ca: add some godoc and func for finding leaf signing cert
This will be used in a follow up commit.
parent
48954adfdc
commit
963a9819d0
|
@ -1149,10 +1149,8 @@ func (c *CAManager) RenewIntermediate(ctx context.Context, isPrimary bool) error
|
||||||
|
|
||||||
// If this is the primary, check if this is a provider that uses an intermediate cert. If
|
// If this is the primary, check if this is a provider that uses an intermediate cert. If
|
||||||
// it isn't, we don't need to check for a renewal.
|
// it isn't, we don't need to check for a renewal.
|
||||||
if isPrimary {
|
if isPrimary && !primaryUsesIntermediate(provider) {
|
||||||
if _, ok := provider.(ca.PrimaryUsesIntermediate); !ok {
|
return nil
|
||||||
return nil
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
activeIntermediate, err := provider.ActiveIntermediate()
|
activeIntermediate, err := provider.ActiveIntermediate()
|
||||||
|
@ -1536,3 +1534,16 @@ func (c *CAManager) checkExpired(pem string) error {
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func primaryUsesIntermediate(provider ca.Provider) bool {
|
||||||
|
_, ok := provider.(ca.PrimaryUsesIntermediate)
|
||||||
|
return ok
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *CAManager) isIntermediateUsedToSignLeaf() bool {
|
||||||
|
if c.serverConf.Datacenter != c.serverConf.PrimaryDatacenter {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
provider, _ := c.getCAProvider()
|
||||||
|
return primaryUsesIntermediate(provider)
|
||||||
|
}
|
|
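Review bot: `isIntermediateUsedToSignLeaf` drops the second return value of `c.getCAProvider()` and then relies on the comma-ok type assertion in `primaryUsesIntermediate`, so a not-yet-initialized (nil) provider silently reports false, i.e. "the root signs leaves" — for a helper whose stated purpose is picking the leaf-signing cert, that is the failure mode most likely to be wrong in the primary datacenter, and the caller has no way to tell it apart from a genuine root-signing provider. What that discarded second value is cannot be seen from this hunk; in the follow-up that uses this function, consider either checking `provider == nil` explicitly (and logging or returning an error) or documenting the default. Neither new function carries godoc despite the commit title; suggest `// primaryUsesIntermediate reports whether provider signs leaf certificates with an intermediate CA rather than its root.` and, for the method, `// isIntermediateUsedToSignLeaf reports whether leaf certs in this datacenter are signed by an intermediate: always in a secondary DC, and in the primary only when the provider implements ca.PrimaryUsesIntermediate; a nil provider reports false.`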
@ -86,11 +86,20 @@ type CARoot struct {
|
||||||
NotBefore time.Time
|
NotBefore time.Time
|
||||||
NotAfter time.Time
|
NotAfter time.Time
|
||||||
|
|
||||||
// RootCert is the PEM-encoded public certificate.
|
// RootCert is the PEM-encoded public certificate for the root CA. The
|
||||||
|
// certificate is the same for all federated clusters.
|
||||||
RootCert string
|
RootCert string
|
||||||
|
|
||||||
// IntermediateCerts is a list of PEM-encoded intermediate certs to
|
// IntermediateCerts is a list of PEM-encoded intermediate certs to
|
||||||
// attach to any leaf certs signed by this CA.
|
// attach to any leaf certs signed by this CA. The list may include a
|
||||||
|
// certificate cross-signed by an old root CA, any subordinate CAs below the
|
||||||
|
// root CA, and the intermediate CA used to sign leaf certificates in the
|
||||||
|
// local Datacenter.
|
||||||
|
//
|
||||||
|
// If the provider which created this root uses an intermediate to sign
|
||||||
|
// leaf certificates (Vault provider), or this is a secondary Datacenter then
|
||||||
|
// the intermediate used to sign leaf certificates will be the last in the
|
||||||
|
// list.
|
||||||
IntermediateCerts []string
|
IntermediateCerts []string
|
||||||
|
|
||||||
// SigningCert is the PEM-encoded signing certificate and SigningKey
|
// SigningCert is the PEM-encoded signing certificate and SigningKey
|
||||||
|
|
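Review bot: The new `IntermediateCerts` doc introduces a positional invariant — the leaf-signing intermediate is the last element — but only for the Vault-provider / secondary-datacenter case, leaving unstated what signs leaves otherwise and whether the list may then be empty; since the helper added in this same commit presumably selects a signer from this ordering, a consumer indexing `len(list)-1` needs that complementary case spelled out. Suggest appending `// Otherwise leaf certificates are signed directly by the root and this list may be empty; consumers must not index it unconditionally.`, hedged if the producing side does not guarantee it. Naming the concrete provider ("Vault provider") in a struct comment will go stale as providers change; referring to the `ca.PrimaryUsesIntermediate` interface that the code actually checks keeps the doc tied to the real contract. The rest of the `CARoot` definition continues outside this hunk.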