Updated documentation.
This commit is contained in:
52
README.md
52
README.md
@@ -23,10 +23,14 @@ The tool is designed to be used from the command line. It has a simple command s
|
||||
lab-ca <command> [options]
|
||||
```
|
||||
|
||||
There are two commands available:
|
||||
The main commands available are:
|
||||
|
||||
- `initca` - initialize a new CA - this command creates a new CA and a self-signed CA certificate.
|
||||
- `issue` - issue a new certificate - this command creates a new certificate signed by the CA.
|
||||
- `initca` — Initialize a new CA and create a self-signed CA certificate.
|
||||
- `issue` — Issue a new certificate signed by the CA.
|
||||
- `provision` — Provision multiple certificates from a batch file (HCL) in one go.
|
||||
- `revoke` — Revoke a certificate by name or serial number.
|
||||
- `crl` — Generate a Certificate Revocation List (CRL) from revoked certificates.
|
||||
- `version` — Show version information for the tool.
|
||||
|
||||
Run the command with `-h` or `--help` or without any arguments to see the usage information. Each command has its own set of options, arguments, and a help message.
|
||||
|
||||
@@ -70,35 +74,47 @@ The `paths` block defines where the command will store the generated certificate
|
||||
|
||||
> **NOTE:** The command does not encrypt private keys. It is not designed to be used in a production environment.
|
||||
|
||||
## Certificate Issuance
|
||||
## Certificate Issuance and Provisioning
|
||||
|
||||
To issue a new certificate, you can use the `issue` command and specify the certificate definition on the command line, or use batch mode and provide a file with certificate definitions.
|
||||
To issue a new certificate, you can use the `issue` command and specify the certificate definition on the command line, or use the `provision` command to provide a file with multiple certificate definitions for batch processing.
|
||||
|
||||
The definition file also uses HCL syntax. Here is an example of a certificate definition:
|
||||
The definition file also uses HCL syntax. Here is an example of a certificate definition file:
|
||||
|
||||
```hcl
|
||||
defaults {
|
||||
subject = "{{ .Name }}.example.com"
|
||||
type = "server"
|
||||
subject = "{{ .Name }}.example.org"
|
||||
type = "server"
|
||||
validity = "1y"
|
||||
san = ["DNS:{{ .Name }}.example.com"]
|
||||
san = ["DNS:{{ .Name }}.example.org"]
|
||||
}
|
||||
|
||||
certificate "grafana" {
|
||||
# from default: subject = "{{ .Name }}.example.com" # result: grafana.example.com
|
||||
# from default: type = "server"
|
||||
# from default: validity = "1y"
|
||||
# from default: san = ["DNS:{{ .Name }}.example.com"] # result: [ "DNS:grafana.example.com" ]
|
||||
variables = {
|
||||
Domain = "example.net"
|
||||
Country = "EX"
|
||||
}
|
||||
|
||||
certificate "loki" {
|
||||
subject = "{{ .Name }}.example.net" # result: loki.example.net
|
||||
certificate "service1" {
|
||||
# from default: subject = "{{ .Name }}.example.org"
|
||||
# from default: type = "server"
|
||||
# from default: validity = "1y"
|
||||
san = ["DNS:{{ .Name }}.example.net"] # result: [ "DNS:loki.example.net" ]
|
||||
# from default: san = ["DNS:{{ .Name }}.example.org"]
|
||||
}
|
||||
|
||||
certificate "service2" {
|
||||
subject = "{{ .Name }}.example.net"
|
||||
# from default: type = "server"
|
||||
# from default: validity = "1y"
|
||||
san = ["DNS:{{ .Name }}.example.net"]
|
||||
}
|
||||
|
||||
certificate "service3" {}
|
||||
|
||||
certificate "service4" {
|
||||
subject = "{{ .Name }}.{{ .Domain }}"
|
||||
san = ["DNS:{{ .Name }}.{{ .Domain }}"]
|
||||
}
|
||||
```
|
||||
|
||||
Values specified in the `defaults` block will be used for all certificates unless overridden in individual certificate definitions. Go-style template syntax is also supported, so you can use `{{ .Name }}` to refer to the certificate name.
|
||||
Values specified in the `defaults` block will be used for all certificates unless overridden in individual certificate definitions. Go-style template syntax is also supported, so you can use `{{ .Name }}` to refer to the certificate name, and variables from the `variables` map can be used in templates as well.
|
||||
|
||||
You can use DNS or IP SANs for server certificates (`server` and `server-only`), and email SANs for email certificates (`email`). The command will check if the SAN is valid based on the type of certificate.
|
||||
|
||||
9
main.go
9
main.go
@@ -200,7 +200,8 @@ func main() {
|
||||
}
|
||||
|
||||
func printMainHelp() {
|
||||
fmt.Println("lab-ca - Certificate Authority Utility")
|
||||
fmt.Printf("lab-ca - Certificate Authority Utility\n")
|
||||
fmt.Printf("Version: %s\n", Version)
|
||||
fmt.Println()
|
||||
fmt.Println("Usage:")
|
||||
fmt.Println(" lab-ca <command> [options]")
|
||||
@@ -208,10 +209,10 @@ func printMainHelp() {
|
||||
fmt.Println("Available commands:")
|
||||
fmt.Println(" initca Generate a new CA certificate and key")
|
||||
fmt.Println(" issue Issue a new certificate")
|
||||
fmt.Println(" version Show version information")
|
||||
fmt.Println(" crl Generate a Certificate Revocation List (CRL)")
|
||||
fmt.Println(" provision Provision certificates from a batch file (HCL)")
|
||||
fmt.Println(" revoke Revoke a certificate by name or serial number")
|
||||
fmt.Println(" provision Provision certificates from a batch file (HCL)")
|
||||
fmt.Println(" crl Generate a Certificate Revocation List (CRL)")
|
||||
fmt.Println(" version Show version information")
|
||||
fmt.Println()
|
||||
fmt.Println("Use 'lab-ca <command> --help' for more information about a command.")
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user