closes #1869
Summary
Currently, there is no standard method for creating cert chains for Fulcio or TSA. The community has used an assortment of open source scripts/tools, but I thought it would be nice to have a small cloud-agnostic Go app to create/sign (via awskms, cloudkms, or azurekms) certificates. The smallstep crypto library is fairly comprehensive in its KMS/cert capabilities.
This will focus on ExtKeyUsage / CodeSigning.
@haydentherapper / @bobcallaway gave the go-ahead in proceeding with this work.
Release Note
Documentation
Overview
This tool creates root and leaf certificates for:
Requirements
Local Development
Clone and build the project locally:
Usage
The tool can be configured using either command-line flags or environment variables.
Command-Line Interface
Available flags:
--kms-type: KMS provider type (awskms, cloudkms, azurekms)
--kms-region: KMS region (required for AWS KMS)
--root-key-id: KMS key identifier for root certificate
--leaf-key-id: KMS key identifier for leaf certificate
--kms-tenant-id: Azure KMS tenant ID
--kms-credentials-file: Path to credentials file (for Google Cloud KMS)
--root-template: Path to root certificate template
--leaf-template: Path to leaf certificate template
--root-cert: Output path for root certificate (default: root.pem)
--leaf-cert: Output path for leaf certificate (default: leaf.pem)
Environment Variables
KMS_TYPE: KMS provider type ("awskms", "cloudkms", "azurekms")
KMS_REGION: Region (required for AWS KMS, defaults to us-east-1)
ROOT_KEY_ID: Key identifier for root certificate
LEAF_KEY_ID: Key identifier for leaf certificate
KMS_VAULT_NAME: Azure Key Vault name
KMS_TENANT_ID: Azure tenant ID
KMS_CREDENTIALS_FILE: Path to credentials file (for Google Cloud KMS)
Provider-Specific Configuration Examples
AWS KMS
Google Cloud KMS
Azure KMS
Example Certificate Outputs
Fulcio Root CA Certificate
Fulcio Leaf Certificate
Running the Tool
Example with AWS KMS:
Example with Azure KMS:
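The chain the Summary and Overview describe, as an added example that is not the PR's or the tool's code: a self-signed root CA and a leaf limited to the CodeSigning ExtKeyUsage, built with the Go standard library, plus the check a consumer of root.pem and leaf.pem should run on the output. The example assumes the KMS key is reachable as a crypto.Signer (NewSigner is a hypothetical in-memory stand-in), and the subject names and validity periods are constructed.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewSigner is a hypothetical in-memory stand-in for a KMS key; KMS signers also satisfy crypto.Signer.
func NewSigner() crypto.Signer {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// issue signs tmpl with signer on behalf of parent (self-signed when parent == tmpl) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub crypto.PublicKey, signer crypto.Signer) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain: self-signed root CA plus a leaf whose only EKU is CodeSigning, both signed by rootKey (names and validity constructed).
func BuildChain(rootKey, leafKey crypto.Signer) (root, leaf *x509.Certificate, err error) {
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	if root, err = issue(rootTmpl, rootTmpl, rootKey.Public(), rootKey); err != nil {
		return nil, nil, err
	}
	leaf, err = issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Leaf"},
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}, root, leafKey.Public(), rootKey)
	return root, leaf, err
}

// VerifyCodeSigningChain checks that leaf chains to root and is valid for the CodeSigning EKU.
func VerifyCodeSigningChain(root, leaf *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}
```

Swapping NewSigner for a KMS-backed crypto.Signer is the only change needed to keep the root private key out of the process, which is the property the tool relies on.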