Documentation

Overview
Package tlsutils provides TLS certificate loading and secure configuration utilities. Supports multiple certificate sources (file, Vault, Let's Encrypt), private key formats (PKCS#8, PKCS#1, SEC1), and enforces modern TLS 1.2+ defaults.
Example:

    cert, _ := tlsutils.LoadFromFile("server.key", "server.crt", "password") // error handling elided for brevity
    config := tlsutils.DefaultTLSConfig()
    config.Certificates = []tls.Certificate{*cert}
    caPool, _ := tlsutils.BuildCAPool(true, "custom-ca.crt")
    // RootCAs is consulted when this config verifies a peer as a client;
    // a server that verifies client certificates sets ClientCAs instead.
    config.RootCAs = caPool
Index
- func BuildCAPool(system bool, caPath ...string) (*x509.CertPool, error)
- func CloneCertificateWithOCSPStaple(cert *tls.Certificate, ocspStaple []byte) *tls.Certificate
- func DefaultClientTLSConfig(serverName string) *tls.Config
- func DefaultTLSConfig() *tls.Config
- func LoadFromConcatenatedFile(certKeyFilePath, keyPassword string) (*tls.Certificate, error)
- func LoadFromFile(keyPath, certPath, keyPassword string) (*tls.Certificate, error)
- type OCSPStapler
Constants

This section is empty.

Variables

This section is empty.

Functions

func BuildCAPool

    func BuildCAPool(system bool, caPath ...string) (*x509.CertPool, error)
BuildCAPool builds a certificate pool from CA certificate files. If system is true, the pool starts with the system's certificate pool; the CA certificates read from the caPath files are then appended to it. Returns nil if no valid certificates are found.
Example:

    pool, err := tlsutils.BuildCAPool(true, "ca1.crt", "ca2.crt")
    if err != nil {
        log.Fatal(err)
    }
    config.RootCAs = pool
func CloneCertificateWithOCSPStaple

    func CloneCertificateWithOCSPStaple(cert *tls.Certificate, ocspStaple []byte) *tls.Certificate
CloneCertificateWithOCSPStaple creates a copy of the certificate with the provided OCSP staple. This is useful when updating OCSP responses without modifying the original certificate.
func DefaultClientTLSConfig

    func DefaultClientTLSConfig(serverName string) *tls.Config
DefaultClientTLSConfig returns a secure default TLS configuration for client connections. The configuration enforces TLS 1.2+ and sets the server name for certificate validation. The serverName parameter is used for SNI and certificate verification.
Example:

    config := tlsutils.DefaultClientTLSConfig("example.com")
    conn, err := tls.Dial("tcp", "example.com:443", config)
    if err != nil { log.Fatal(err) }
    defer conn.Close()
func DefaultTLSConfig

    func DefaultTLSConfig() *tls.Config
DefaultTLSConfig returns a secure default TLS configuration. The configuration enforces TLS 1.2+ and uses modern cipher suites. Suitable for most server applications requiring secure connections.
Example:

    config := tlsutils.DefaultTLSConfig()
    config.Certificates = []tls.Certificate{cert} // cert is a tls.Certificate value; dereference a *tls.Certificate returned by LoadFromFile
    server := &http.Server{TLSConfig: config}
func LoadFromConcatenatedFile

    func LoadFromConcatenatedFile(certKeyFilePath, keyPassword string) (*tls.Certificate, error)
LoadFromConcatenatedFile loads a certificate and private key from a single file. The file should contain both the certificate and private key in PEM format. The keyPassword parameter is required for encrypted private keys.
Example:

    cert, err := tlsutils.LoadFromConcatenatedFile("server.pem", "password")
    if err != nil {
        log.Fatal(err)
    }
func LoadFromFile

    func LoadFromFile(keyPath, certPath, keyPassword string) (*tls.Certificate, error)
LoadFromFile loads a certificate and private key from separate files. Supports multiple private key formats including PKCS#8, PKCS#1 (RSA), SEC1 (EC), and legacy-encrypted PEM formats. The keyPassword parameter is required for encrypted private keys and ignored for unencrypted keys.
Example:

    cert, err := tlsutils.LoadFromFile("server.key", "server.crt", "password")
    if err != nil {
        log.Fatal(err)
    }
Types

type OCSPStapler

    type OCSPStapler interface {
        // GetOCSPStaple returns the OCSP staple for the given certificate.
        // The context controls the HTTP request timeout and cancellation.
        GetOCSPStaple(ctx context.Context, cert *tls.Certificate) ([]byte, error)

        // RunRefreshAll refreshes all OCSP responses in the cache that need it.
        // This method is designed to be called periodically via an external scheduler.
        RunRefreshAll(ctx context.Context) error
    }
OCSPStapler defines the interface for OCSP stapling functionality. OCSP stapling improves TLS handshake performance by including certificate revocation status in the TLS handshake, reducing client-side OCSP requests.
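The copy-on-update pattern behind CloneCertificateWithOCSPStaple and a periodic OCSPStapler refresh, shown with the standard library only. This is an added illustration, not tlsutils code: cloneWithStaple, stapledCert and the placeholder byte strings are assumptions; the point is that a refreshed staple is published by swapping a pointer to a new copy, so a handshake already holding the old *tls.Certificate never observes a half-updated value.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sync/atomic"
)

// cloneWithStaple returns a shallow copy of cert carrying staple as its OCSP
// response. The original is never written to. Assumed stand-in for the
// package's CloneCertificateWithOCSPStaple, not its source.
func cloneWithStaple(cert *tls.Certificate, staple []byte) *tls.Certificate {
	c := *cert                                    // struct copy; chain slices still share backing arrays
	c.OCSPStaple = append([]byte(nil), staple...) // own the staple bytes so the caller's buffer can be reused
	return &c
}

// stapledCert publishes the current certificate+staple pair through an atomic
// pointer, so GetCertificate needs no lock while a refresher swaps in new responses.
type stapledCert struct {
	current atomic.Pointer[tls.Certificate]
}

func newStapledCert(cert *tls.Certificate) *stapledCert {
	s := &stapledCert{}
	s.current.Store(cert)
	return s
}

// Update installs a fresh staple by replacing the pointer, never by mutating the certificate previously served.
func (s *stapledCert) Update(staple []byte) {
	s.current.Store(cloneWithStaple(s.current.Load(), staple))
}

// GetCertificate matches the tls.Config.GetCertificate signature.
func (s *stapledCert) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return s.current.Load(), nil
}

func main() {
	// Constructed placeholder bytes stand in for a real DER leaf and OCSP response.
	orig := &tls.Certificate{Certificate: [][]byte{[]byte("constructed-leaf-der")}}
	s := newStapledCert(orig)
	s.Update([]byte("constructed-ocsp-response"))
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, GetCertificate: s.GetCertificate}
	cur, _ := cfg.GetCertificate(nil)
	fmt.Printf("original staple=%q served staple=%q\n", orig.OCSPStaple, cur.OCSPStaple)
}
```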
Directories

| Path | Synopsis |
|---|---|
| | Package factory provides configuration-based creation of TLS configurations and providers. |
| | Package ocsp provides OCSP stapling for TLS certificates with caching and compression. |
| | Package tlsproviders defines interfaces for TLS certificate providers. |
| file | Package tlsfile provides file-based TLS certificate provider with optional automatic reloading. |
| le | Package tlsle provides Let's Encrypt TLS certificate provider using HTTP-01 ACME challenges. |
| vault | Package tlsvault provides HashiCorp Vault-based TLS certificate provider. |