| 101 | |
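// Issue issues a certificate to satisfy the CSR.
//
// The certificate is signed by the configured CA, using either its root or the
// first certificate of its intermediate chain as the issuer, depending on
// iss.SignWithRoot. The requested lifetime (iss.Lifetime) is clamped so that the
// issued certificate never outlives its issuer; if the issuer itself has already
// expired, an error is returned instead of signing an already-expired
// certificate. A CA with no usable signing certificate is also reported as an
// error rather than dereferenced.
//
// The returned IssuedCertificate holds every certificate that SignWithContext
// returned, PEM-encoded and concatenated in that order.
func (iss InternalIssuer) Issue(ctx context.Context, csr *x509.CertificateRequest) (*certmagic.IssuedCertificate, error) {
	// prepare the signing authority
	authCfg := caddypki.AuthorityConfig{
		SignWithRoot: iss.SignWithRoot,
	}
	auth, err := iss.ca.NewAuthority(authCfg)
	if err != nil {
		return nil, err
	}

	// get the cert (public key) that will be used for signing
	var issuerCert *x509.Certificate
	if iss.SignWithRoot {
		issuerCert = iss.ca.RootCertificate()
	} else {
		// an empty chain must not index chain[0]
		if chain := iss.ca.IntermediateCertificateChain(); len(chain) > 0 {
			issuerCert = chain[0]
		}
	}
	if issuerCert == nil {
		// no signing certificate to read NotAfter from; reuse the stdlib
		// x509 error type so no additional import is needed here
		return nil, x509.CertificateInvalidError{
			Reason: x509.NotAuthorizedToSign,
			Detail: "no issuer certificate available for signing",
		}
	}

	// ensure issued certificate does not expire later than its issuer
	now := time.Now()
	lifetime := time.Duration(iss.Lifetime)
	if now.Add(lifetime).After(issuerCert.NotAfter) {
		lifetime = issuerCert.NotAfter.Sub(now)
		// a clamped lifetime of zero or less means the issuer has already
		// expired; refuse rather than sign a certificate that is born dead
		if lifetime <= 0 {
			return nil, x509.CertificateInvalidError{
				Cert:   issuerCert,
				Reason: x509.Expired,
				Detail: "issuer certificate expired at " + issuerCert.NotAfter.String(),
			}
		}
		iss.logger.Warn("cert lifetime would exceed issuer NotAfter, clamping lifetime",
			zap.Duration("orig_lifetime", time.Duration(iss.Lifetime)),
			zap.Duration("lifetime", lifetime),
			zap.Time("not_after", issuerCert.NotAfter),
		)
	}

	certChain, err := auth.SignWithContext(ctx, csr, provisioner.SignOptions{}, customCertLifetime(caddy.Duration(lifetime)))
	if err != nil {
		return nil, err
	}

	// PEM-encode the whole chain into a single buffer
	var buf bytes.Buffer
	for _, cert := range certChain {
		if err := pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}); err != nil {
			return nil, err
		}
	}

	return &certmagic.IssuedCertificate{
		Certificate: buf.Bytes(),
	}, nil
}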
| 150 | |
| 151 | // UnmarshalCaddyfile deserializes Caddyfile tokens into iss. |
| 152 | // |