in goalresolvers/goal_resolver.go [76:124]
// generateCertificates mints a fresh self-signed CA and a CA-issued server
// certificate/key pair through g.certOperator and returns their PEM encodings.
//
// Both certificates share the same NotBefore, which is pushed back by
// certificates.ClockSkewDuration (presumably so slightly skewed validators
// accept them right away — confirm against the constant's definition).
// Lifetimes come from config.AppConfig.CaValidityYears and
// config.AppConfig.ServerValidityYears, counted from the same UTC instant.
//
// On an operator failure the error is logged and the operator's RawError is
// returned alongside an empty CertificateData; the *error is nil on success.
//
// NOTE(review): the CA template carries KeyEncipherment and a DNSNames SAN,
// and the server leaf carries ExtKeyUsageClientAuth — check whether every
// consumer needs those; a CertSign-only CA and a ServerAuth-only leaf is the
// narrower, least-privilege shape for a webhook if nothing depends on them.
func (g *webhookTlsManagerGoalResolver) generateCertificates(ctx context.Context) (*CertificateData, *error) {
	logger := log.MustGetLogger(ctx)

	issuedAt := time.Now().UTC()
	validFrom := issuedAt.Add(-certificates.ClockSkewDuration)
	caName := utils.CACertificateCommonName()

	// Self-signed root; CertSign is what lets it issue the server leaf below.
	caTemplate := &x509.Certificate{
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             validFrom,
		NotAfter:              issuedAt.AddDate(config.AppConfig.CaValidityYears, 0, 0),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign,
		IsCA:                  true,
		DNSNames:              []string{caName},
	}
	caCert, caCertPem, caKey, caKeyPem, opErr := g.certOperator.CreateSelfSignedCertificateKeyPair(ctx, caTemplate)
	if opErr != nil {
		logger.Errorf(ctx, "generateCertificates generate ca certs and key failed: %s", opErr.Error())
		return &CertificateData{}, &opErr.RawError
	}

	serverName := utils.ServerCertificateCommonName()
	// Leaf issued by the CA just created; Issuer mirrors the CA's subject.
	serverTemplate := &x509.Certificate{
		Subject:               pkix.Name{CommonName: serverName},
		Issuer:                pkix.Name{CommonName: caName},
		NotBefore:             validFrom,
		NotAfter:              issuedAt.AddDate(config.AppConfig.ServerValidityYears, 0, 0),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  false,
		DNSNames:              []string{serverName},
	}
	serverCertPem, serverKeyPem, opErr := g.certOperator.CreateCertificateKeyPair(ctx, serverTemplate, caCert, caKey)
	if opErr != nil {
		logger.Errorf(ctx, "generateCertificates generate server certs and key failed: %s", opErr.Error())
		return &CertificateData{}, &opErr.RawError
	}

	logger.Info(ctx, "new cert generated")

	bundle := &CertificateData{
		CaCertPem:     []byte(caCertPem),
		CaKeyPem:      []byte(caKeyPem),
		ServerCertPem: []byte(serverCertPem),
		ServerKeyPem:  []byte(serverKeyPem),
	}
	return bundle, nil
}