in xds/credentials/certgenerate/generate_cert.go [332:399]
func genCertTemplateFromOptions(options CertOptions) (*x509.Certificate, error) {
var keyUsage x509.KeyUsage
if options.IsCA {
// If the cert is a CA cert, the private key is allowed to sign other certificates.
keyUsage = x509.KeyUsageCertSign
} else {
// Otherwise the private key is allowed for digital signature and key encipherment.
keyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
}
extKeyUsages := []x509.ExtKeyUsage{}
if options.IsServer {
extKeyUsages = append(extKeyUsages, x509.ExtKeyUsageServerAuth)
}
if options.IsClient {
extKeyUsages = append(extKeyUsages, x509.ExtKeyUsageClientAuth)
}
notBefore := time.Now()
if !options.NotBefore.IsZero() {
notBefore = options.NotBefore
}
serialNum, err := genSerialNum()
if err != nil {
return nil, err
}
subject := pkix.Name{
Organization: []string{options.Org},
}
exts := []pkix.Extension{}
if h := options.Host; len(h) > 0 {
s, err := BuildSubjectAltNameExtension(h)
if err != nil {
return nil, err
}
if options.IsDualUse {
cn, err := DualUseCommonName(h)
if err != nil {
// logger and continue
logger.Errorf("dual-use failed for cert template - omitting CN (%v)", err)
} else {
subject.CommonName = cn
}
}
exts = []pkix.Extension{*s}
}
dnsNames := strings.Split(options.DNSNames, ",")
if len(dnsNames[0]) == 0 {
dnsNames = nil
}
return &x509.Certificate{
SerialNumber: serialNum,
Subject: subject,
NotBefore: notBefore,
NotAfter: notBefore.Add(options.TTL),
KeyUsage: keyUsage,
ExtKeyUsage: extKeyUsages,
IsCA: options.IsCA,
BasicConstraintsValid: true,
ExtraExtensions: exts,
DNSNames: dnsNames,
}, nil
}