ca: add some godoc and func for finding leaf signing cert
This will be used in a follow up commit.
This commit is contained in:
parent
48954adfdc
commit
963a9819d0
|
@ -1149,10 +1149,8 @@ func (c *CAManager) RenewIntermediate(ctx context.Context, isPrimary bool) error
|
|||
|
||||
// If this is the primary, check if this is a provider that uses an intermediate cert. If
|
||||
// it isn't, we don't need to check for a renewal.
|
||||
if isPrimary {
|
||||
if _, ok := provider.(ca.PrimaryUsesIntermediate); !ok {
|
||||
return nil
|
||||
}
|
||||
if isPrimary && !primaryUsesIntermediate(provider) {
|
||||
return nil
|
||||
}
|
||||
|
||||
activeIntermediate, err := provider.ActiveIntermediate()
|
||||
|
@ -1536,3 +1534,16 @@ func (c *CAManager) checkExpired(pem string) error {
|
|||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func primaryUsesIntermediate(provider ca.Provider) bool {
|
||||
_, ok := provider.(ca.PrimaryUsesIntermediate)
|
||||
return ok
|
||||
}
|
||||
|
||||
func (c *CAManager) isIntermediateUsedToSignLeaf() bool {
|
||||
if c.serverConf.Datacenter != c.serverConf.PrimaryDatacenter {
|
||||
return true
|
||||
}
|
||||
provider, _ := c.getCAProvider()
|
||||
return primaryUsesIntermediate(provider)
|
||||
}
|
|
@ -86,11 +86,20 @@ type CARoot struct {
|
|||
NotBefore time.Time
|
||||
NotAfter time.Time
|
||||
|
||||
// RootCert is the PEM-encoded public certificate.
|
||||
// RootCert is the PEM-encoded public certificate for the root CA. The
|
||||
// certificate is the same for all federated clusters.
|
||||
RootCert string
|
||||
|
||||
// IntermediateCerts is a list of PEM-encoded intermediate certs to
|
||||
// attach to any leaf certs signed by this CA.
|
||||
// attach to any leaf certs signed by this CA. The list may include a
|
||||
// certificate cross-signed by an old root CA, any subordinate CAs below the
|
||||
// root CA, and the intermediate CA used to sign leaf certificates in the
|
||||
// local Datacenter.
|
||||
//
|
||||
// If the provider which created this root uses an intermediate to sign
|
||||
// leaf certificates (Vault provider), or this is a secondary Datacenter then
|
||||
// the intermediate used to sign leaf certificates will be the last in the
|
||||
// list.
|
||||
IntermediateCerts []string
|
||||
|
||||
// SigningCert is the PEM-encoded signing certificate and SigningKey
|
||||
|
|
Loading…
Reference in New Issue