Kyle Havlovitz
5c7fbc284d
connect/ca: hash the consul provider ID and include isRoot
2018-09-12 13:44:15 -07:00
Kyle Havlovitz
c112a72880
connect/ca: some cleanup and reorganizing of the new methods
2018-09-11 16:43:04 -07:00
Kyle Havlovitz
546bdf8663
connect/ca: add Configure/GenerateRoot to provider interface
2018-09-06 19:18:59 -07:00
Siva Prasad
288d350a73
Revert "CA initialization while boostrapping and TestLeader_ChangeServerID fix." ( #4497 )
...
* Revert "BUGFIX: Unit test relying on WaitForLeader() did not work due to wrong test (#4472 )"
This reverts commit cec5d72396
.
* Revert "CA initialization while boostrapping and TestLeader_ChangeServerID fix. (#4493 )"
This reverts commit 589b589b53
.
2018-08-07 08:29:48 -04:00
Siva Prasad
589b589b53
CA initialization while boostrapping and TestLeader_ChangeServerID fix. ( #4493 )
...
* connect: fix an issue with Consul CA bootstrapping being interrupted
* streamline change server id test
2018-08-06 16:15:24 -04:00
Kyle Havlovitz
f67a4d59c0
connect/ca: simplify passing of leaf cert TTL
2018-07-25 17:51:45 -07:00
Kyle Havlovitz
ce10de036e
connect/ca: check LeafCertTTL when rotating expired roots
2018-07-20 16:04:04 -07:00
Kyle Havlovitz
d6ca015a42
connect/ca: add configurable leaf cert TTL
2018-07-16 13:33:37 -07:00
Matt Keeler
677d6dac80
Remove x509 name constraints
...
These were only added as SPIFFE intends to use the in the future but currently does not mandate their usage due to patch support in common TLS implementations and some ambiguity over how to use them with URI SAN certificates. We included them because until now everything seem fine with it, however we've found the latest version of `openssl` (1.1.0h) fails to validate our certificats if its enabled. LibreSSL as installed on OS X by default doesn’t have these issues. For now it's most compatible not to have them and later we can find ways to add constraints with wider compatibility testing.
2018-06-25 12:26:10 -07:00
Kyle Havlovitz
8c2c9705d9
connect/ca: use weak type decoding in the Vault config parsing
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
050da22473
connect/ca: undo the interface changes and use sign-self-issued in Vault
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
914d9e5e20
connect/ca: add leaf verify check to cross-signing tests
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
bc997688e3
connect/ca: update Consul provider to use new cross-sign CSR method
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
8a70ea64a6
connect/ca: update Vault provider to add cross-signing methods
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
6a2fc00997
connect/ca: add URI SAN support to the Vault provider
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
226a59215d
connect/ca: fix vault provider URI SANs and test
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
1a8ac686b2
connect/ca: add the Vault CA provider
2018-06-25 12:25:41 -07:00
Paul Banks
51fc48e8a6
Sign certificates valid from 1 minute earlier to avoid failures caused by clock drift
2018-06-25 12:25:41 -07:00
Paul Banks
e514570dfa
Actually return Intermediate certificates bundled with a leaf!
2018-06-25 12:25:40 -07:00
Kyle Havlovitz
ab4a9a94f4
Re-use uint8ToString
2018-06-14 09:42:23 -07:00
Kyle Havlovitz
5683d628c4
Support giving the duration as a string in CA config
2018-06-14 09:42:22 -07:00
Paul Banks
b4803eca59
Generate CSR using real trust-domain
2018-06-14 09:42:16 -07:00
Paul Banks
c1f2025d96
Return TrustDomain from CARoots RPC
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
e00088e8ee
Rename some of the CA structs/files
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
627aa80d5a
Use provider state table for a global serial index
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
988510f53c
Add test for ca config http endpoint
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
de72834b8c
Move connect CA provider to separate package
2018-06-14 09:42:15 -07:00