Moved loading CA's private key and certificate to global configuration loading process.

ca.go

@@ -64,9 +64,11 @@ type Certificates struct {
 	Certificates []CertificateDefinition `hcl:"certificate,block"`
 }
 
-// Global CA configurationa and state variables
+// Global CA configuration and state variables
 var CAState *_CAState
 var CAConfig *_CAConfig
+var CAKey *rsa.PrivateKey
+var CACert *x509.Certificate
 
 // LoadCA loads the CA config and sets the global CAConfig variable
 func LoadCA(path string) error {
@@ -89,12 +91,44 @@ func LoadCA(path string) error {
 	if err := config.Current.Validate(); err != nil {
 		return err
 	}
+
 	CAConfig = &config.Current
+	err := error(nil)
+
+	// Load CA key and certificate
+	caCertPath := filepath.Join(CAConfig.Paths.Certificates, "ca_cert.pem")
+	caKeyPath := filepath.Join(CAConfig.Paths.PrivateKeys, "ca_key.pem")
+
+	caCertPEM, err := os.ReadFile(caCertPath)
+	if err != nil {
+		return fmt.Errorf("error reading CA certificate file: %v", err)
+	}
+	caKeyPEM, err := os.ReadFile(caKeyPath)
+	if err != nil {
+		return fmt.Errorf("error reading CA key file: %v", err)
+	}
+
+	caCertBlock, _ := pem.Decode(caCertPEM)
+	if caCertBlock == nil {
+		return fmt.Errorf("failed to parse CA certificate PEM")
+	}
+	CACert, err = x509.ParseCertificate(caCertBlock.Bytes)
+	if err != nil {
+		return fmt.Errorf("failed to parse CA certificate: %v", err)
+	}
+	caKeyBlock, _ := pem.Decode(caKeyPEM)
+	if caKeyBlock == nil {
+		return fmt.Errorf("failed to parse CA key PEM")
+	}
+	CAKey, err = x509.ParsePKCS1PrivateKey(caKeyBlock.Bytes)
+	if err != nil {
+		return fmt.Errorf("failed to parse CA private key: %v", err)
+	}
+
 	// Derive caStatePath from caConfig label and config file path
 	caDir := filepath.Dir(path)
 	caLabel := config.Current.Label
 	caStatePath := filepath.Join(caDir, caLabel+"_state.json")
-	err := error(nil)
 	CAState, err = LoadCAState(caStatePath)
 	if err != nil && !os.IsNotExist(err) {
 		return fmt.Errorf("failed to load CA state: %w", err)
@@ -288,35 +322,6 @@ func issueSingleCertificate(def CertificateDefinition, overwrite, verbose bool)
 		def.SAN = append(def.SAN, "dns:"+def.Subject)
 	}
 
-	caCertPath := filepath.Join(CAConfig.Paths.Certificates, "ca_cert.pem")
-	caKeyPath := filepath.Join(CAConfig.Paths.PrivateKeys, "ca_key.pem")
-
-	caCertPEM, err := os.ReadFile(caCertPath)
-	if err != nil {
-		return fmt.Errorf("error reading CA certificate file: %v", err)
-	}
-	caKeyPEM, err := os.ReadFile(caKeyPath)
-	if err != nil {
-		return fmt.Errorf("error reading CA key file: %v", err)
-	}
-
-	caCertBlock, _ := pem.Decode(caCertPEM)
-	if caCertBlock == nil {
-		return fmt.Errorf("failed to parse CA certificate PEM")
-	}
-	caCert, err := x509.ParseCertificate(caCertBlock.Bytes)
-	if err != nil {
-		return fmt.Errorf("failed to parse CA certificate: %v", err)
-	}
-	caKeyBlock, _ := pem.Decode(caKeyPEM)
-	if caKeyBlock == nil {
-		return fmt.Errorf("failed to parse CA key PEM")
-	}
-	caKey, err := x509.ParsePKCS1PrivateKey(caKeyBlock.Bytes)
-	if err != nil {
-		return fmt.Errorf("failed to parse CA private key: %v", err)
-	}
-
 	priv, err := rsa.GenerateKey(rand.Reader, 4096)
 	if err != nil {
 		return fmt.Errorf("failed to generate private key: %v", err)
@@ -381,7 +386,7 @@ func issueSingleCertificate(def CertificateDefinition, overwrite, verbose bool)
 		return fmt.Errorf("unknown certificate type. Use one of: client, server, server-only, code-signing, email")
 	}
 
-	certDER, err := x509.CreateCertificate(rand.Reader, &certTmpl, caCert, &priv.PublicKey, caKey)
+	certDER, err := x509.CreateCertificate(rand.Reader, &certTmpl, CACert, &priv.PublicKey, CAKey)
 	if err != nil {
 		return fmt.Errorf("failed to create certificate: %v", err)
 	}