certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-10 18:34:05 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	f2e60b93a3	feat(M11c): crypto policy enforcement — CSR validation, MaxTTL caps, key metadata Enforce certificate profile crypto constraints across all 5 issuance paths (renewal, agent CSR, EST, SCEP). ValidateCSRAgainstProfile() rejects CSRs with key algorithm/size that don't match profile rules. MaxTTL enforcement caps certificate validity per issuer connector (Local CA, Vault, step-ca enforce directly; ACME/DigiCert/Sectigo pass through). Key algorithm and size are now persisted in certificate_versions for audit compliance. 16 new tests (12 service-layer + 4 Local CA connector). Removes hardcoded version number from GUI sidebar. Documentation updated across architecture, features, connectors, and README. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-15 21:05:14 -04:00
shankar0123	648e2f7ab1	fix: use tagged switch statements to satisfy staticcheck QF1002 Convert `switch { case r.URL.Path == ... }` to `switch r.URL.Path { ... }` in Vault and DigiCert connector tests to pass golangci-lint CI. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-30 17:25:11 -04:00
shankar0123	6375909591	feat: add Vault PKI and DigiCert CertCentral issuer connectors (M32 + M37) Vault PKI: synchronous issuance via /v1/{mount}/sign/{role}, token auth, revocation, CA cert retrieval, 14 tests. DigiCert CertCentral: async order model (submit → poll → download), X-DC-DEVKEY auth, OV/EV support, PEM bundle parsing, 16 tests. Both conditionally registered based on env vars. Includes OpenAPI enum updates, seed data, connector docs, architecture docs, README badges, and testing guide sign-off (Parts 38 + 39, 12 automated smoke test assertions all passing). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-30 17:19:46 -04:00

Author

SHA1

Message

Date

shankar0123

f2e60b93a3

feat(M11c): crypto policy enforcement — CSR validation, MaxTTL caps, key metadata

Enforce certificate profile crypto constraints across all 5 issuance paths
(renewal, agent CSR, EST, SCEP). ValidateCSRAgainstProfile() rejects CSRs
with key algorithm/size that don't match profile rules. MaxTTL enforcement
caps certificate validity per issuer connector (Local CA, Vault, step-ca
enforce directly; ACME/DigiCert/Sectigo pass through). Key algorithm and
size are now persisted in certificate_versions for audit compliance.

16 new tests (12 service-layer + 4 Local CA connector). Removes hardcoded
version number from GUI sidebar. Documentation updated across architecture,
features, connectors, and README.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-04-15 21:05:14 -04:00

shankar0123

648e2f7ab1

fix: use tagged switch statements to satisfy staticcheck QF1002

Convert `switch { case r.URL.Path == ... }` to `switch r.URL.Path { ... }`
in Vault and DigiCert connector tests to pass golangci-lint CI.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-30 17:25:11 -04:00

shankar0123

6375909591

feat: add Vault PKI and DigiCert CertCentral issuer connectors (M32 + M37)

Vault PKI: synchronous issuance via /v1/{mount}/sign/{role}, token auth,
revocation, CA cert retrieval, 14 tests. DigiCert CertCentral: async order
model (submit → poll → download), X-DC-DEVKEY auth, OV/EV support, PEM
bundle parsing, 16 tests. Both conditionally registered based on env vars.
Includes OpenAPI enum updates, seed data, connector docs, architecture docs,
README badges, and testing guide sign-off (Parts 38 + 39, 12 automated
smoke test assertions all passing).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-30 17:19:46 -04:00

3 Commits