Documentation
Overview
Package pki provides X.509 + PFX + CSR primitives used across certigo subcommands.
The pki package is deliberately narrow: parse/build certificates, read/write PFX blobs, generate RSA keys, and construct CSRs with arbitrary extensions (including UPN-in-SAN for AD CS enrollment). Higher-level features like certificate forging or Schannel TLS are in other packages.
Functions
func BuildCSR
func BuildCSR(key crypto.PrivateKey, req NewCSRRequest) ([]byte, error)
BuildCSR builds a DER-encoded PKCS#10 CertificateRequest signed with the provided private key.
If req contains UPNs, BuildCSR constructs a custom subjectAltName extension that bundles any DNSNames plus one otherName entry per UPN, and adds it via ExtraExtensions (rather than relying on x509.CertificateRequest.DNSNames) so that both names share a single SAN extension. If only DNSNames are supplied, the stdlib's native handling is used.
func EncodePEM
func EncodePEM(c *Certificate) ([]byte, error)
EncodePEM renders a Certificate as PEM. Order: leaf CERTIFICATE, PRIVATE KEY (PKCS#8), then any chain CERTIFICATE blocks. Either the cert or the key may be nil, but not both.
func GenerateRSAKey
func GenerateRSAKey(bits int) (*rsa.PrivateKey, error)
GenerateRSAKey returns a fresh RSA key. Valid sizes: 2048, 3072, 4096. 2048 is Certipy's default.
func SavePFX
func SavePFX(c *Certificate, password string) ([]byte, error)
SavePFX encodes a Certificate as a PFX/PKCS#12 blob. It uses go-pkcs12's Modern2023 encoder, which emits AES-256 + SHA-256 output compatible with current Windows/OpenSSL stacks. Impacket's pyOpenSSL-based reader also handles this format; if a target tool ever rejects it, swap to pkcs12.Legacy.Encode for RC2 + 3DES output.
Types
type Certificate
type Certificate struct {
	Cert  *x509.Certificate
	Key   crypto.PrivateKey
	Chain []*x509.Certificate
}
Certificate wraps an X.509 cert + matching private key. Key may be nil for public-only operations (e.g., parsing a cert chain). Chain holds any intermediate/root certs loaded alongside the primary cert.
func LoadPFX
func LoadPFX(data []byte, password string) (*Certificate, error)
LoadPFX decodes a PFX/PKCS#12 blob into a Certificate. Password may be "". The first certificate in the blob is the leaf; any additional certificates populate Chain.
func ParsePEM
func ParsePEM(data []byte) (*Certificate, error)
ParsePEM parses a PEM-encoded byte slice into a Certificate. It accepts any combination of CERTIFICATE blocks (leaf + chain) and a single private-key block in PKCS#1 ("RSA PRIVATE KEY"), PKCS#8 ("PRIVATE KEY"), or SEC1 ("EC PRIVATE KEY") form. Unknown block types (for example "DH PARAMETERS") are skipped silently. An error is returned only when no certificate and no key were found.
type NewCSRRequest
type NewCSRRequest struct {
	Subject            pkix.Name
	DNSNames           []string
	UPNs               []string // encoded as otherName 1.3.6.1.4.1.311.20.2.3
	ExtraExtensions    []pkix.Extension
	SignatureAlgorithm x509.SignatureAlgorithm
}
NewCSRRequest describes a certificate signing request to be produced by BuildCSR. DNSNames and UPNs are both emitted inside a single subjectAltName extension (OID 2.5.29.17).
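The single-SAN layout described for BuildCSR and NewCSRRequest is also what a defender has to decode when auditing issued certificates or CA request logs for UPN-bearing SANs. The Go code below is an added example, not part of the pki package: ParseSAN (a hypothetical helper) decodes a subjectAltName extension value into its dNSName and UPN otherName entries, and sampleSAN is a hand-assembled DER fixture with made-up names, constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/asn1"
)

// UPN otherName type-id (1.3.6.1.4.1.311.20.2.3), as documented for NewCSRRequest.UPNs above.
var oidUPN = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}

// sampleSAN is a constructed DER subjectAltName value (not taken from any real certificate).
var sampleSAN = bytes.Join([][]byte{
	{0x30, 0x37},                               // GeneralNames SEQUENCE, 55 content bytes
	{0x82, 0x11}, []byte("host.example.test"),  // [2] IMPLICIT dNSName, 17 bytes
	{0xA0, 0x22},                               // [0] IMPLICIT otherName, 34 content bytes
	{0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03}, // type-id OID
	{0xA0, 0x14},                               // [0] EXPLICIT value, 20 content bytes
	{0x0C, 0x12}, []byte("alice@example.test"), // UTF8String UPN, 18 bytes
}, nil)

// ParseSAN decodes a subjectAltName (OID 2.5.29.17) value into dNSNames and UPN otherNames; other forms are skipped.
func ParseSAN(der []byte) (dnsNames, upns []string, err error) {
	var names []asn1.RawValue // GeneralNames ::= SEQUENCE OF GeneralName (any tag)
	if rest, err := asn1.Unmarshal(der, &names); err != nil || len(rest) != 0 {
		return nil, nil, asn1.StructuralError{Msg: "subjectAltName is not a single GeneralNames SEQUENCE"}
	}
	for _, gn := range names {
		switch {
		case gn.Class != asn1.ClassContextSpecific:
			return nil, nil, asn1.StructuralError{Msg: "GeneralName with unexpected tag class"}
		case gn.Tag == 2: // dNSName is an IMPLICIT IA5String, so the content bytes are the name itself
			dnsNames = append(dnsNames, string(gn.Bytes))
		case gn.Tag == 0: // otherName is an IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
			var (
				on  struct{ TypeID asn1.ObjectIdentifier; Value asn1.RawValue }
				upn string
			)
			if _, err = asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err != nil {
				return nil, nil, err
			}
			if on.TypeID.Equal(oidUPN) { // Value is the [0] wrapper; its content is the UTF8String
				if _, err = asn1.Unmarshal(on.Value.Bytes, &upn); err != nil {
					return nil, nil, err
				}
				upns = append(upns, upn)
			}
		}
	}
	return dnsNames, upns, nil
}
```

Feeding ParseSAN the value of the extension with OID 2.5.29.17 from a parsed certificate or CSR flags any request that carries a UPN, which is the field worth comparing against the enrolling principal.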