyz.mobiledgex.net.csr

$ certstrap sign --CA mex-ca dme.xyz.mobiledgex.net $ certstrap sign --CA mex-ca dme.xyx.mobiledgex.net

Created out/dme.xyz.mobiledgex.net.crt from out/dme.xyx.mobiledgex.net.csr signed by out/mex-ca.key

The DME can now be run with --tls ./out/dme.xyz.mobiledgex.net.crt

IP address based:

$ certstrap request-cert --ip 127.0.0.1,0.0.0.0 Enter passphrase (empty for no passphrase): Enter same passphrase again: Created out/127.0.0.1.key Created out/127.0.0.1.csr

$ certstrap sign --CA mex-ca 127.0.0.1

The DME can now be run with --tls ./out/127.0.0.1.crt

Server certs must be generated for every IP or domain through which clients will access.

Generating Client Certs:

Client certs can be shared for all clients.

$ certstrap request-cert --domain mex-client

Enter passphrase (empty for no passphrase): Enter same passphrase again:

Created out/mex-client.key Created out/mex-client.csr

$ certstrap sign --CA mex-ca mex-client Created out/mex-client.crt from out/mex-client.csr signed by out/mex-ca.key

Running DME example: dme-server --tls ./out/dme.xyz.mobiledgex.net.crt 2018-08-19T22:09:57.386-0500 INFO dme-server/dme-notify.go:36 notify client to {"addrs": "127.0.0.1:50001"} Loading certfile ./out/dme.xyz.mobiledgex.net.crt cafile out/mex-ca.crt keyfile ./out/dme.xyz.mobiledgex.net.key

Running edgectl client example: $ edgectl --addr dme.xyz.mobiledgex.net:50051 dme RegisterClient --tls ./out/mex-client.crt
using TLS credentials server dme.xyz.mobiledgex.net certfile ./out/mex-client.crt keyFile ./out/mex-client.key status: ME_SUCCESS sessioncookie: "***"

# Functions

GetClientCertPool gets the system cert pool for all the trusted CA certs and then appends the caCertFile.
No description provided by the author
No description provided by the author
No description provided by the author
GetTLSClientConfig builds client side TLS configuration.
GetTLSClientDialOption gets GRPC options needed for TLS connection.
Utility function that checks for E2ETEST_TLS env var.
ServerAuthServerCreds gets grpc credentials for the server for server-side authentication.

# Constants

LocalTLSCertsDir contains certs generated by gen-test-certs.sh for local testing use.
No description provided by the author
No description provided by the author
No description provided by the author

# Type aliases

No description provided by the author