/go-pki

Simple TLS PKI Library with embedded database

Primary LanguageGoGNU General Public License v2.0GPL-2.0

GoDoc

TL;DR

This is an opinionated single-file OpenVPN TLS certificate library. It has no dependencies on any other external tool such as openssl.

Features

  • Uses a single boltdb instance to store the certificates and keys.
  • All data strored in the database is encrypted with keys derived from a user supplied CA passphrase.
  • Support for issuing & revoking:
    • Server Certs (optionally signed by intermediate CAs)
    • Client Certs (optionally signed by intermediate CAs)
    • Intermediate CA certs (optionally signed by other intermediate CAs)
  • Flexible CRL generation
  • The certificates and keys are opinionated:
    • All CA cert private keys are Secp521r1
    • Client & Servers cert private keys are Secp256k1
    • "SSL-Server" attribute set on server certificates (nsCertType)
    • "SSL-Client" attribute set on client certificates (nsCertType)
    • ECDSA with SHA512 is used as the signature algorithm of encryption to thwart DoS attacks.

Who uses this?

Two tools use this:

  • ovpn-tool - an opnionated PKI and OpenVPN Configuration manager
  • certik - an example CLI program that uses this library

How to use this?

You will need a fairly recent golang toolchain (>1.10). go-pki is modules ready. You just import the code in your project as:

    import (
        "github.com/opencoff/go-pki"
    )