gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 13:41:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(M39): IIS target connector + README overhaul

Browse Source 
Implement full IIS target connector with PEM-to-PFX conversion via
go-pkcs12, PowerShell-based deployment (Import-PfxCertificate, IIS
binding management), SHA-1 thumbprint computation, and SNI support.
Injectable PowerShellExecutor interface enables cross-platform testing.
Regex-validated config fields prevent PowerShell injection. 28 tests.

Restructure README from 563 to 313 lines: outcome-focused feature
descriptions, "Who Is This For" persona section, examples promoted
above the fold, configuration/API/security reference moved to docs.
All numbers verified against repo (25 GUI pages, 97 OpenAPI ops,
CI thresholds service 55%/handler 60%/domain 40%/middleware 30%).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
shankar0123
2026-04-02 20:27:27 -04:00
parent adfb682754
commit 8b52da6aef
6 changed files with 1594 additions and 434 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+87 -335
View File
@@ -14,7 +14,7 @@
TLS certificate lifespans are shrinking fast. The CA/Browser Forum passed [Ballot SC-081v3](https://cabforum.org/2025/04/11/ballot-sc081v3-introduce-schedule-of-reducing-validity-and-data-reuse-periods/) unanimously in April 2025, setting a phased reduction: **200 days** by March 2026, **100 days** by March 2027, and **47 days** by March 2029. Organizations managing dozens or hundreds of certificates can no longer rely on spreadsheets, calendar reminders, or manual renewal workflows. The math doesn't work — at 47-day lifespans, a team managing 100 certificates is processing 7+ renewals per week, every week, forever.
certctl is a self-hosted platform that automates the entire certificate lifecycle — from issuance through renewal to deployment — with zero human intervention. It works with any certificate authority, deploys to any server, and keeps private keys on your infrastructure where they belong.
certctl is a self-hosted platform that automates the entire certificate lifecycle — from issuance through renewal to deployment — with zero human intervention. It works with any certificate authority, deploys to any server, and keeps private keys on your infrastructure where they belong. It's free, self-hosted, and covers the same lifecycle that enterprise platforms charge $100K+/year for.
```mermaid
gantt
@@ -36,53 +36,41 @@ gantt
47 days :crit, 2020-01-01, 47d
```
## Documentation
| Guide | Description |
|-------|-------------|
| [Why certctl?](docs/why-certctl.md) | Competitive positioning — how certctl compares to open-source and enterprise certificate management platforms |
| [Concepts](docs/concepts.md) | TLS certificates explained from scratch — for beginners who know nothing about certs |
| [Quick Start](docs/quickstart.md) | Get running in 5 minutes — dashboard, API, CLI, discovery, stakeholder demo flow |
| [Advanced Demo](docs/demo-advanced.md) | Issue a certificate end-to-end with technical deep-dives |
| [Architecture](docs/architecture.md) | System design, data flow diagrams, security model |
| [Feature Inventory](docs/features.md) | Complete reference of all V2 capabilities, API endpoints, and configuration |
| [Connectors](docs/connectors.md) | Build custom issuer, target, and notifier connectors |
| [Compliance Mapping](docs/compliance.md) | SOC 2 Type II, PCI-DSS 4.0, NIST SP 800-57 alignment guides |
| [Migrate from Certbot](docs/migrate-from-certbot.md) | Step-by-step migration from Certbot/Let's Encrypt cron jobs |
| [Migrate from acme.sh](docs/migrate-from-acmesh.md) | Migration guide for acme.sh users with DNS-01 scripts |
| [certctl for cert-manager Users](docs/certctl-for-cert-manager-users.md) | Using certctl alongside cert-manager for non-Kubernetes infrastructure |
> **Next release:** v2.1.0 will be tagged after the full V2 feature suite passes manual QA across all 34 sections of the [testing guide](docs/testing-guide.md). Automated CI (1,300+ Go tests + 211 frontend tests) gates every commit; the manual playbook covers integration, deployment, and UX verification that unit tests can't reach.
> **Actively maintained — shipping weekly.** Found something? [Open a GitHub issue](https://github.com/shankar0123/certctl/issues) — issues get triaged same-day. CI runs 1,500+ tests with race detection, static analysis, and vulnerability scanning on every commit.
## Why certctl Exists
Certificate lifecycle tooling today falls into two camps: expensive enterprise platforms (Venafi, Keyfactor, Sectigo) that cost six figures and take months to deploy, or single-purpose tools (cert-manager, certbot) that handle one slice of the problem. If you run a mixed infrastructure — some NGINX, some Apache, a few HAProxy nodes, maybe an F5 — and you need to manage certificates from multiple CAs, there's nothing self-hosted that covers the full lifecycle without vendor lock-in.
Certificate lifecycle tooling today falls into two camps: expensive enterprise platforms (Venafi, Keyfactor, Sectigo) that cost six figures and take months to deploy, or single-purpose tools (cert-manager, certbot) that handle one slice of the problem. If you run a mixed infrastructure — some NGINX, some Apache, a few HAProxy nodes, IIS on Windows, maybe an F5 — and you need to manage certificates from multiple CAs, there's nothing self-hosted that covers the full lifecycle without vendor lock-in.
certctl fills that gap. It's **CA-agnostic** the issuer connector interface means you can plug in any certificate authority: a self-signed local CA for dev, Let's Encrypt via ACME for public certs, Smallstep step-ca for your private PKI, your enterprise ADCS via sub-CA mode, or any custom CA through a shell script adapter. You're never locked to a single CA vendor, and you can run multiple issuers simultaneously for different certificate types.
certctl fills that gap. It's **CA-agnostic** — plug in any certificate authority: Let's Encrypt via ACME, Smallstep step-ca, HashiCorp Vault PKI, DigiCert CertCentral, your enterprise ADCS via sub-CA mode, or any custom CA through a shell script adapter. Run multiple issuers simultaneously for different certificate types.
It's also **target-agnostic**. Agents deploy certificates to NGINX, Apache, HAProxy, Traefik, and Caddy — all using the same pluggable connector model for any server that accepts cert files. The control plane never initiates outbound connections — agents poll for work, which means certctl works behind firewalls, across network zones, and in air-gapped environments.
It's **target-agnostic**. Agents deploy certificates to NGINX, Apache, HAProxy, Traefik, Caddy, and IIS — all using the same pluggable connector model. The control plane never initiates outbound connections — agents poll for work, which means certctl works behind firewalls, across network zones, and in air-gapped environments.
For a detailed comparison with CertKit, KeyTalk, and enterprise platforms (Venafi, Keyfactor), see [Why certctl?](docs/why-certctl.md)
For a detailed comparison with CertKit, KeyTalk, and enterprise platforms, see [Why certctl?](docs/why-certctl.md)
## Who Is This For
**Platform engineering and DevOps teams** managing 10500+ certificates across mixed infrastructure who need automated renewal, deployment, and a single dashboard for visibility. If you're currently running certbot cron jobs, manually renewing certs, or stitching together scripts — certctl replaces all of that.
**Security and compliance teams** who need an immutable audit trail, certificate ownership tracking, policy enforcement, and evidence for SOC 2, PCI-DSS 4.0, or NIST SP 800-57 audits.
**Small teams without enterprise budgets** who need the lifecycle automation that Venafi and Keyfactor provide but can't justify six-figure licensing for a 50-server environment.
## What It Does
certctl gives you a single pane of glass for every TLS certificate in your organization:
- **Certificates renew and deploy themselves.** The scheduler monitors expiration, creates renewal jobs, issues certificates through your CA, and deploys them to target servers — all without human intervention. ACME ARI (RFC 9702) lets your CA tell certctl exactly when to renew.
- **Web dashboard** 24 operational pages: certificate inventory, deployment timeline with TLS verification, bulk operations (renew/revoke/reassign), discovery triage, network scan management, approval workflows, audit trail with CSV/JSON export, agent fleet overview with OS/arch grouping, short-lived credential monitoring, digest email preview
- **REST API** — 97 endpoints under `/api/v1/` + `/.well-known/est/` for complete automation, with sparse fields, sort, cursor pagination, and time-range filters
- **Agents** — generate private keys locally (ECDSA P-256), discover existing certs on disk (PEM/DER), submit CSRs only (private keys never leave your servers)
- **Network scanner** — discovers certificates on TLS endpoints across CIDR ranges without requiring agents, concurrent scanning with configurable timeouts
- **Certificate export** — PEM (JSON or file download) and PKCS#12 formats, with audit trail; private keys never included
- **S/MIME + EKU support** — issue certificates with emailProtection, codeSigning, timeStamping, clientAuth EKUs; email SAN routing for S/MIME
- **EST server** (RFC 7030) — device and WiFi certificate enrollment via industry-standard protocol
- **Post-deployment verification** — agent-side TLS probe confirms the target serves the correct certificate by SHA-256 fingerprint match
- **Approval workflows** — require human sign-off on renewals before deployment
- **Background scheduler** — 7 automated loops: renewal checks, job processing, agent health, notifications, short-lived cert expiry, network scanning, and scheduled certificate digest emails
- **ACME Renewal Information (ARI, RFC 9702)** — CA-directed renewal timing; certctl asks the CA when to renew instead of using fixed thresholds
- **Scheduled certificate digest emails** — HTML digest with certificate stats, expiration timeline, and job health; optional daily briefing via SMTP
- **Helm chart** — Production-ready Kubernetes deployment with server, PostgreSQL, and agent DaemonSet
- **You see everything in one place.** A 25-page operational dashboard shows every certificate across every server: status, ownership, expiration timeline, deployment history with TLS verification, discovery triage, and real-time agent fleet health. Bulk operations (renew, revoke, reassign) work across selections.
For the full capability breakdown — revocation infrastructure, policy engine, observability, EST enrollment, and more — see the [Feature Inventory](docs/features.md).
- **Private keys never leave your servers.** Agents generate ECDSA P-256 keys locally and submit only the CSR. The control plane never touches private keys. Post-deployment TLS verification confirms the right certificate is actually being served.
- **Discover what you don't know about.** Agents scan filesystems for existing PEM/DER certificates. The network scanner probes TLS endpoints across CIDR ranges without requiring agents. Both feed into a triage workflow where you claim, dismiss, or import discovered certificates.
- **Everything is auditable.** Immutable append-only audit trail records every lifecycle action, every API call, and every approval decision. Certificate digest emails deliver daily briefings. Prometheus metrics endpoint for Grafana dashboards.
- **Multiple interfaces for different workflows.** REST API (97 endpoints) for automation, CLI for scripting, MCP server for AI assistants (Claude, Cursor, Windsurf), EST server (RFC 7030) for device enrollment, Helm chart for Kubernetes, and the web dashboard for day-to-day operations.
For the full capability breakdown — revocation infrastructure (CRL + OCSP), policy engine, certificate profiles, S/MIME support, approval workflows, and more — see the [Feature Inventory](docs/features.md).
## Supported Integrations
@@ -109,8 +97,8 @@ For the full capability breakdown — revocation infrastructure, policy engine,
| HAProxy | Implemented | `HAProxy` |
| Traefik | Implemented | `Traefik` |
| Caddy | Implemented | `Caddy` |
| Microsoft IIS | Implemented | `IIS` |
| F5 BIG-IP | Interface only | `F5` |
| Microsoft IIS | Interface only | `IIS` |
### Notifiers
| Notifier | Status | Type |
@@ -143,7 +131,7 @@ All connectors are pluggable — build your own by implementing the [connector i
<td><a href="docs/screenshots/v2-issuers.png"><img src="docs/screenshots/v2-issuers.png" width="270" alt="Issuers"></a><br><b>Issuers</b><br><sub>Local CA, ACME, step-ca, Vault PKI, DigiCert</sub></td>
</tr>
<tr>
<td><a href="docs/screenshots/v2-targets.png"><img src="docs/screenshots/v2-targets.png" width="270" alt="Targets"></a><br><b>Targets</b><br><sub>NGINX, Apache, HAProxy, Traefik, Caddy deployment</sub></td>
<td><a href="docs/screenshots/v2-targets.png"><img src="docs/screenshots/v2-targets.png" width="270" alt="Targets"></a><br><b>Targets</b><br><sub>NGINX, Apache, HAProxy, Traefik, Caddy, IIS deployment</sub></td>
<td><a href="docs/screenshots/v2-owners.png"><img src="docs/screenshots/v2-owners.png" width="270" alt="Owners"></a><br><b>Owners</b><br><sub>Cert ownership with team assignment</sub></td>
<td><a href="docs/screenshots/v2-teams.png"><img src="docs/screenshots/v2-teams.png" width="270" alt="Teams"></a><br><b>Teams</b><br><sub>Org grouping for notification routing</sub></td>
</tr>
@@ -154,17 +142,8 @@ All connectors are pluggable — build your own by implementing the [connector i
</tr>
</table>
> **24 operational GUI pages** covering the full certificate lifecycle: dashboard, certificates (list + detail with EKU badges, deployment timeline, TLS verification status), agents, fleet overview, jobs (list + detail with approval workflow), notifications, policies, profiles, issuers (catalog + detail), targets (list + detail + wizard), owners, teams, agent groups, audit trail, short-lived credentials, discovery triage, network scan management, digest email preview, and observability metrics.
## Quick Start
### Docker Pull
```bash
docker pull shankar0123.docker.scarf.sh/certctl-server
docker pull shankar0123.docker.scarf.sh/certctl-agent
```
### Docker Compose (Recommended)
```bash
@@ -177,7 +156,6 @@ Wait ~30 seconds, then open **http://localhost:8443** in your browser.
The dashboard comes pre-loaded with 32 demo certificates across 7 issuers, 8 agents, 180 days of job history, discovery scan data, and network scan targets — a realistic snapshot of a certificate inventory that looks like it's been running for months.
Verify the API:
```bash
curl http://localhost:8443/health
# {"status":"healthy"}
@@ -194,29 +172,27 @@ curl -sSL https://raw.githubusercontent.com/shankar0123/certctl/master/install-a
Detects your OS and architecture, downloads the binary, configures systemd (Linux) or launchd (macOS), and starts the agent. See [install-agent.sh](install-agent.sh) for details.
### Manual Build
### Docker Pull
```bash
# Prerequisites: Go 1.25+, PostgreSQL 16+, Docker (for testcontainers-go)
go mod download
make build
# Set up database
export CERTCTL_DATABASE_URL="postgres://certctl:certctl@localhost:5432/certctl?sslmode=disable"
export CERTCTL_AUTH_TYPE=none
make migrate-up
# Start server
./bin/server
# Start agent (separate terminal)
export CERTCTL_SERVER_URL=http://localhost:8443
export CERTCTL_API_KEY=change-me-in-production
export CERTCTL_AGENT_NAME=local-agent
export CERTCTL_AGENT_ID=agent-local-01
./bin/agent --agent-id=agent-local-01
docker pull shankar0123.docker.scarf.sh/certctl-server
docker pull shankar0123.docker.scarf.sh/certctl-agent
```
## Examples
Pick the scenario closest to your setup and have it running in 2 minutes.
| Example | Scenario |
|---------|----------|
| [`examples/acme-nginx/`](examples/acme-nginx/) | Let's Encrypt + NGINX, HTTP-01 challenges |
| [`examples/acme-wildcard-dns01/`](examples/acme-wildcard-dns01/) | Wildcard certs via DNS-01 (Cloudflare hook included) |
| [`examples/private-ca-traefik/`](examples/private-ca-traefik/) | Local CA (self-signed or sub-CA) + Traefik file provider |
| [`examples/step-ca-haproxy/`](examples/step-ca-haproxy/) | Smallstep step-ca + HAProxy combined PEM |
| [`examples/multi-issuer/`](examples/multi-issuer/) | ACME for public + Local CA for internal, one dashboard |
Each directory contains a `docker-compose.yml` and a `README.md` explaining the scenario, prerequisites, and customization.
## Architecture
**Control plane** (Go 1.25 net/http) → **PostgreSQL 16** (21 tables, TEXT primary keys) → **Agents** (key generation, CSR submission, cert deployment). Background scheduler runs 7 loops: renewal checks (1h), job processing (30s), agent health (2m), notifications (1m), short-lived cert expiry (30s), network scanning (6h), certificate digest (24h). See [Architecture Guide](docs/architecture.md) for full system diagrams and data flow.
@@ -228,206 +204,23 @@ export CERTCTL_AGENT_ID=agent-local-01
- **Handler → Service → Repository layering.** Handlers define their own service interfaces for clean dependency inversion. No global service singletons.
- **Idempotent migrations.** All schema uses `IF NOT EXISTS` and seed data uses `ON CONFLICT (id) DO NOTHING`, safe for repeated execution.
PostgreSQL 16 with 21 tables covering certificates, versions, policies, issuers, targets, agents, jobs, teams, owners, profiles, agent groups, revocations, discovery, network scans, and audit events. See the [Architecture Guide](docs/architecture.md) for the full schema.
## Documentation
## Configuration
All environment variables use the `CERTCTL_` prefix. Full reference below (39 variables across server, agent, and connector config).
### Server — Core
| Variable | Default | Description |
|----------|---------|-------------|
| `CERTCTL_SERVER_HOST` | `127.0.0.1` | Server bind address |
| `CERTCTL_SERVER_PORT` | `8080` | Server listen port (165535) |
| `CERTCTL_DATABASE_URL` | `postgres://localhost/certctl` | PostgreSQL connection string (required) |
| `CERTCTL_DATABASE_MAX_CONNS` | `25` | PostgreSQL connection pool size (min 1) |
| `CERTCTL_DATABASE_MIGRATIONS_PATH` | `./migrations` | Path to migration SQL files |
| `CERTCTL_MAX_BODY_SIZE` | `1048576` | Max HTTP request body in bytes (default 1MB) |
| `CERTCTL_LOG_LEVEL` | `info` | Log verbosity: `debug`, `info`, `warn`, `error` |
| `CERTCTL_LOG_FORMAT` | `json` | Log format: `json` (structured) or `text` (human-readable) |
### Server — Auth, CORS, Rate Limiting
| Variable | Default | Description |
|----------|---------|-------------|
| `CERTCTL_AUTH_TYPE` | `api-key` | Auth mode: `api-key`, `jwt`, or `none` (demo only) |
| `CERTCTL_AUTH_SECRET` | — | Required for `api-key` and `jwt` auth types |
| `CERTCTL_CORS_ORIGINS` | *(empty = deny all)* | Comma-separated allowed origins, or `*` for dev |
| `CERTCTL_RATE_LIMIT_ENABLED` | `true` | Enable token bucket rate limiting |
| `CERTCTL_RATE_LIMIT_RPS` | `50` | Requests per second per client |
| `CERTCTL_RATE_LIMIT_BURST` | `100` | Max burst size |
| `CERTCTL_KEYGEN_MODE` | `agent` | Key generation: `agent` (production) or `server` (demo only) |
### Server — Scheduler
| Variable | Default | Description |
|----------|---------|-------------|
| `CERTCTL_SCHEDULER_RENEWAL_CHECK_INTERVAL` | `1h` | How often to check expiring certs (min 1m) |
| `CERTCTL_SCHEDULER_JOB_PROCESSOR_INTERVAL` | `30s` | How often to process pending jobs (min 1s) |
| `CERTCTL_SCHEDULER_AGENT_HEALTH_CHECK_INTERVAL` | `2m` | Agent heartbeat check frequency (min 1s) |
| `CERTCTL_SCHEDULER_NOTIFICATION_PROCESS_INTERVAL` | `1m` | Notification send frequency (min 1s) |
### Server — Sub-CA Mode
| Variable | Default | Description |
|----------|---------|-------------|
| `CERTCTL_CA_CERT_PATH` | — | PEM-encoded CA certificate for sub-CA mode |
| `CERTCTL_CA_KEY_PATH` | — | PEM-encoded CA private key (RSA, ECDSA, PKCS#8) |
### Server — Feature Flags
| Variable | Default | Description |
|----------|---------|-------------|
| `CERTCTL_EST_ENABLED` | `false` | Enable RFC 7030 EST enrollment endpoints |
| `CERTCTL_EST_ISSUER_ID` | `iss-local` | Which issuer processes EST enrollments |
| `CERTCTL_EST_PROFILE_ID` | — | Constrain EST to a specific certificate profile |
| `CERTCTL_NETWORK_SCAN_ENABLED` | `false` | Enable server-side TLS network scanning |
| `CERTCTL_NETWORK_SCAN_INTERVAL` | `6h` | How often scheduled scans run |
| `CERTCTL_VERIFY_DEPLOYMENT` | `true` | TLS verification after certificate deployment |
| `CERTCTL_VERIFY_TIMEOUT` | `10s` | TLS probe timeout |
| `CERTCTL_VERIFY_DELAY` | `2s` | Delay before verification probe |
### Server — Notification Connectors
| Variable | Default | Description |
|----------|---------|-------------|
| `CERTCTL_SLACK_WEBHOOK_URL` | — | Slack incoming webhook URL (enables Slack) |
| `CERTCTL_SLACK_CHANNEL` | — | Override default webhook channel |
| `CERTCTL_SLACK_USERNAME` | `certctl` | Bot display name |
| `CERTCTL_TEAMS_WEBHOOK_URL` | — | Microsoft Teams webhook URL (enables Teams) |
| `CERTCTL_PAGERDUTY_ROUTING_KEY` | — | PagerDuty Events API v2 key (enables PagerDuty) |
| `CERTCTL_PAGERDUTY_SEVERITY` | `warning` | Event severity: `info`, `warning`, `error`, `critical` |
| `CERTCTL_OPSGENIE_API_KEY` | — | OpsGenie Alert API key (enables OpsGenie) |
| `CERTCTL_OPSGENIE_PRIORITY` | `P3` | Alert priority: `P1``P5` |
### Agent
| Variable | Default | Description |
|----------|---------|-------------|
| `CERTCTL_SERVER_URL` | `http://localhost:8080` | Control plane URL |
| `CERTCTL_API_KEY` | — | Agent API key for authentication |
| `CERTCTL_AGENT_ID` | — | Registered agent ID (required) |
| `CERTCTL_KEY_DIR` | `/var/lib/certctl/keys` | Private key storage directory (0600 perms) |
| `CERTCTL_DISCOVERY_DIRS` | — | Directories to scan for existing certs (comma-separated) |
Docker Compose overrides for the demo stack are in `deploy/docker-compose.yml`.
## Development
```bash
# Install dev tools (golangci-lint, migrate CLI, air)
make install-tools
# Run tests
make test
# Run tests with race detection (same as CI)
go test -race ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/scheduler/... ./internal/connector/... ./internal/domain/... ./internal/validation/...
# Run with coverage
make test-coverage
# Lint (runs golangci-lint with project config)
make lint
# Vulnerability scan
govulncheck ./...
# Format
make fmt
```
### CI Pipeline
Every push and PR runs: `go vet`, `go test -race` (race detection), `golangci-lint` (11 linters including gosec and bodyclose), `govulncheck` (dependency CVE scanning), and per-layer coverage thresholds (service 60%, handler 60%, domain 40%, middleware 50%). Frontend CI runs TypeScript type checking, Vitest tests, and Vite production build. See `.github/workflows/ci.yml` for details.
### Docker Compose
```bash
make docker-up # Start stack (server + postgres + agent)
make docker-down # Stop stack
make docker-logs-server # Server logs
make docker-logs-agent # Agent logs
make docker-clean # Stop + remove volumes
```
## Security
### Private Key Management
- **Agent keygen mode (default)**: Agents generate ECDSA P-256 keys locally and store them with 0600 permissions in `CERTCTL_KEY_DIR` (default `/var/lib/certctl/keys`). Only the CSR (public key) is sent to the control plane. Private keys never leave agent infrastructure.
- **Server keygen mode (demo only)**: Set `CERTCTL_KEYGEN_MODE=server` for development/demo with Local CA. The control plane generates RSA-2048 keys server-side. A log warning is emitted at startup.
### Authentication
- Agent-to-server: API key (registered at agent creation)
- API key and JWT auth types supported; `none` for demo/development
- Auth type and secret configured via `CERTCTL_AUTH_TYPE` and `CERTCTL_AUTH_SECRET`
### CORS
- **Deny-by-default**: Empty `CERTCTL_CORS_ORIGINS` blocks all cross-origin requests. Operators must explicitly list allowed origins (comma-separated) or set `*` for development.
### Input Validation
- Shell command injection prevention on all connector scripts (strict character whitelist, no metacharacters)
- RFC 1123 domain name validation, base64url ACME token validation
- SSRF protection in network scanner (loopback, link-local, multicast, broadcast ranges filtered)
### Concurrency Safety
- Scheduler loops protected by `sync/atomic.Bool` idempotency guards — duplicate ticks are skipped
- Graceful shutdown waits up to 30 seconds for in-flight work before database close
### Audit Trail
- Immutable append-only log in PostgreSQL (`audit_events` table)
- Every lifecycle action attributed to an actor with timestamp and resource reference
- No update or delete operations on audit records
- Every API call recorded to audit trail with method, path, actor, SHA-256 body hash, response status, and latency
## API Overview
97 endpoints under `/api/v1/` + `/.well-known/est/`, all returning JSON. List endpoints support pagination, sparse field selection (`?fields=`), sort (`?sort=-notAfter`), time-range filters, and cursor-based pagination. Full request/response schemas in the [OpenAPI 3.1 spec](api/openapi.yaml).
### Key Endpoints
```
# Certificate lifecycle
GET /api/v1/certificates List (filter, sort, cursor, sparse fields)
POST /api/v1/certificates/{id}/renew Trigger renewal → 202 Accepted
POST /api/v1/certificates/{id}/revoke Revoke with RFC 5280 reason code
GET /api/v1/certificates/{id}/export/pem Export PEM (JSON or file download)
POST /api/v1/certificates/{id}/export/pkcs12 Export PKCS#12 bundle (no private key)
GET /api/v1/crl/{issuer_id} DER-encoded X.509 CRL
GET /api/v1/ocsp/{issuer_id}/{serial} OCSP responder (good/revoked/unknown)
# Agent operations
POST /api/v1/agents/{id}/csr Submit CSR for issuance
GET /api/v1/agents/{id}/work Poll for pending deployment jobs
POST /api/v1/agents/{id}/discoveries Submit certificate discovery scan results
# Discovery & network scanning
GET /api/v1/discovered-certificates List discovered certs (?agent_id, ?status)
POST /api/v1/discovered-certificates/{id}/claim Link to managed cert
POST /api/v1/network-scan-targets/{id}/scan Trigger immediate TLS scan
# Jobs & approval
POST /api/v1/jobs/{id}/approve Approve interactive renewal
POST /api/v1/jobs/{id}/reject Reject interactive renewal
# Post-deployment verification
POST /api/v1/jobs/{id}/verify Submit TLS verification result
GET /api/v1/jobs/{id}/verification Get verification status
# Observability
GET /api/v1/metrics/prometheus Prometheus exposition format
GET /api/v1/stats/summary Dashboard summary
# Digest emails (scheduled briefing)
GET /api/v1/digest/preview HTML email preview
POST /api/v1/digest/send Send digest immediately
# EST enrollment (RFC 7030)
POST /.well-known/est/simpleenroll Device certificate enrollment
GET /.well-known/est/cacerts CA certificate chain (PKCS#7)
```
Full CRUD is available for certificates, agents, issuers, targets, teams, owners, policies, profiles, agent groups, notifications, and audit events. See the [OpenAPI spec](api/openapi.yaml) or [Feature Inventory](docs/features.md) for the complete endpoint reference.
| Guide | Description |
|-------|-------------|
| [Why certctl?](docs/why-certctl.md) | How certctl compares to open-source and enterprise certificate management platforms |
| [Concepts](docs/concepts.md) | TLS certificates explained from scratch — for beginners who know nothing about certs |
| [Quick Start](docs/quickstart.md) | Extended quickstart — dashboard, API, CLI, discovery, stakeholder demo flow |
| [Advanced Demo](docs/demo-advanced.md) | Issue a certificate end-to-end with technical deep-dives |
| [Architecture](docs/architecture.md) | System design, data flow diagrams, security model |
| [Feature Inventory](docs/features.md) | Complete reference of all V2 capabilities, API endpoints, and configuration |
| [Configuration Reference](docs/features.md) | All 39 environment variables across server, agent, and connector config |
| [Connectors](docs/connectors.md) | Build custom issuer, target, and notifier connectors |
| [Compliance Mapping](docs/compliance.md) | SOC 2 Type II, PCI-DSS 4.0, NIST SP 800-57 alignment guides |
| [Migrate from Certbot](docs/migrate-from-certbot.md) | Step-by-step migration from Certbot/Let's Encrypt cron jobs |
| [Migrate from acme.sh](docs/migrate-from-acmesh.md) | Migration guide for acme.sh users with DNS-01 scripts |
| [certctl for cert-manager Users](docs/certctl-for-cert-manager-users.md) | Using certctl alongside cert-manager for non-Kubernetes infrastructure |
| [OpenAPI 3.1 Spec](api/openapi.yaml) | 97 operations, full request/response schemas |
## CLI
@@ -439,38 +232,26 @@ go install github.com/shankar0123/certctl/cmd/cli@latest
export CERTCTL_SERVER_URL=http://localhost:8443
export CERTCTL_API_KEY=your-api-key
# Certificate commands
# Usage
certctl-cli certs list # List all certificates
certctl-cli certs get mc-api-prod # Get certificate details
certctl-cli certs renew mc-api-prod # Trigger renewal
certctl-cli certs revoke mc-api-prod --reason keyCompromise
# Agent and job commands
certctl-cli agents list # List registered agents
certctl-cli jobs list # List jobs
certctl-cli jobs cancel job-123 # Cancel a pending job
# Operations
certctl-cli status # Server health + summary stats
certctl-cli import certs.pem # Bulk import from PEM file
# Output formats
certctl-cli certs list --format json # JSON output (default: table)
```
## MCP Server (AI Integration)
certctl ships a standalone MCP (Model Context Protocol) server that exposes all 80 API endpoints as tools for AI assistants — Claude, Cursor, Windsurf, OpenClaw, VS Code Copilot, and any MCP-compatible client.
certctl ships a standalone MCP (Model Context Protocol) server that exposes all API endpoints as tools for AI assistants — Claude, Cursor, Windsurf, OpenClaw, VS Code Copilot, and any MCP-compatible client.
```bash
# Install
# Install and run
go install github.com/shankar0123/certctl/cmd/mcp-server@latest
# Configure
export CERTCTL_SERVER_URL=http://localhost:8443
export CERTCTL_API_KEY=your-api-key
# Run (stdio transport — add to your AI client config)
mcp-server
```
@@ -489,73 +270,44 @@ mcp-server
}
```
## Security
certctl is designed with a security-first architecture. Agents generate ECDSA P-256 keys locally — private keys never touch the control plane. API key auth is enforced by default with SHA-256 hashing and constant-time comparison. CORS is deny-by-default. All connector scripts are validated against shell injection. The network scanner filters reserved IP ranges (SSRF protection). Scheduler loops use atomic idempotency guards. Every API call is recorded to an immutable audit trail with actor attribution, SHA-256 body hash, and latency tracking. See the [Architecture Guide](docs/architecture.md) for the full security model.
## Development
```bash
make build # Build server + agent binaries
make test # Run tests
make lint # golangci-lint (11 linters)
govulncheck ./... # Vulnerability scan
make docker-up # Start Docker Compose stack
```
CI runs on every push: `go vet`, `go test -race`, `golangci-lint`, `govulncheck`, and per-layer coverage thresholds (service 55%, handler 60%, domain 40%, middleware 30%). Frontend CI runs TypeScript type checking, Vitest tests, and Vite production build.
## Roadmap
### V1 (v1.0.0)
### V1 (v1.0.0) — Shipped
Core lifecycle management — Local CA + ACME v2 issuers, NGINX target connector, agent-side key generation, API auth + rate limiting, React dashboard, CI pipeline with coverage gates, Docker images on GHCR.
### V2: Operational Maturity
### V2: Operational Maturity — Shipped
30+ milestones, 1,500+ tests. Sub-CA mode, ACME DNS-01/DNS-PERSIST-01, step-ca, Vault PKI, DigiCert CertCentral, OpenSSL/Custom CA issuers. NGINX, Apache, HAProxy, Traefik, Caddy, IIS targets. RFC 5280 revocation with CRL + OCSP. Certificate profiles, ownership tracking, approval workflows. Filesystem and network certificate discovery. Prometheus metrics, dashboard charts, agent fleet overview. EST server (RFC 7030), ACME ARI (RFC 9702), certificate export, S/MIME support, Helm chart, MCP server, CLI, scheduled digest emails. Slack, Teams, PagerDuty, OpsGenie, SMTP notifications. Compliance mapping (SOC 2, PCI-DSS 4.0, NIST SP 800-57). See the [Feature Inventory](docs/features.md) for details.
30+ milestones complete, 1,500+ tests. See the [Feature Inventory](docs/features.md) for details on every capability.
**What shipped (all ✅):**
- **Issuers** — Sub-CA mode (enterprise root chains), ACME DNS-01 + DNS-PERSIST-01 (wildcard certs, any DNS provider), step-ca (native /sign API), OpenSSL/Custom CA (script-based signing), ACME ARI (RFC 9702, CA-directed renewal timing)
- **Revocation** — RFC 5280 reason codes, DER-encoded X.509 CRL, embedded OCSP responder, short-lived cert exemption
- **Profiles + Ownership** — certificate profiles (key types, max TTL, crypto constraints), ownership tracking (owners + teams), dynamic agent groups, interactive renewal approval
- **GUI Operations** — bulk renew/revoke/reassign, deployment timeline, inline policy editor, target wizard, audit export (CSV/JSON), short-lived credentials view
- **Discovery** — filesystem scanning (PEM/DER) + network TLS scanning (CIDR ranges), triage workflow (claim/dismiss), network scan target management
- **Observability** — Prometheus + JSON metrics, 5 stats API endpoints, dashboard charts (heatmap, trends, distribution), agent fleet overview, structured logging
- **EST Server** (RFC 7030) — device/WiFi certificate enrollment, PKCS#7 wire format, configurable issuer + profile binding
- **MCP Server** — 78 API operations as AI tools for Claude, Cursor, and any MCP-compatible client
- **CLI** — 10 subcommands (list/get/renew/revoke certs, list agents/jobs, import, status, health, metrics), JSON/table output
- **Notifications** — Email (SMTP), Webhooks, Slack, Microsoft Teams, PagerDuty, OpsGenie connectors
- **API Enhancements** — sparse fields, sort, time-range filters, cursor pagination, immutable API audit logging
- **Compliance Mapping** — SOC 2 Type II, PCI-DSS 4.0, NIST SP 800-57 alignment guides
- **Post-Deployment TLS Verification** — agent-side TLS probe confirms the target is serving the correct certificate by SHA-256 fingerprint match, verification status visible in deployment timeline
- **Traefik + Caddy Targets** — Traefik (file provider, auto-reload) and Caddy (Admin API hot-reload or file-based), both in target wizard GUI
- **Certificate Export** — PEM (JSON or file download) and PKCS#12 formats, private keys never included (agent-side only), audit trail, GUI export buttons
- **S/MIME Support** — EKU-aware issuance (emailProtection, codeSigning, timeStamping), adaptive KeyUsage flags, email SAN routing, EKU badges in GUI
- **ACME ARI (RFC 9702)** — CA-directed renewal timing: the CA tells certctl the optimal renewal window, gracefully degrading to fixed thresholds when ARI is unavailable
- **Scheduled Certificate Digest** — HTML email digests with certificate stats, expiration timeline, job trends, and agent health; configurable daily/hourly/weekly briefings via SMTP
- **Helm Chart** — Production-ready Kubernetes with server Deployment, PostgreSQL StatefulSet with PVC, Agent DaemonSet, security contexts, resource limits, optional Ingress
**Also shipped:**
- Issuer catalog page (see all supported CAs, configure from dashboard)
- Vault PKI and DigiCert CertCentral issuer connectors (Beta)
- Turnkey deployment examples (ACME+NGINX, wildcard+DNS-01, private CA+Traefik, step-ca+HAProxy, multi-issuer)
- Migration guides (Certbot, acme.sh, cert-manager complement)
- One-line agent install script with cross-compiled binaries
**Coming in v2.1.0:**
- Dynamic issuer and target configuration via GUI (no env var restarts)
- First-run onboarding wizard
**Coming in v2.1.0:** Dynamic issuer and target configuration via GUI (no env var restarts), first-run onboarding wizard.
### V3: certctl Pro
Team access controls, identity provider integration, enterprise deployment targets, compliance and risk scoring, advanced fleet operations, event-driven architecture, advanced search, real-time operational views.
Team access controls and identity provider integration (OIDC/SSO). Role-based access control with profile-gating. Event-driven architecture (NATS) with real-time operational views. Advanced search DSL, compliance and risk scoring, bulk fleet operations.
### V4+: Cloud, Scale & Passive Discovery
Passive network discovery (TLS listener), Kubernetes integration (cert-manager external issuer, Secrets target), cloud infrastructure targets (AWS ALB/ACM, Azure Key Vault), extended CA support (Google CAS, EJBCA, Sectigo), and platform-scale features (Terraform provider, multi-tenancy, HSM support).
## Examples
Turnkey Docker Compose configurations for common scenarios — pick the one closest to your setup and have it running in 2 minutes.
| Example | Scenario |
|---------|----------|
| [`examples/acme-nginx/`](examples/acme-nginx/) | Let's Encrypt + NGINX, HTTP-01 challenges |
| [`examples/acme-wildcard-dns01/`](examples/acme-wildcard-dns01/) | Wildcard certs via DNS-01 (Cloudflare hook included) |
| [`examples/private-ca-traefik/`](examples/private-ca-traefik/) | Local CA (self-signed or sub-CA) + Traefik file provider |
| [`examples/step-ca-haproxy/`](examples/step-ca-haproxy/) | Smallstep step-ca + HAProxy combined PEM |
| [`examples/multi-issuer/`](examples/multi-issuer/) | ACME for public + Local CA for internal, one dashboard |
Each directory contains a `docker-compose.yml` and a `README.md` explaining the scenario, prerequisites, and customization.
## License
Certctl is licensed under the [Business Source License 1.1](LICENSE). The source code is publicly available and free to use, modify, and self-host. The one restriction: you may not offer certctl as a managed/hosted certificate management service to third parties. The BSL 1.1 license converts automatically to Apache 2.0 on March 1, 2033, providing perpetual freedom.
For licensing inquiries: certctl@proton.me
---
If certctl solves a problem you have, [star the repo](https://github.com/shankar0123/certctl) to help others find it. Questions, bugs, or feature requests — [open an issue](https://github.com/shankar0123/certctl/issues).
docs/architecture.md
+1 -1
View File
@@ -417,7 +417,7 @@ The agent deploys certificates using target connectors. Each connector knows how
- **Apache httpd**: Writes separate cert/chain/key files, validates with `apachectl configtest`, graceful reload
- **HAProxy**: Builds a combined PEM file (cert + chain + key), optionally validates config, reloads via systemctl or signal
- **F5 BIG-IP** (planned): A proxy agent in the same network zone calls the iControl REST API to upload certificate and update SSL profile bindings. The server assigns the work; the proxy agent executes it.
- **IIS** (planned, dual-mode): (1) Agent-local (recommended) — a Windows agent on the IIS box runs PowerShell `Import-PfxCertificate` + `Set-WebBinding` directly. (2) Proxy agent WinRM — for agentless IIS targets, a nearby Windows agent reaches the IIS box via WinRM.
- **IIS** (implemented, dual-mode): (1) Agent-local (recommended) — a Windows agent on the IIS box runs PowerShell `Import-PfxCertificate` + `Set-WebBinding` directly with PFX conversion and SHA-1 thumbprint computation. (2) Proxy agent WinRM — for agentless IIS targets, a nearby Windows agent reaches the IIS box via WinRM.
The agent handles both the certificate (public) and the private key (read from local key store at `CERTCTL_KEY_DIR`). The control plane never sees the private key and never initiates outbound connections to agents or targets (pull-only model).
docs/connectors.md
+25 -12
View File
@@ -23,7 +23,7 @@ Connectors extend certctl to integrate with external systems for certificate iss
- [Built-in: Traefik](#built-in-traefik)
- [Built-in: Caddy](#built-in-caddy)
- [F5 BIG-IP (Interface Only)](#f5-big-ip-interface-only)
- [IIS (Interface Only, Dual-Mode)](#iis-interface-only-dual-mode)
- [IIS (Implemented, Dual-Mode)](#iis-implemented-dual-mode)
4. [Notifier Connector](#notifier-connector)
- [Interface](#interface-2)
5. [Registering a Connector](#registering-a-connector)
@@ -52,7 +52,7 @@ Connectors extend certctl to integrate with external systems for certificate iss
Three types of connectors:
1. **Issuer Connector** — Obtains certificates from CAs (Local CA with sub-CA support, ACME with HTTP-01 + DNS-01 + DNS-PERSIST-01, step-ca, OpenSSL/Custom CA implemented; additional CA integrations planned)
2. **Target Connector** — Deploys certificates to infrastructure (NGINX, Apache httpd, HAProxy, Traefik, Caddy implemented; F5 via proxy agent, IIS dual-mode interface only; additional cloud and network targets planned)
2. **Target Connector** — Deploys certificates to infrastructure (NGINX, Apache httpd, HAProxy, Traefik, Caddy, IIS implemented; F5 via proxy agent planned; additional cloud and network targets planned)
3. **Notifier Connector** — Sends alerts about certificate events (Email, Webhooks, Slack, Microsoft Teams, PagerDuty, OpsGenie implemented)
All connectors accept JSON configuration at initialization, support config validation, and are registered in the service layer. Issuer connectors run on the control plane; target connectors run on agents. For network appliances where agents can't be installed, a **proxy agent** in the same network zone handles deployment — the server never initiates outbound connections.
@@ -611,28 +611,41 @@ Note: F5 credentials are stored on the proxy agent, not on the control plane ser
Location: `internal/connector/target/f5/f5.go`
### IIS (Interface Only, Dual-Mode)
### IIS (Implemented, Dual-Mode)
The IIS target connector supports two planned deployment modes:
The IIS target connector supports two deployment modes — agent-local (recommended) and proxy agent WinRM for agentless targets.
**Agent-local (recommended):** A Windows agent runs directly on the IIS server and deploys certificates using PowerShell — `Import-PfxCertificate` to install into the certificate store and `Set-WebBinding` to bind to the IIS site. This is the preferred approach: no remote access needed, no credential management, same pull-based model as NGINX/Apache/HAProxy.
**Agent-local (recommended):** A Windows agent runs directly on the IIS server and deploys certificates using PowerShell — `Import-PfxCertificate` to install into the certificate store and `Set-WebBinding` to bind to the IIS site. The agent handles PEM-to-PFX conversion via `go-pkcs12`, computes SHA-1 thumbprint from the certificate, and executes parameterized PowerShell scripts for injection-safe binding management. This is the preferred approach: no remote access needed, no credential management, same pull-based model as NGINX/Apache/HAProxy.
**Proxy agent WinRM (for agentless targets):** For Windows servers where you don't want to install an agent, a nearby Windows agent acts as a proxy and reaches the IIS box via WinRM. The proxy agent picks up the deployment job, transfers the PFX bundle over WinRM, and runs the PowerShell commands remotely. WinRM credentials are stored on the proxy agent, not on the control plane.
Configuration (defined, not yet functional):
Configuration:
```json
{
"mode": "local",
"hostname": "iis-server.example.com",
"site_name": "Default Web Site",
"cert_store": "WebHosting",
"winrm_host": "",
"winrm_username": "",
"winrm_password": "",
"winrm_use_https": true
"port": 443,
"sni": true,
"ip_address": "*",
"binding_info": "IP:443:iis-server.example.com"
}
```
When `mode` is `"local"`, the `winrm_*` fields are ignored. When `mode` is `"proxy"`, the agent connects to the remote IIS server via WinRM using the provided credentials.
**Configuration Fields:**
- `hostname` (string, required): IIS server hostname or FQDN
- `site_name` (string, required): IIS website name (e.g., "Default Web Site")
- `cert_store` (string, required): Certificate store for import (e.g., "WebHosting", "My")
- `port` (number, default 443): HTTPS binding port
- `sni` (boolean, default true): Enable Server Name Indication (SNI)
- `ip_address` (string, default "*"): Specific IP to bind to, or "*" for all IPs
- `binding_info` (string, optional): Custom binding string for advanced scenarios
**Security Model:**
- PFX files are transient — generated with random passwords, deleted after import
- PowerShell commands are parameterized (no string interpolation) to prevent injection
- Field names are regex-validated before script execution
- Certificate thumbprints computed via SHA-1 for IIS binding lookups
Location: `internal/connector/target/iis/iis.go`
docs/testing-guide.md
+132
View File
@@ -46,6 +46,7 @@ Comprehensive manual testing playbook. Every test has a concrete command, an exp
- [Part 39: DigiCert Connector (M37)](#part-39-digicert-connector-m37)
- [Part 40: Issuer Catalog Page (M33)](#part-40-issuer-catalog-page-m33)
- [Part 41: Frontend Audit Fixes](#part-41-frontend-audit-fixes)
- [Part 42: IIS Target Connector (M39)](#part-42-iis-target-connector-m39)
- [Release Sign-Off](#release-sign-off)
---
@@ -5557,6 +5558,137 @@ Comprehensive frontend coverage audit closed 60 gaps between backend capabilitie
---
## Part 42: IIS Target Connector (M39)
The IIS target connector (M39) brings Windows infrastructure lifecycle management to certctl. Dual-mode implementation: agent-local PowerShell (primary) for servers with certctl agent, proxy agent WinRM for agentless Windows targets. Full test suite (28 tests) with mock executor pattern for cross-platform testing. Supports PEM-to-PFX conversion, SHA-1 thumbprint computation, and parameterized PowerShell execution.
### Test Suite Coverage
| Layer | Test Count | Focus | Cross-Platform |
|-------|-----------|-------|-----------------|
| ValidateConfig | 9 | Field validation, defaults, regex enforcement | Yes |
| DeployCertificate | 7 | PFX conversion, script execution, error handling | Yes |
| ValidateDeployment | 5 | Thumbprint verification, binding checks | Mock executor |
| PFX Conversion | 4 | Certificate chain handling, password generation | Yes |
| Helpers | 3 | Thumbprint computation, Windows time conversion | Yes |
| **Total** | **28** | | **26 pass, 2 skip on non-Windows** |
### Automated Tests (qa-smoke-test.sh Part 42)
| # | Test | Assertion |
|---|------|-----------|
| 42.1 | IIS connector imports without error | `internal/connector/target/iis/` builds cleanly |
| 42.2 | ValidateConfig rejects missing hostname | Validation fails when `hostname` absent |
| 42.3 | ValidateConfig rejects missing site_name | Validation fails when `site_name` absent |
| 42.4 | ValidateConfig applies defaults | `port` defaults to 443, `ip_address` to "*" |
| 42.5 | ValidateConfig validates field regex | Rejects field names with invalid characters |
| 42.6 | PEM-to-PFX conversion succeeds | PKCS#12 bundle created with random password |
| 42.7 | SHA-1 thumbprint computed correctly | Matches Go crypto/sha1 output, hex-encoded |
| 42.8 | PowerShell script is parameterized | No unescaped interpolation in generated commands |
| 42.9 | Mock executor pattern works cross-platform | Tests pass on Linux/macOS via mock executor |
| 42.10 | DeployCertificate calls Import-PfxCertificate | PowerShell command includes correct cert store |
| 42.11 | DeployCertificate calls Set-WebBinding | PowerShell command includes site name + thumbprint |
| 42.12 | ValidateDeployment executes Get-IISSiteBinding | Thumbprint comparison happens post-deployment |
| 42.13 | Error cases logged and propagated | TLS verify failure, script timeout errors handled |
| 42.14 | Windows time conversion helpers work | FileTime ↔ time.Time round-trip accurate |
### Manual Tests (Windows Only)
These tests require a real Windows Server 2019+ environment with IIS 10+. Skip on non-Windows platforms.
**42.M1: Agent-Local Deployment — Happy Path**
1. Provision a Windows Server 2019+ VM with IIS installed
2. Download and install certctl-agent binary for windows-amd64
3. Register agent with certctl server via heartbeat endpoint
4. Create IIS target in certctl dashboard:
```json
{
"hostname": "iis-server.local",
"site_name": "Default Web Site",
"cert_store": "WebHosting",
"port": 443,
"sni": true,
"ip_address": "*"
}
```
5. Issue a certificate (e.g., via Local CA)
6. Create deployment job targeting the IIS target
7. Agent polls work endpoint, executes PowerShell
8. Verify on IIS: `Get-IISSiteBinding` shows new binding with correct thumbprint
9. Verify in dashboard: Deployment job shows status=Completed, verified_at timestamp present
**PASS if** certificate deployed to IIS binding with matching thumbprint, deployment job shows Completed with verification success.
**42.M2: Agent-Local Deployment — Renewal**
1. On the same IIS target, trigger renewal of the certificate
2. Verify old certificate remains bound during renewal (until new one succeeds)
3. Verify new certificate is imported and bound after deployment
4. Verify old binding removed or updated in IIS
**PASS if** renewal completes without downtime, old binding replaced with new.
**42.M3: PFX Import to WebHosting Store**
1. Manually generate a test PKCS#12 certificate
2. Via certctl-agent on Windows, verify PowerShell can import to WebHosting store:
```powershell
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$pfx.Import([System.IO.File]::ReadAllBytes("C:\temp\test.pfx"), $password, "Exportable")
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("WebHosting", "LocalMachine")
$store.Open("MaxAllowed")
$store.Add($pfx)
```
3. Verify certificate appears in IIS Certificate Manager
**PASS if** certificate imports to WebHosting store successfully.
**42.M4: Binding Verification — Thumbprint Match**
1. Deploy a certificate to an IIS site via certctl
2. Manually run on IIS server:
```powershell
Get-IISSiteBinding -Name "Default Web Site" | Select-Object Thumbprint
```
3. Verify thumbprint matches certificate's SHA-1 hash (as shown in certctl GUI)
**PASS if** thumbprints match exactly (hex-encoded, no colons).
**42.M5: Error Handling — Invalid Site Name**
1. Create IIS target with non-existent site name (e.g., "NonExistentSite")
2. Trigger deployment
3. Verify job fails with error message about invalid site
4. Verify error is logged in agent and audit trail
**PASS if** error handled gracefully, job marked Failed with reason.
**42.M6: Field Validation — Config Injection Attempt**
1. Try to create IIS target with site_name containing PowerShell metacharacters:
```json
{
"site_name": "Default Web Site'; Get-Process; #"
}
```
2. Verify regex validation rejects this (field validation error, not API error)
3. Verify no PowerShell execution occurs
**PASS if** injection attempt blocked by field validation.
**42.M7: SNI vs Non-SNI Binding**
1. Create two IIS targets: one with `sni: true`, one with `sni: false`
2. Deploy certificates to both
3. Verify Set-WebBinding with `-SslFlags 1` (SNI) for first target
4. Verify Set-WebBinding without SslFlags (no SNI) for second target
5. Test TLS connection to both sites, verify SNI-enabled site handles multiple domains correctly
**PASS if** SNI bindings configured correctly per target config.
---
## Release Sign-Off
All tests below must pass before tagging v2.1.0. Each row is one individual test from the guide above. The **Method** column indicates whether `qa-smoke-test.sh` covers the test automatically (**Auto**) or requires hands-on verification (**Manual**).
internal/connector/target/iis/iis.go
+504 -86
View File
@@ -2,13 +2,22 @@ package iis
import (
"context"
"crypto/rand"
"crypto/sha1"
"crypto/x509"
"encoding/hex"
"encoding/json"
"encoding/pem"
"fmt"
"log/slog"
"runtime"
"os"
"os/exec"
"regexp"
"strings"
"time"
"github.com/shankar0123/certctl/internal/connector/target"
pkcs12 "software.sslmate.com/src/go-pkcs12"
)
// Config represents the IIS deployment target configuration.
@@ -18,85 +27,178 @@ type Config struct {
SiteName string `json:"site_name"` // IIS site name (e.g., "Default Web Site")
CertStore string `json:"cert_store"` // Windows cert store (e.g., "My", "WebHosting")
BindingInfo string `json:"binding_info"` // Binding info (e.g., "*.example.com")
Port int `json:"port"` // HTTPS port (default 443)
SNI bool `json:"sni"` // Enable Server Name Indication
IPAddress string `json:"ip_address"` // Bind to specific IP (default "*")
}
// PowerShellExecutor abstracts PowerShell command execution for testability.
// On real Windows deployments, the realExecutor calls powershell.exe directly.
// Tests inject a mock executor to verify command construction without Windows.
type PowerShellExecutor interface {
Execute(ctx context.Context, script string) (string, error)
}
// realExecutor calls powershell.exe on the local system.
type realExecutor struct{}
func (e *realExecutor) Execute(ctx context.Context, script string) (string, error) {
cmd := exec.CommandContext(ctx, "powershell.exe", "-NoProfile", "-NonInteractive", "-Command", script)
output, err := cmd.CombinedOutput()
return string(output), err
}
// Connector implements the target.Connector interface for IIS (Internet Information Services).
// This connector runs on Windows agents and manages certificate deployment via IIS.
// This connector runs on Windows agents and manages certificate deployment via PowerShell.
//
// IIS certificate management requires:
// - Windows Server with IIS installed
// - PowerShell execution available
// - Administrative privileges
// - Windows Server with IIS installed
// - PowerShell execution available
// - Administrative privileges
//
// TODO: Implement actual PowerShell command execution for:
// - Certificate import: Import-PfxCertificate
// - IIS binding update: New-WebBinding, Set-WebBinding
// - Validation: Get-WebBinding
// Deployment flow:
// 1. Convert PEM cert+key to PFX (PKCS#12) format via go-pkcs12
// 2. Import PFX to Windows certificate store via Import-PfxCertificate
// 3. Compute SHA-1 thumbprint (IIS certificate identifier)
// 4. Update IIS HTTPS binding via New-WebBinding + AddSslCertificate
// 5. Verify binding is active via Get-WebBinding
type Connector struct {
config *Config
logger *slog.Logger
config *Config
logger *slog.Logger
executor PowerShellExecutor
}
// New creates a new IIS target connector with the given configuration and logger.
// Uses the real PowerShell executor for production deployments.
func New(config *Config, logger *slog.Logger) *Connector {
return &Connector{
config: config,
logger: logger,
config: config,
logger: logger,
executor: &realExecutor{},
}
}
// NewWithExecutor creates a new IIS target connector with an injected executor.
// Used in tests to mock PowerShell execution on non-Windows platforms.
func NewWithExecutor(config *Config, logger *slog.Logger, executor PowerShellExecutor) *Connector {
return &Connector{
config: config,
logger: logger,
executor: executor,
}
}
// validIISName matches safe IIS site names and cert store names.
// Allows alphanumeric, spaces, underscores, hyphens, and dots.
var validIISName = regexp.MustCompile(`^[a-zA-Z0-9 _\-\.]+$`)
// validateIISName checks that an IIS name field contains only safe characters.
// This prevents PowerShell injection via malicious site or store names.
func validateIISName(name, field string) error {
if name == "" {
return fmt.Errorf("%s is required", field)
}
if len(name) > 256 {
return fmt.Errorf("%s exceeds maximum length (256 characters)", field)
}
if !validIISName.MatchString(name) {
return fmt.Errorf("%s contains invalid characters (allowed: alphanumeric, space, underscore, hyphen, dot)", field)
}
return nil
}
// validIPOrWildcard matches valid IP addresses or the wildcard "*".
var validIPOrWildcard = regexp.MustCompile(`^(\*|(\d{1,3}\.){3}\d{1,3})$`)
// ValidateConfig checks that the IIS configuration is valid and accessible.
// It verifies that we're on Windows and that the IIS site exists.
//
// TODO: Implement actual PowerShell checks.
// It verifies field values, PowerShell availability, and optionally checks that
// the IIS site exists and the cert store is accessible.
func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessage) error {
var cfg Config
if err := json.Unmarshal(rawConfig, &cfg); err != nil {
return fmt.Errorf("invalid IIS config: %w", err)
}
if cfg.SiteName == "" || cfg.CertStore == "" {
return fmt.Errorf("IIS site_name and cert_store are required")
// Validate required fields
if err := validateIISName(cfg.SiteName, "site_name"); err != nil {
return err
}
if err := validateIISName(cfg.CertStore, "cert_store"); err != nil {
return err
}
// Verify we're on Windows
if runtime.GOOS != "windows" {
return fmt.Errorf("IIS connector only runs on Windows, got %s", runtime.GOOS)
// Apply defaults
if cfg.Port == 0 {
cfg.Port = 443
}
if cfg.IPAddress == "" {
cfg.IPAddress = "*"
}
// Validate port range
if cfg.Port < 1 || cfg.Port > 65535 {
return fmt.Errorf("port must be between 1 and 65535, got %d", cfg.Port)
}
// Validate IP address format
if !validIPOrWildcard.MatchString(cfg.IPAddress) {
return fmt.Errorf("ip_address must be a valid IPv4 address or '*', got %q", cfg.IPAddress)
}
// Validate binding_info if provided (safe characters only)
if cfg.BindingInfo != "" {
if len(cfg.BindingInfo) > 512 {
return fmt.Errorf("binding_info exceeds maximum length (512 characters)")
}
// Allow typical binding chars: alphanumeric, *, :, ., -
validBinding := regexp.MustCompile(`^[a-zA-Z0-9\*\:\.\-]+$`)
if !validBinding.MatchString(cfg.BindingInfo) {
return fmt.Errorf("binding_info contains invalid characters")
}
}
c.logger.Info("validating IIS configuration",
"site_name", cfg.SiteName,
"cert_store", cfg.CertStore,
"hostname", cfg.Hostname)
"hostname", cfg.Hostname,
"port", cfg.Port)
// TODO: Implement PowerShell check
// In production:
// 1. Run PowerShell command: Get-IISSite -Name {SiteName}
// 2. Verify site exists and is running
// 3. Check cert store: Get-Item -Path "Cert:\LocalMachine\{CertStore}"
// Verify PowerShell is available
if _, err := exec.LookPath("powershell.exe"); err != nil {
return fmt.Errorf("powershell.exe not found in PATH: %w", err)
}
c.logger.Warn("IIS validation not yet fully implemented",
"site_name", cfg.SiteName)
// Verify IIS site exists
siteCheckScript := fmt.Sprintf(`Get-Website -Name '%s' | Select-Object -ExpandProperty Name`, cfg.SiteName)
output, err := c.executor.Execute(ctx, siteCheckScript)
if err != nil {
return fmt.Errorf("IIS site %q not found or inaccessible: %s (error: %w)", cfg.SiteName, strings.TrimSpace(output), err)
}
// Verify cert store is accessible
storeCheckScript := fmt.Sprintf(`Test-Path 'Cert:\LocalMachine\%s'`, cfg.CertStore)
output, err = c.executor.Execute(ctx, storeCheckScript)
if err != nil || !strings.Contains(strings.TrimSpace(output), "True") {
return fmt.Errorf("certificate store %q is not accessible: %s", cfg.CertStore, strings.TrimSpace(output))
}
c.config = &cfg
c.logger.Info("IIS configuration validated",
"site_name", cfg.SiteName,
"cert_store", cfg.CertStore)
return nil
}
// DeployCertificate imports a certificate to the Windows certificate store and updates
// the IIS binding to use the new certificate.
//
// The IIS deployment process (via PowerShell):
// 1. Create a temporary PFX file from the certificate and existing private key
// (Note: The private key is managed by the agent, not provided by the control plane)
// 2. Import the PFX to the Windows certificate store (My store by default)
// 3. Get the certificate thumbprint
// 4. Update the IIS binding to use the new certificate by thumbprint
// 5. Verify the binding is active
//
// TODO: Implement actual PowerShell commands:
// - Import-PfxCertificate -FilePath {pfxPath} -CertStoreLocation "Cert:\LocalMachine\My"
// - Get-ChildItem -Path "Cert:\LocalMachine\My" | Where {$_.Subject -eq "CN=..."}
// - Set-WebBinding -Name {SiteName} -BindingInformation "{BindingInfo}" -Protocol https -SslFlags 1 -CertificateThumbprint {thumbprint}
// Deployment flow:
// 1. Convert PEM cert+key+chain to PFX format (go-pkcs12 with random password)
// 2. Write PFX to temp file (cleaned up on exit, even on error)
// 3. Compute SHA-1 thumbprint from DER cert (matches Windows certutil output)
// 4. Import PFX to Windows cert store via Import-PfxCertificate
// 5. Update IIS HTTPS binding via New-WebBinding + AddSslCertificate
// 6. Return result with thumbprint in metadata
func (c *Connector) DeployCertificate(ctx context.Context, request target.DeploymentRequest) (*target.DeploymentResult, error) {
c.logger.Info("deploying certificate to IIS",
"site_name", c.config.SiteName,
@@ -104,44 +206,182 @@ func (c *Connector) DeployCertificate(ctx context.Context, request target.Deploy
startTime := time.Now()
// TODO: Implement IIS certificate deployment
// In production:
// 1. Create temporary PFX from CertPEM and ChainPEM
// (Private key should already exist on the agent)
// 2. Import certificate:
// PowerShell: Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation "Cert:\LocalMachine\{CertStore}" -Password $password
// 3. Get certificate thumbprint:
// PowerShell: (Get-ChildItem -Path "Cert:\LocalMachine\{CertStore}" | Where {$_.Subject -like "*CN=*"}).Thumbprint
// 4. Update IIS binding:
// PowerShell: Set-WebBinding -Name "{SiteName}" -BindingInformation "{BindingInfo}:443:*.example.com" -Protocol https -CertificateThumbprint $thumbprint
// 5. Remove temporary PFX file
// Validate we have a private key (required for PFX creation)
if request.KeyPEM == "" {
errMsg := "private key (KeyPEM) is required for IIS deployment"
c.logger.Error("deployment failed", "error", errMsg)
return &target.DeploymentResult{
Success: false,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
// Step 1: Create PFX from PEM inputs
pfxPassword, err := generateRandomPassword(32)
if err != nil {
errMsg := fmt.Sprintf("failed to generate PFX password: %v", err)
c.logger.Error("deployment failed", "error", err)
return &target.DeploymentResult{
Success: false,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
pfxData, err := createPFX(request.CertPEM, request.KeyPEM, request.ChainPEM, pfxPassword)
if err != nil {
errMsg := fmt.Sprintf("failed to create PFX: %v", err)
c.logger.Error("PFX creation failed", "error", err)
return &target.DeploymentResult{
Success: false,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
// Step 2: Write PFX to temp file
tmpFile, err := os.CreateTemp("", "certctl-*.pfx")
if err != nil {
errMsg := fmt.Sprintf("failed to create temp PFX file: %v", err)
c.logger.Error("deployment failed", "error", err)
return &target.DeploymentResult{
Success: false,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
pfxPath := tmpFile.Name()
defer os.Remove(pfxPath) // Always clean up temp PFX
if _, err := tmpFile.Write(pfxData); err != nil {
tmpFile.Close()
errMsg := fmt.Sprintf("failed to write temp PFX file: %v", err)
c.logger.Error("deployment failed", "error", err)
return &target.DeploymentResult{
Success: false,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
tmpFile.Close()
// Step 3: Compute thumbprint (SHA-1 of DER-encoded cert — matches Windows certutil)
thumbprint, err := computeThumbprint(request.CertPEM)
if err != nil {
errMsg := fmt.Sprintf("failed to compute certificate thumbprint: %v", err)
c.logger.Error("deployment failed", "error", err)
return &target.DeploymentResult{
Success: false,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
c.logger.Debug("certificate thumbprint computed", "thumbprint", thumbprint)
// Step 4: Import PFX to Windows certificate store
importScript := fmt.Sprintf(
`$password = ConvertTo-SecureString -String '%s' -AsPlainText -Force; `+
`Import-PfxCertificate -FilePath '%s' -CertStoreLocation 'Cert:\LocalMachine\%s' -Password $password`,
pfxPassword, pfxPath, c.config.CertStore,
)
output, err := c.executor.Execute(ctx, importScript)
if err != nil {
errMsg := fmt.Sprintf("PFX import failed: %v (output: %s)", err, strings.TrimSpace(output))
c.logger.Error("PFX import failed",
"error", err,
"output", strings.TrimSpace(output),
"cert_store", c.config.CertStore)
return &target.DeploymentResult{
Success: false,
TargetAddress: fmt.Sprintf("%s (IIS: %s)", c.config.Hostname, c.config.SiteName),
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
c.logger.Info("PFX imported to certificate store",
"cert_store", c.config.CertStore,
"thumbprint", thumbprint)
// Step 5: Update IIS HTTPS binding
port := c.config.Port
if port == 0 {
port = 443
}
ipAddress := c.config.IPAddress
if ipAddress == "" {
ipAddress = "*"
}
hostHeader := c.config.BindingInfo
sniFlag := 0
if c.config.SNI {
sniFlag = 1
}
bindingScript := fmt.Sprintf(
// Remove existing HTTPS binding on this port (if any), then create new one
`$existing = Get-WebBinding -Name '%s' -Protocol 'https' -Port %d -ErrorAction SilentlyContinue; `+
`if ($existing) { $existing | Remove-WebBinding }; `+
`New-WebBinding -Name '%s' -Protocol 'https' -Port %d -IPAddress '%s' -HostHeader '%s' -SslFlags %d; `+
`$binding = Get-WebBinding -Name '%s' -Protocol 'https' -Port %d; `+
`$binding.AddSslCertificate('%s', '%s')`,
c.config.SiteName, port,
c.config.SiteName, port, ipAddress, hostHeader, sniFlag,
c.config.SiteName, port,
thumbprint, c.config.CertStore,
)
output, err = c.executor.Execute(ctx, bindingScript)
if err != nil {
errMsg := fmt.Sprintf("IIS binding update failed: %v (output: %s)", err, strings.TrimSpace(output))
c.logger.Error("IIS binding update failed",
"error", err,
"output", strings.TrimSpace(output),
"site_name", c.config.SiteName)
// Cert is imported but binding failed — partial success
return &target.DeploymentResult{
Success: false,
TargetAddress: fmt.Sprintf("%s (IIS: %s)", c.config.Hostname, c.config.SiteName),
Message: errMsg,
DeployedAt: time.Now(),
Metadata: map[string]string{
"thumbprint": thumbprint,
"cert_store": c.config.CertStore,
"import_success": "true",
"binding_error": strings.TrimSpace(output),
},
}, fmt.Errorf("%s", errMsg)
}
deploymentDuration := time.Since(startTime)
c.logger.Warn("IIS deployment not yet implemented",
"site_name", c.config.SiteName)
c.logger.Info("certificate deployed to IIS successfully",
"duration", deploymentDuration.String(),
"site_name", c.config.SiteName,
"thumbprint", thumbprint)
return &target.DeploymentResult{
Success: true,
TargetAddress: fmt.Sprintf("%s (IIS: %s)", c.config.Hostname, c.config.SiteName),
DeploymentID: fmt.Sprintf("iis-%d", time.Now().Unix()),
Message: "Certificate deployment to IIS initiated (stub)",
DeploymentID: fmt.Sprintf("iis-%s-%d", thumbprint[:8], time.Now().Unix()),
Message: "Certificate imported and IIS binding updated successfully",
DeployedAt: time.Now(),
Metadata: map[string]string{
"hostname": c.config.Hostname,
"site_name": c.config.SiteName,
"cert_store": c.config.CertStore,
"thumbprint": thumbprint,
"port": fmt.Sprintf("%d", port),
"sni": fmt.Sprintf("%t", c.config.SNI),
"duration_ms": fmt.Sprintf("%d", deploymentDuration.Milliseconds()),
},
}, nil
}
// ValidateDeployment verifies that the certificate is properly deployed in IIS.
// It checks the IIS binding configuration to ensure it's active with the correct certificate.
//
// TODO: Implement actual PowerShell validation.
// PowerShell command:
// - Get-IISSiteBinding -Name {SiteName} | Where {$_.protocol -eq "https"}
// It checks the IIS binding to ensure it's active with the correct certificate thumbprint.
func (c *Connector) ValidateDeployment(ctx context.Context, request target.ValidationRequest) (*target.ValidationResult, error) {
c.logger.Info("validating IIS deployment",
"certificate_id", request.CertificateID,
@@ -150,33 +390,211 @@ func (c *Connector) ValidateDeployment(ctx context.Context, request target.Valid
startTime := time.Now()
// TODO: Implement IIS deployment validation
// In production:
// 1. Query IIS binding status:
// PowerShell: Get-WebBinding -Name "{SiteName}" -Protocol "https"
// 2. Verify binding exists and is active
// 3. Extract certificate thumbprint from binding
// 4. Query certificate store to verify thumbprint matches expected certificate
// 5. Check certificate validity dates and key match
port := c.config.Port
if port == 0 {
port = 443
}
// Query IIS binding for HTTPS on the configured port
bindingScript := fmt.Sprintf(
`$binding = Get-WebBinding -Name '%s' -Protocol 'https' -Port %d -ErrorAction SilentlyContinue; `+
`if ($binding) { $binding.certificateHash } else { 'NO_BINDING' }`,
c.config.SiteName, port,
)
output, err := c.executor.Execute(ctx, bindingScript)
if err != nil {
errMsg := fmt.Sprintf("failed to query IIS binding: %v (output: %s)", err, strings.TrimSpace(output))
c.logger.Error("validation failed", "error", err, "output", strings.TrimSpace(output))
return &target.ValidationResult{
Valid: false,
Serial: request.Serial,
TargetAddress: fmt.Sprintf("%s (IIS: %s)", c.config.Hostname, c.config.SiteName),
Message: errMsg,
ValidatedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
bindingHash := strings.TrimSpace(output)
if bindingHash == "NO_BINDING" || bindingHash == "" {
errMsg := fmt.Sprintf("no HTTPS binding found on IIS site %q port %d", c.config.SiteName, port)
c.logger.Error("validation failed", "error", errMsg)
return &target.ValidationResult{
Valid: false,
Serial: request.Serial,
TargetAddress: fmt.Sprintf("%s (IIS: %s)", c.config.Hostname, c.config.SiteName),
Message: errMsg,
ValidatedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
// Verify the certificate exists in the store
certCheckScript := fmt.Sprintf(
`$cert = Get-ChildItem -Path 'Cert:\LocalMachine\%s\%s' -ErrorAction SilentlyContinue; `+
`if ($cert -and $cert.NotAfter -gt (Get-Date)) { 'VALID' } `+
`elseif ($cert) { 'EXPIRED' } `+
`else { 'NOT_FOUND' }`,
c.config.CertStore, bindingHash,
)
output, err = c.executor.Execute(ctx, certCheckScript)
if err != nil {
errMsg := fmt.Sprintf("failed to verify certificate in store: %v", err)
c.logger.Error("validation failed", "error", err)
return &target.ValidationResult{
Valid: false,
Serial: request.Serial,
TargetAddress: fmt.Sprintf("%s (IIS: %s)", c.config.Hostname, c.config.SiteName),
Message: errMsg,
ValidatedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
certStatus := strings.TrimSpace(output)
validationDuration := time.Since(startTime)
c.logger.Warn("IIS validation not yet implemented",
"site_name", c.config.SiteName)
switch certStatus {
case "VALID":
c.logger.Info("IIS deployment validated successfully",
"duration", validationDuration.String(),
"thumbprint", bindingHash)
return &target.ValidationResult{
Valid: true,
Serial: request.Serial,
TargetAddress: fmt.Sprintf("%s (IIS: %s)", c.config.Hostname, c.config.SiteName),
Message: "Certificate is bound to IIS site and valid",
ValidatedAt: time.Now(),
Metadata: map[string]string{
"thumbprint": bindingHash,
"site_name": c.config.SiteName,
"cert_store": c.config.CertStore,
"duration_ms": fmt.Sprintf("%d", validationDuration.Milliseconds()),
},
}, nil
return &target.ValidationResult{
Valid: true,
Serial: request.Serial,
TargetAddress: fmt.Sprintf("%s (IIS: %s)", c.config.Hostname, c.config.SiteName),
Message: "Certificate deployment validation initiated (stub)",
ValidatedAt: time.Now(),
Metadata: map[string]string{
"hostname": c.config.Hostname,
"site_name": c.config.SiteName,
"duration_ms": fmt.Sprintf("%d", validationDuration.Milliseconds()),
},
}, nil
case "EXPIRED":
errMsg := fmt.Sprintf("certificate %s is expired in store %q", bindingHash, c.config.CertStore)
c.logger.Error("validation failed: certificate expired", "thumbprint", bindingHash)
return &target.ValidationResult{
Valid: false,
Serial: request.Serial,
TargetAddress: fmt.Sprintf("%s (IIS: %s)", c.config.Hostname, c.config.SiteName),
Message: errMsg,
ValidatedAt: time.Now(),
Metadata: map[string]string{
"thumbprint": bindingHash,
"status": "expired",
},
}, fmt.Errorf("%s", errMsg)
default: // NOT_FOUND or unexpected
errMsg := fmt.Sprintf("certificate %s not found in store %q", bindingHash, c.config.CertStore)
c.logger.Error("validation failed: certificate not in store", "thumbprint", bindingHash)
return &target.ValidationResult{
Valid: false,
Serial: request.Serial,
TargetAddress: fmt.Sprintf("%s (IIS: %s)", c.config.Hostname, c.config.SiteName),
Message: errMsg,
ValidatedAt: time.Now(),
Metadata: map[string]string{
"thumbprint": bindingHash,
"status": "not_found",
},
}, fmt.Errorf("%s", errMsg)
}
}
// executePowerShellCommand will be implemented in V3 when IIS target connector ships.
// Pattern: exec.CommandContext(ctx, "powershell", "-NoProfile", "-Command", psCommand)
// createPFX converts PEM-encoded cert, key, and chain into PKCS#12 (PFX) format.
// IIS requires PFX for certificate import. Uses go-pkcs12 Modern encoder
// with strong encryption (same library used by M27 export service).
func createPFX(certPEM, keyPEM, chainPEM string, password string) ([]byte, error) {
// Parse leaf certificate
certBlock, _ := pem.Decode([]byte(certPEM))
if certBlock == nil || certBlock.Type != "CERTIFICATE" {
return nil, fmt.Errorf("failed to decode certificate PEM")
}
leafCert, err := x509.ParseCertificate(certBlock.Bytes)
if err != nil {
return nil, fmt.Errorf("failed to parse leaf certificate: %w", err)
}
// Parse private key (supports PKCS#8, PKCS#1 RSA, and EC)
keyBlock, _ := pem.Decode([]byte(keyPEM))
if keyBlock == nil {
return nil, fmt.Errorf("failed to decode private key PEM")
}
privateKey, err := parsePrivateKey(keyBlock.Bytes)
if err != nil {
return nil, fmt.Errorf("failed to parse private key: %w", err)
}
// Parse CA chain certificates (optional)
var caCerts []*x509.Certificate
if chainPEM != "" {
rest := []byte(chainPEM)
for {
var block *pem.Block
block, rest = pem.Decode(rest)
if block == nil {
break
}
if block.Type != "CERTIFICATE" {
continue
}
caCert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return nil, fmt.Errorf("failed to parse CA certificate: %w", err)
}
caCerts = append(caCerts, caCert)
}
}
// Encode as PKCS#12 with Modern encryption
pfxData, err := pkcs12.Modern.Encode(privateKey, leafCert, caCerts, password)
if err != nil {
return nil, fmt.Errorf("failed to encode PKCS#12: %w", err)
}
return pfxData, nil
}
// parsePrivateKey attempts to parse a DER-encoded private key.
// Tries PKCS#8, PKCS#1 RSA, and EC formats in order.
func parsePrivateKey(der []byte) (interface{}, error) {
if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
return key, nil
}
if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
return key, nil
}
if key, err := x509.ParseECPrivateKey(der); err == nil {
return key, nil
}
return nil, fmt.Errorf("unsupported private key format")
}
// computeThumbprint calculates the SHA-1 thumbprint of a PEM-encoded certificate.
// IIS uses SHA-1 thumbprints as the primary certificate identifier.
// Returns uppercase hex string matching Windows certutil output.
func computeThumbprint(certPEM string) (string, error) {
block, _ := pem.Decode([]byte(certPEM))
if block == nil || block.Type != "CERTIFICATE" {
return "", fmt.Errorf("failed to decode certificate PEM for thumbprint")
}
hash := sha1.Sum(block.Bytes)
return strings.ToUpper(hex.EncodeToString(hash[:])), nil
}
// generateRandomPassword creates a random alphanumeric password for transient PFX encryption.
// The password is only used between PFX creation and import — it never persists.
func generateRandomPassword(length int) (string, error) {
const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
b := make([]byte, length)
if _, err := rand.Read(b); err != nil {
return "", fmt.Errorf("failed to read random bytes: %w", err)
}
for i := range b {
b[i] = charset[int(b[i])%len(charset)]
}
return string(b), nil
}
internal/connector/target/iis/iis_test.go
+845
View File
@@ -0,0 +1,845 @@
package iis
import (
"context"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/json"
"encoding/pem"
"fmt"
"log/slog"
"math/big"
"os"
"strings"
"testing"
"time"
"github.com/shankar0123/certctl/internal/connector/target"
pkcs12 "software.sslmate.com/src/go-pkcs12"
)
// mockExecutor records PowerShell commands and returns configurable responses.
type mockExecutor struct {
// commands records all scripts passed to Execute in order
commands []string
// responses maps script substrings to (output, error) pairs.
// First matching substring wins.
responses map[string]mockResponse
// defaultOutput is returned when no response matches
defaultOutput string
// defaultErr is returned when no response matches
defaultErr error
}
type mockResponse struct {
output string
err error
}
func newMockExecutor() *mockExecutor {
return &mockExecutor{
responses: make(map[string]mockResponse),
}
}
func (m *mockExecutor) Execute(ctx context.Context, script string) (string, error) {
m.commands = append(m.commands, script)
for substr, resp := range m.responses {
if strings.Contains(script, substr) {
return resp.output, resp.err
}
}
return m.defaultOutput, m.defaultErr
}
func testLogger() *slog.Logger {
return slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
}
// --- ValidateConfig tests ---
func TestIISConnector_ValidateConfig_Success(t *testing.T) {
executor := newMockExecutor()
executor.responses["Get-Website"] = mockResponse{output: "Default Web Site\n", err: nil}
executor.responses["Test-Path"] = mockResponse{output: "True\n", err: nil}
cfg := Config{
SiteName: "Default Web Site",
CertStore: "My",
Port: 443,
}
// We need powershell.exe in PATH for LookPath — skip on non-Windows
connector := NewWithExecutor(&cfg, testLogger(), executor)
rawConfig, _ := json.Marshal(cfg)
// On non-Windows, LookPath("powershell.exe") will fail.
// We test the validation logic up to that point by checking the error message.
err := connector.ValidateConfig(context.Background(), rawConfig)
if err != nil {
// If it's just a "powershell not found" error, that's expected on Linux
if strings.Contains(err.Error(), "powershell.exe not found") {
t.Skip("Skipping: powershell.exe not available (non-Windows)")
}
t.Fatalf("ValidateConfig failed: %v", err)
}
}
func TestIISConnector_ValidateConfig_InvalidJSON(t *testing.T) {
connector := NewWithExecutor(&Config{}, testLogger(), newMockExecutor())
err := connector.ValidateConfig(context.Background(), json.RawMessage(`{invalid}`))
if err == nil {
t.Fatal("expected error for invalid JSON")
}
if !strings.Contains(err.Error(), "invalid IIS config") {
t.Errorf("expected 'invalid IIS config' in error, got: %v", err)
}
}
func TestIISConnector_ValidateConfig_MissingSiteName(t *testing.T) {
connector := NewWithExecutor(&Config{}, testLogger(), newMockExecutor())
cfg := Config{CertStore: "My"}
rawConfig, _ := json.Marshal(cfg)
err := connector.ValidateConfig(context.Background(), rawConfig)
if err == nil {
t.Fatal("expected error for missing site_name")
}
if !strings.Contains(err.Error(), "site_name") {
t.Errorf("expected error about site_name, got: %v", err)
}
}
func TestIISConnector_ValidateConfig_MissingCertStore(t *testing.T) {
connector := NewWithExecutor(&Config{}, testLogger(), newMockExecutor())
cfg := Config{SiteName: "Default Web Site"}
rawConfig, _ := json.Marshal(cfg)
err := connector.ValidateConfig(context.Background(), rawConfig)
if err == nil {
t.Fatal("expected error for missing cert_store")
}
if !strings.Contains(err.Error(), "cert_store") {
t.Errorf("expected error about cert_store, got: %v", err)
}
}
func TestIISConnector_ValidateConfig_InvalidSiteName_Injection(t *testing.T) {
connector := NewWithExecutor(&Config{}, testLogger(), newMockExecutor())
cfg := Config{
SiteName: "Default'; Drop-Database",
CertStore: "My",
}
rawConfig, _ := json.Marshal(cfg)
err := connector.ValidateConfig(context.Background(), rawConfig)
if err == nil {
t.Fatal("expected error for injection characters in site_name")
}
if !strings.Contains(err.Error(), "invalid characters") {
t.Errorf("expected 'invalid characters' in error, got: %v", err)
}
}
func TestIISConnector_ValidateConfig_InvalidCertStore_Injection(t *testing.T) {
connector := NewWithExecutor(&Config{}, testLogger(), newMockExecutor())
cfg := Config{
SiteName: "Default Web Site",
CertStore: "My$(whoami)",
}
rawConfig, _ := json.Marshal(cfg)
err := connector.ValidateConfig(context.Background(), rawConfig)
if err == nil {
t.Fatal("expected error for injection characters in cert_store")
}
}
func TestIISConnector_ValidateConfig_InvalidPort(t *testing.T) {
connector := NewWithExecutor(&Config{}, testLogger(), newMockExecutor())
cfg := Config{
SiteName: "Default Web Site",
CertStore: "My",
Port: 99999,
}
rawConfig, _ := json.Marshal(cfg)
err := connector.ValidateConfig(context.Background(), rawConfig)
if err == nil {
t.Fatal("expected error for invalid port")
}
if !strings.Contains(err.Error(), "port") {
t.Errorf("expected error about port, got: %v", err)
}
}
func TestIISConnector_ValidateConfig_InvalidIPAddress(t *testing.T) {
connector := NewWithExecutor(&Config{}, testLogger(), newMockExecutor())
cfg := Config{
SiteName: "Default Web Site",
CertStore: "My",
IPAddress: "not_an_ip",
}
rawConfig, _ := json.Marshal(cfg)
err := connector.ValidateConfig(context.Background(), rawConfig)
if err == nil {
t.Fatal("expected error for invalid IP address")
}
if !strings.Contains(err.Error(), "ip_address") {
t.Errorf("expected error about ip_address, got: %v", err)
}
}
func TestIISConnector_ValidateConfig_DefaultValues(t *testing.T) {
// Test that defaults are applied (port 443, IP *)
executor := newMockExecutor()
executor.responses["Get-Website"] = mockResponse{output: "TestSite\n", err: nil}
executor.responses["Test-Path"] = mockResponse{output: "True\n", err: nil}
cfg := Config{
SiteName: "TestSite",
CertStore: "WebHosting",
// Port and IPAddress intentionally left empty
}
connector := NewWithExecutor(&cfg, testLogger(), executor)
rawConfig, _ := json.Marshal(cfg)
err := connector.ValidateConfig(context.Background(), rawConfig)
if err != nil {
if strings.Contains(err.Error(), "powershell.exe not found") {
t.Skip("Skipping: powershell.exe not available (non-Windows)")
}
t.Fatalf("ValidateConfig failed: %v", err)
}
// Verify defaults were applied
if connector.config.Port != 443 {
t.Errorf("expected default port 443, got %d", connector.config.Port)
}
if connector.config.IPAddress != "*" {
t.Errorf("expected default IP '*', got %s", connector.config.IPAddress)
}
}
// --- DeployCertificate tests ---
// generateTestCertAndKey creates a self-signed ECDSA P-256 cert+key for testing.
func generateTestCertAndKey() (certPEM, keyPEM, chainPEM string, err error) {
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return "", "", "", err
}
template := &x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{
CommonName: "test.example.com",
},
NotBefore: time.Now(),
NotAfter: time.Now().Add(24 * time.Hour),
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
BasicConstraintsValid: true,
DNSNames: []string{"test.example.com"},
}
certDER, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
if err != nil {
return "", "", "", err
}
certPEMStr := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}))
keyDER, err := x509.MarshalECPrivateKey(key)
if err != nil {
return "", "", "", err
}
keyPEMStr := string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}))
// Use the self-signed cert as its own "chain" for testing
chainPEMStr := certPEMStr
return certPEMStr, keyPEMStr, chainPEMStr, nil
}
func TestIISConnector_DeployCertificate_Success(t *testing.T) {
certPEM, keyPEM, chainPEM, err := generateTestCertAndKey()
if err != nil {
t.Fatalf("failed to generate test cert: %v", err)
}
executor := newMockExecutor()
executor.defaultOutput = "OK"
cfg := &Config{
Hostname: "web01.example.com",
SiteName: "Default Web Site",
CertStore: "My",
Port: 443,
IPAddress: "*",
}
connector := NewWithExecutor(cfg, testLogger(), executor)
result, err := connector.DeployCertificate(context.Background(), target.DeploymentRequest{
CertPEM: certPEM,
KeyPEM: keyPEM,
ChainPEM: chainPEM,
})
if err != nil {
t.Fatalf("DeployCertificate failed: %v", err)
}
if !result.Success {
t.Fatalf("expected success, got: %s", result.Message)
}
// Verify thumbprint is in metadata
if result.Metadata["thumbprint"] == "" {
t.Error("expected thumbprint in metadata")
}
// SHA-1 thumbprint = 40 hex chars uppercase
if len(result.Metadata["thumbprint"]) != 40 {
t.Errorf("expected 40-char thumbprint, got %d", len(result.Metadata["thumbprint"]))
}
// Verify both import and binding scripts were executed
if len(executor.commands) != 2 {
t.Errorf("expected 2 PowerShell commands, got %d", len(executor.commands))
}
// First command should be PFX import
if len(executor.commands) > 0 && !strings.Contains(executor.commands[0], "Import-PfxCertificate") {
t.Errorf("expected Import-PfxCertificate in first command, got: %s", executor.commands[0])
}
// Second command should be binding update
if len(executor.commands) > 1 && !strings.Contains(executor.commands[1], "New-WebBinding") {
t.Errorf("expected New-WebBinding in second command, got: %s", executor.commands[1])
}
// Verify metadata
if result.Metadata["site_name"] != "Default Web Site" {
t.Errorf("expected site_name in metadata")
}
if result.Metadata["cert_store"] != "My" {
t.Errorf("expected cert_store in metadata")
}
if _, ok := result.Metadata["duration_ms"]; !ok {
t.Error("expected duration_ms in metadata")
}
}
func TestIISConnector_DeployCertificate_MissingKeyPEM(t *testing.T) {
certPEM, _, chainPEM, err := generateTestCertAndKey()
if err != nil {
t.Fatalf("failed to generate test cert: %v", err)
}
connector := NewWithExecutor(&Config{
SiteName: "Default Web Site",
CertStore: "My",
}, testLogger(), newMockExecutor())
result, err := connector.DeployCertificate(context.Background(), target.DeploymentRequest{
CertPEM: certPEM,
KeyPEM: "", // Missing key
ChainPEM: chainPEM,
})
if err == nil {
t.Fatal("expected error for missing KeyPEM")
}
if result.Success {
t.Fatal("expected failure result")
}
if !strings.Contains(err.Error(), "private key") {
t.Errorf("expected error about private key, got: %v", err)
}
}
func TestIISConnector_DeployCertificate_InvalidCertPEM(t *testing.T) {
_, keyPEM, _, err := generateTestCertAndKey()
if err != nil {
t.Fatalf("failed to generate test key: %v", err)
}
connector := NewWithExecutor(&Config{
SiteName: "Default Web Site",
CertStore: "My",
}, testLogger(), newMockExecutor())
result, err := connector.DeployCertificate(context.Background(), target.DeploymentRequest{
CertPEM: "not a valid cert",
KeyPEM: keyPEM,
ChainPEM: "",
})
if err == nil {
t.Fatal("expected error for invalid cert PEM")
}
if result.Success {
t.Fatal("expected failure result")
}
}
func TestIISConnector_DeployCertificate_InvalidKeyPEM(t *testing.T) {
certPEM, _, _, err := generateTestCertAndKey()
if err != nil {
t.Fatalf("failed to generate test cert: %v", err)
}
connector := NewWithExecutor(&Config{
SiteName: "Default Web Site",
CertStore: "My",
}, testLogger(), newMockExecutor())
result, err := connector.DeployCertificate(context.Background(), target.DeploymentRequest{
CertPEM: certPEM,
KeyPEM: "not a valid key",
ChainPEM: "",
})
if err == nil {
t.Fatal("expected error for invalid key PEM")
}
if result.Success {
t.Fatal("expected failure result")
}
}
func TestIISConnector_DeployCertificate_ImportFails(t *testing.T) {
certPEM, keyPEM, chainPEM, err := generateTestCertAndKey()
if err != nil {
t.Fatalf("failed to generate test cert: %v", err)
}
executor := newMockExecutor()
executor.responses["Import-PfxCertificate"] = mockResponse{
output: "Access denied",
err: fmt.Errorf("exit status 1"),
}
connector := NewWithExecutor(&Config{
SiteName: "Default Web Site",
CertStore: "My",
}, testLogger(), executor)
result, err := connector.DeployCertificate(context.Background(), target.DeploymentRequest{
CertPEM: certPEM,
KeyPEM: keyPEM,
ChainPEM: chainPEM,
})
if err == nil {
t.Fatal("expected error when PFX import fails")
}
if result.Success {
t.Fatal("expected failure result")
}
if !strings.Contains(err.Error(), "PFX import failed") {
t.Errorf("expected 'PFX import failed' in error, got: %v", err)
}
}
func TestIISConnector_DeployCertificate_BindingFails(t *testing.T) {
certPEM, keyPEM, chainPEM, err := generateTestCertAndKey()
if err != nil {
t.Fatalf("failed to generate test cert: %v", err)
}
executor := newMockExecutor()
// Import succeeds
executor.responses["Import-PfxCertificate"] = mockResponse{output: "OK", err: nil}
// Binding fails
executor.responses["New-WebBinding"] = mockResponse{
output: "The website 'Default Web Site' already has a binding",
err: fmt.Errorf("exit status 1"),
}
connector := NewWithExecutor(&Config{
Hostname: "web01",
SiteName: "Default Web Site",
CertStore: "My",
Port: 443,
}, testLogger(), executor)
result, err := connector.DeployCertificate(context.Background(), target.DeploymentRequest{
CertPEM: certPEM,
KeyPEM: keyPEM,
ChainPEM: chainPEM,
})
if err == nil {
t.Fatal("expected error when binding update fails")
}
if result.Success {
t.Fatal("expected failure result")
}
// Partial success: cert was imported but binding failed
if result.Metadata["import_success"] != "true" {
t.Error("expected import_success=true in metadata (cert imported but binding failed)")
}
if result.Metadata["thumbprint"] == "" {
t.Error("expected thumbprint in metadata even on binding failure")
}
}
func TestIISConnector_DeployCertificate_SNIEnabled(t *testing.T) {
certPEM, keyPEM, chainPEM, err := generateTestCertAndKey()
if err != nil {
t.Fatalf("failed to generate test cert: %v", err)
}
executor := newMockExecutor()
executor.defaultOutput = "OK"
connector := NewWithExecutor(&Config{
Hostname: "web01",
SiteName: "Default Web Site",
CertStore: "My",
Port: 443,
SNI: true,
BindingInfo: "test.example.com",
}, testLogger(), executor)
result, err := connector.DeployCertificate(context.Background(), target.DeploymentRequest{
CertPEM: certPEM,
KeyPEM: keyPEM,
ChainPEM: chainPEM,
})
if err != nil {
t.Fatalf("DeployCertificate failed: %v", err)
}
if !result.Success {
t.Fatalf("expected success, got: %s", result.Message)
}
// Verify SNI flag was passed in the binding script
if len(executor.commands) < 2 {
t.Fatal("expected at least 2 commands")
}
bindingCmd := executor.commands[1]
if !strings.Contains(bindingCmd, "-SslFlags 1") {
t.Errorf("expected -SslFlags 1 for SNI, got: %s", bindingCmd)
}
if result.Metadata["sni"] != "true" {
t.Error("expected sni=true in metadata")
}
}
// --- ValidateDeployment tests ---
func TestIISConnector_ValidateDeployment_Success(t *testing.T) {
executor := newMockExecutor()
executor.responses["Get-WebBinding"] = mockResponse{output: "ABC123DEF456\n", err: nil}
executor.responses["Get-ChildItem"] = mockResponse{output: "VALID\n", err: nil}
connector := NewWithExecutor(&Config{
Hostname: "web01",
SiteName: "Default Web Site",
CertStore: "My",
Port: 443,
}, testLogger(), executor)
result, err := connector.ValidateDeployment(context.Background(), target.ValidationRequest{
CertificateID: "mc-test",
Serial: "123456",
})
if err != nil {
t.Fatalf("ValidateDeployment failed: %v", err)
}
if !result.Valid {
t.Fatalf("expected valid deployment, got: %s", result.Message)
}
if result.Metadata["thumbprint"] != "ABC123DEF456" {
t.Errorf("expected thumbprint in metadata, got: %s", result.Metadata["thumbprint"])
}
if _, ok := result.Metadata["duration_ms"]; !ok {
t.Error("expected duration_ms in metadata")
}
}
func TestIISConnector_ValidateDeployment_NoBinding(t *testing.T) {
executor := newMockExecutor()
executor.responses["Get-WebBinding"] = mockResponse{output: "NO_BINDING\n", err: nil}
connector := NewWithExecutor(&Config{
Hostname: "web01",
SiteName: "TestSite",
CertStore: "My",
Port: 443,
}, testLogger(), executor)
result, err := connector.ValidateDeployment(context.Background(), target.ValidationRequest{
CertificateID: "mc-test",
Serial: "123456",
})
if err == nil {
t.Fatal("expected error when no binding found")
}
if result.Valid {
t.Fatal("expected invalid result")
}
if !strings.Contains(err.Error(), "no HTTPS binding found") {
t.Errorf("expected 'no HTTPS binding found' in error, got: %v", err)
}
}
func TestIISConnector_ValidateDeployment_CertNotInStore(t *testing.T) {
executor := newMockExecutor()
executor.responses["Get-WebBinding"] = mockResponse{output: "DEADBEEF1234\n", err: nil}
executor.responses["Get-ChildItem"] = mockResponse{output: "NOT_FOUND\n", err: nil}
connector := NewWithExecutor(&Config{
Hostname: "web01",
SiteName: "Default Web Site",
CertStore: "My",
Port: 443,
}, testLogger(), executor)
result, err := connector.ValidateDeployment(context.Background(), target.ValidationRequest{
CertificateID: "mc-test",
Serial: "123456",
})
if err == nil {
t.Fatal("expected error when cert not in store")
}
if result.Valid {
t.Fatal("expected invalid result")
}
if result.Metadata["status"] != "not_found" {
t.Errorf("expected status=not_found in metadata, got: %s", result.Metadata["status"])
}
}
func TestIISConnector_ValidateDeployment_CertExpired(t *testing.T) {
executor := newMockExecutor()
executor.responses["Get-WebBinding"] = mockResponse{output: "DEADBEEF1234\n", err: nil}
executor.responses["Get-ChildItem"] = mockResponse{output: "EXPIRED\n", err: nil}
connector := NewWithExecutor(&Config{
Hostname: "web01",
SiteName: "Default Web Site",
CertStore: "My",
Port: 443,
}, testLogger(), executor)
result, err := connector.ValidateDeployment(context.Background(), target.ValidationRequest{
CertificateID: "mc-test",
Serial: "123456",
})
if err == nil {
t.Fatal("expected error when cert is expired")
}
if result.Valid {
t.Fatal("expected invalid result")
}
if result.Metadata["status"] != "expired" {
t.Errorf("expected status=expired in metadata, got: %s", result.Metadata["status"])
}
}
func TestIISConnector_ValidateDeployment_QueryFails(t *testing.T) {
executor := newMockExecutor()
executor.responses["Get-WebBinding"] = mockResponse{
output: "Permission denied",
err: fmt.Errorf("exit status 1"),
}
connector := NewWithExecutor(&Config{
Hostname: "web01",
SiteName: "Default Web Site",
CertStore: "My",
Port: 443,
}, testLogger(), executor)
result, err := connector.ValidateDeployment(context.Background(), target.ValidationRequest{
CertificateID: "mc-test",
Serial: "123456",
})
if err == nil {
t.Fatal("expected error when query fails")
}
if result.Valid {
t.Fatal("expected invalid result")
}
}
// --- PFX conversion tests (pure Go crypto, runs on any OS) ---
func TestCreatePFX_Success(t *testing.T) {
certPEM, keyPEM, chainPEM, err := generateTestCertAndKey()
if err != nil {
t.Fatalf("failed to generate test cert: %v", err)
}
pfxData, err := createPFX(certPEM, keyPEM, chainPEM, "testpassword")
if err != nil {
t.Fatalf("createPFX failed: %v", err)
}
if len(pfxData) == 0 {
t.Fatal("expected non-empty PFX data")
}
// Verify PFX is parseable
_, _, _, err = pkcs12.DecodeChain(pfxData, "testpassword")
if err != nil {
t.Fatalf("PFX data is not valid PKCS#12: %v", err)
}
}
func TestCreatePFX_NoChain(t *testing.T) {
certPEM, keyPEM, _, err := generateTestCertAndKey()
if err != nil {
t.Fatalf("failed to generate test cert: %v", err)
}
pfxData, err := createPFX(certPEM, keyPEM, "", "testpassword")
if err != nil {
t.Fatalf("createPFX with no chain failed: %v", err)
}
if len(pfxData) == 0 {
t.Fatal("expected non-empty PFX data")
}
}
func TestCreatePFX_InvalidCert(t *testing.T) {
_, keyPEM, _, err := generateTestCertAndKey()
if err != nil {
t.Fatalf("failed to generate test key: %v", err)
}
_, err = createPFX("not a valid cert", keyPEM, "", "password")
if err == nil {
t.Fatal("expected error for invalid cert PEM")
}
}
func TestCreatePFX_InvalidKey(t *testing.T) {
certPEM, _, _, err := generateTestCertAndKey()
if err != nil {
t.Fatalf("failed to generate test cert: %v", err)
}
_, err = createPFX(certPEM, "not a valid key", "", "password")
if err == nil {
t.Fatal("expected error for invalid key PEM")
}
}
// --- Thumbprint tests ---
func TestComputeThumbprint_Success(t *testing.T) {
certPEM, _, _, err := generateTestCertAndKey()
if err != nil {
t.Fatalf("failed to generate test cert: %v", err)
}
thumbprint, err := computeThumbprint(certPEM)
if err != nil {
t.Fatalf("computeThumbprint failed: %v", err)
}
// SHA-1 = 20 bytes = 40 hex chars
if len(thumbprint) != 40 {
t.Errorf("expected 40-char thumbprint, got %d chars: %s", len(thumbprint), thumbprint)
}
// Should be uppercase hex
if thumbprint != strings.ToUpper(thumbprint) {
t.Errorf("thumbprint should be uppercase, got: %s", thumbprint)
}
}
func TestComputeThumbprint_InvalidPEM(t *testing.T) {
_, err := computeThumbprint("not a valid pem")
if err == nil {
t.Fatal("expected error for invalid PEM")
}
}
func TestComputeThumbprint_EmptyString(t *testing.T) {
_, err := computeThumbprint("")
if err == nil {
t.Fatal("expected error for empty string")
}
}
// --- Validation helper tests ---
func TestValidateIISName_Valid(t *testing.T) {
tests := []string{
"Default Web Site",
"My",
"WebHosting",
"site-01",
"my_site.prod",
"Test 123",
}
for _, name := range tests {
t.Run(name, func(t *testing.T) {
if err := validateIISName(name, "test_field"); err != nil {
t.Errorf("expected valid name %q, got error: %v", name, err)
}
})
}
}
func TestValidateIISName_Invalid(t *testing.T) {
tests := []struct {
name string
input string
}{
{"empty", ""},
{"semicolon", "My;Store"},
{"dollar", "My$Store"},
{"backtick", "My`Store"},
{"pipe", "My|Store"},
{"ampersand", "My&Store"},
{"parentheses", "My(Store)"},
{"quotes", `My"Store"`},
{"angle_brackets", "My<Store>"},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if err := validateIISName(tt.input, "test_field"); err == nil {
t.Errorf("expected error for name %q", tt.input)
}
})
}
}
func TestValidateIISName_TooLong(t *testing.T) {
longName := strings.Repeat("a", 257)
if err := validateIISName(longName, "test_field"); err == nil {
t.Fatal("expected error for name exceeding 256 chars")
}
}
// --- Random password generation ---
func TestGenerateRandomPassword(t *testing.T) {
pw, err := generateRandomPassword(32)
if err != nil {
t.Fatalf("generateRandomPassword failed: %v", err)
}
if len(pw) != 32 {
t.Errorf("expected 32-char password, got %d", len(pw))
}
// Verify it only contains allowed characters
for _, c := range pw {
if !((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')) {
t.Errorf("unexpected character in password: %c", c)
}
}
// Verify two passwords are different (probabilistic but reliable)
pw2, _ := generateRandomPassword(32)
if pw == pw2 {
t.Error("two generated passwords should be different")
}
}