mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 20:11:31 +00:00
shankar0123
e2821c448a
Private keys never leave agent infrastructure. Agents generate ECDSA P-256 key pairs locally, store them with 0600 permissions, and submit only the CSR (public key) to the control plane. New AwaitingCSR job state pauses renewal/issuance jobs until the agent submits its CSR. Server-side keygen retained behind CERTCTL_KEYGEN_MODE=server for demo/development. Key changes: - Dual keygen mode via CERTCTL_KEYGEN_MODE (agent default, server for demo) - AwaitingCSR job state with CommonName/SANs in work response - Agent ECDSA P-256 keygen, local key storage, CSR-only submission - CompleteAgentCSRRenewal server-side flow for agent-submitted CSRs - DeploymentRequest.KeyPEM for agent-provided keys during deployment - Dockerfile.agent creates /var/lib/certctl/keys with correct ownership Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
60 lines
2.4 KiB
Go
60 lines
2.4 KiB
Go
package target
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"time"
|
|
)
|
|
|
|
// Connector defines the interface for certificate deployment operations.
|
|
type Connector interface {
|
|
// ValidateConfig validates the deployment target configuration.
|
|
ValidateConfig(ctx context.Context, config json.RawMessage) error
|
|
|
|
// DeployCertificate deploys a certificate to the target.
|
|
// The request contains the certificate and chain in PEM format, but never a private key.
|
|
DeployCertificate(ctx context.Context, request DeploymentRequest) (*DeploymentResult, error)
|
|
|
|
// ValidateDeployment verifies that a deployed certificate is valid and accessible.
|
|
ValidateDeployment(ctx context.Context, request ValidationRequest) (*ValidationResult, error)
|
|
}
|
|
|
|
// DeploymentRequest contains the parameters for deploying a certificate to a target.
|
|
// In agent keygen mode, KeyPEM is populated from the agent's local key store.
|
|
// In server keygen mode (demo only), KeyPEM may be empty if the key was embedded in the cert version.
|
|
type DeploymentRequest struct {
|
|
CertPEM string `json:"cert_pem"`
|
|
KeyPEM string `json:"key_pem,omitempty"`
|
|
ChainPEM string `json:"chain_pem"`
|
|
TargetConfig json.RawMessage `json:"target_config"`
|
|
Metadata map[string]string `json:"metadata,omitempty"`
|
|
}
|
|
|
|
// DeploymentResult contains the result of a successful certificate deployment.
|
|
type DeploymentResult struct {
|
|
Success bool `json:"success"`
|
|
TargetAddress string `json:"target_address"`
|
|
DeploymentID string `json:"deployment_id"`
|
|
Message string `json:"message"`
|
|
DeployedAt time.Time `json:"deployed_at"`
|
|
Metadata map[string]string `json:"metadata,omitempty"`
|
|
}
|
|
|
|
// ValidationRequest contains the parameters for validating a deployed certificate.
|
|
type ValidationRequest struct {
|
|
CertificateID string `json:"certificate_id"`
|
|
Serial string `json:"serial"`
|
|
TargetConfig json.RawMessage `json:"target_config"`
|
|
Metadata map[string]string `json:"metadata,omitempty"`
|
|
}
|
|
|
|
// ValidationResult contains the result of a certificate validation check.
|
|
type ValidationResult struct {
|
|
Valid bool `json:"valid"`
|
|
Serial string `json:"serial"`
|
|
TargetAddress string `json:"target_address"`
|
|
Message string `json:"message"`
|
|
ValidatedAt time.Time `json:"validated_at"`
|
|
Metadata map[string]string `json:"metadata,omitempty"`
|
|
}
|