ca: update godoc

To clarify what to expect from the data stored in this field, and the
behaviour of this function.
Daniel Nephin 2021-11-25 13:24:35 -05:00
parent abac8baa5d
commit 7121c78d34
2 changed files with 22 additions and 11 deletions


@ -602,10 +602,12 @@ func (c *CAManager) getLeafSigningCertFromRoot(root *structs.CARoot) string {
return root.IntermediateCerts[len(root.IntermediateCerts)-1] return root.IntermediateCerts[len(root.IntermediateCerts)-1]
} }
// secondaryInitializeIntermediateCA runs the routine for generating an intermediate CA CSR and getting // secondaryInitializeIntermediateCA generates a Certificate Signing Request (CSR)
// it signed by the primary DC if the root CA of the primary DC has changed since the last // for the intermediate CA that is used to sign leaf certificates in the secondary.
// intermediate. It should only be called while the state lock is held by setting the state // The CSR is signed by the primary DC and then persisted in the state store.
// to non-ready. //
// This method should only be called while the state lock is held by setting the
// state to non-ready.
func (c *CAManager) secondaryInitializeIntermediateCA(provider ca.Provider, config *structs.CAConfiguration) error { func (c *CAManager) secondaryInitializeIntermediateCA(provider ca.Provider, config *structs.CAConfiguration) error {
activeIntermediate, err := provider.ActiveIntermediate() activeIntermediate, err := provider.ActiveIntermediate()
if err != nil { if err != nil {
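Review bot: The second sentence of the new comment on secondaryInitializeIntermediateCA reads as though the CSR itself is persisted, whereas what would be stored after signing is the resulting intermediate certificate; suggest `// The CSR is signed by the primary DC and the resulting intermediate certificate is persisted in the state store.` The old comment also stated that this routine runs only when the primary's root CA has changed since the last intermediate, a precondition the new text drops; if that condition still applies it is worth keeping, since callers rely on it to avoid requesting a fresh intermediate on every pass. The body of secondaryInitializeIntermediateCA continues outside the hunk, so neither claim can be checked here.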


@ -76,9 +76,14 @@ type CARoot struct {
// SerialNumber is the x509 serial number of the certificate. // SerialNumber is the x509 serial number of the certificate.
SerialNumber uint64 SerialNumber uint64
// SigningKeyID is the ID of the public key that corresponds to the private // SigningKeyID is the connect.HexString encoded id of the public key that
// key used to sign leaf certificates. Is is the HexString format of the // corresponds to the private key used to sign leaf certificates in the
// raw AuthorityKeyID bytes. // local datacenter.
//
// The value comes from x509.Certificate.SubjectKeyId of the local leaf
// signing cert.
//
// See https://www.rfc-editor.org/rfc/rfc3280#section-4.2.1.1 for more detail.
SigningKeyID string SigningKeyID string
// ExternalTrustDomain is the trust domain this root was generated under. It // ExternalTrustDomain is the trust domain this root was generated under. It
@ -192,10 +197,14 @@ type IssuedCert struct {
// This is encoded in standard hex separated by :. // This is encoded in standard hex separated by :.
SerialNumber string SerialNumber string
// CertPEM and PrivateKeyPEM are the PEM-encoded certificate and private // CertPEM is a PEM encoded bundle of a leaf certificate, optionally followed
// key for that cert, respectively. This should not be stored in the // by one or more intermediate certificates that will form a chain of trust
// state store, but is present in the sign API response. // back to a root CA.
//
// This field is not persisted in the state store, but is present in the
// sign API response.
CertPEM string `json:",omitempty"` CertPEM string `json:",omitempty"`
// PrivateKeyPEM is the PEM encoded private key associated with CertPEM.
PrivateKeyPEM string `json:",omitempty"` PrivateKeyPEM string `json:",omitempty"`
// Service is the name of the service for which the cert was issued. // Service is the name of the service for which the cert was issued.
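Review bot: The new PrivateKeyPEM comment drops the caveat the old shared comment carried, that the value is not stored in the state store, and that caveat now appears only on CertPEM; for the private key it matters more than for the certificate, so suggest `// PrivateKeyPEM is the PEM encoded private key associated with CertPEM. Like CertPEM it is not persisted in the state store and is only present in the sign API response.` Separately, the SigningKeyID comment links RFC 3280, which is obsoleted by RFC 5280, and section 4.2.1.1 in both documents describes the Authority Key Identifier, while the text now talks about SubjectKeyId (section 4.2.1.2); pointing at RFC 5280 and naming both extensions would make the relationship explicit. Since the CertPEM comment says the intermediates are optional, it may also be worth stating that consumers must not assume the bundle forms a complete chain and still need to validate it against the configured roots.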