# Functions
BuildCAFromFile reads and parses a CA and its associated private key from files under path.
BuildCAFromSecret parses the given secret into a CA.
CAInternalSecretName returns the name of the internal secret containing the CA certs and keys.
CanReuseCA returns true if the given CA is valid for reuse.
CertificateWatchKey returns the key used by the dynamic watch registration for custom http certificates.
CertIsValid returns true if the given cert is valid, according to a safety time margin.
EncodePEMCert encodes the given certificate blocks as a PEM certificate.
EncodePEMPrivateKey encodes the given private key in the PEM format.
GetCompatiblePrivateKey returns a PEM encoded private key iff the CA and the key have the same underlying type.
GetPrimaryCertificate returns the primary certificate (i.e.
HTTPCertSecretVolume returns a SecretVolume to hold the HTTP certs for the given resource.
MarshalToSubjectAlternativeNamesData marshals the provided General Names to a valid value for an X509 SAN extension.
NewCA returns a ca with the given private key and cert.
NewPrivateKey generates a new private key using the same implementation as the CA.
NewSelfSignedCA creates a self-signed CA according to the given options.
ParseCustomCASecret checks that mandatory fields are present and returns a CA struct.
ParsePEMCerts returns a list of certificates from the given PEM certs data. It is based on the code of x509.CertPool.AppendCertsFromPEM (https://golang.org/src/crypto/x509/cert_pool.go). We don't rely on x509.CertPool.AppendCertsFromPEM directly here since it returns an interface from which we cannot extract the actual certificates if we need to compare them.
ParsePEMPrivateKey parses the given private key in the PEM format. ErrEncryptedPrivateKey is returned as an error if the private key is encrypted.
ParseSANGeneralNamesOtherNamesOnly parses the X509 Subject Alternative Names extension of an X509 certificate and returns a list of GeneralName entries.
PrivateMatchesPublicKey returns true if the public and private keys correspond to each other.
PublicCertsHasCACert returns true if an Elastic resource has a CA (ca.crt) in its public HTTP certs secret given its namer, namespace and name.
PublicCertsSecretRef returns the NamespacedName for the Secret containing the publicly available HTTP CA.
ReconcileCAForOwner ensures that a CA exists for the given owner and CAType, and returns it.
ReconcileCustomCertWatch takes a SecretRef and either creates or removes a dynamic watch for watchKey depending on whether secretRef is empty or not.
ShouldRotateIn computes the duration after which a certificate rotation should be scheduled in order for the cert to be rotated before it expires.
# Constants
CAFileName is used for the CA Certificates inside a secret.
CAKeyFileName is used for the CA certificate's private key inside a secret.
CertFileName is used for Certificates inside a secret.
DefaultCertValidity makes new certificates default to a 1-year expiration.
DefaultRotateBefore defines how long before expiration a certificate should be re-issued.
HTTPCAType is the CA used for HTTP certificates.
KeyFileName is used for Private Keys inside a secret.
TransportCAType is the CA used for ES transport certificates.
# Variables
CommonNameObjectIdentifier is the OID for a CommonName field in x509.
SerialNumberLimit is the maximum number used as a certificate serial number.
SubjectAlternativeNamesObjectIdentifier is the OID for the Subject Alternative Name x509 extension.
# Structs
CA is a simple certificate authority.
CABuilderOptions are options to build a self-signed CA.
GeneralName is a partially modelled GeneralName from RFC 5280, Section 4.2.1.6. The RFC defines the Subject Alternative Names value as follows:

```asn1
id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }

SubjectAltName ::= GeneralNames

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

GeneralName ::= CHOICE {
    otherName                 [0] OtherName,
    rfc822Name                [1] IA5String,
    dNSName                   [2] IA5String,
    x400Address               [3] ORAddress,
    directoryName             [4] Name,
    ediPartyName              [5] EDIPartyName,
    uniformResourceIdentifier [6] IA5String,
    iPAddress                 [7] OCTET STRING,
    registeredID              [8] OBJECT IDENTIFIER }

OtherName ::= SEQUENCE {
    type-id  OBJECT IDENTIFIER,
    value    [0] EXPLICIT ANY DEFINED BY type-id }
```

OtherName is used in Elasticsearch certificates as the node names, and is what is compared to the allowed subjects in the trust_restrictions file (if configured) when doing certificate validation between ES nodes.
OtherName is a record that contains custom data.
RotationParams defines validity and a safety margin for certificate rotation.
UTF8StringValuedOtherName is a concrete OtherValue where the Value is a UTF-8 string.
# Type aliases
CAType is a type of CA.
ValidatedCertificateTemplate is a type alias used to convey that the certificate template has been validated and should be considered trusted.