Relies on [x509util](https://pkg.go.dev/go.step.sm/crypto/x509util) which builds X.509 certificates from JSON templates.
8
+
Relies on [x509util](https://pkg.go.dev/go.step.sm/crypto/x509util) which builds X.509 certificates from JSON templates. The tool includes embedded default templates that are compiled into the binary, making it ready to use without external template files.
9
9
10
10
## Requirements
11
11
12
-
- Access to one of the supported KMS providers (AWS, Google Cloud, Azure)
12
+
- Access to one of the supported KMS providers (AWS, Google Cloud, Azure, HashiCorp Vault)
13
13
- Pre-existing KMS keys (the tool uses existing keys and does not create new ones)
14
14
15
15
## Local Development
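Review bot: the sentence added to the overview ("The tool includes embedded default templates that are compiled into the binary, making it ready to use without external template files.") restates what the rewritten Certificate Templates section says further down ("The embedded templates are located in `pkg/certmaker/templates/` ... and are compiled into the binary"); keep one of the two, or reduce the overview to a short pointer to that section, so the two descriptions cannot drift apart. While the Requirements bullet is being touched to add HashiCorp Vault (matching the `hashivault` value of `--kms-type`), "Access to ... HashiCorp Vault" does not tell a reader what to provision; a few words on what the tool expects from Vault, next to the existing note that keys must pre-exist, would make that bullet actionable.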
@@ -27,6 +27,14 @@ The tool can be configured using either command-line flags or environment variab
27
27
28
28
### Command-Line Interface
29
29
30
+
The `create` command accepts an optional positional argument for the common name:
31
+
32
+
```bash
33
+
./bin/tsa-certificate-maker create [common-name]
34
+
```
35
+
36
+
If no common name is provided, the values from the templates will be used.
37
+
30
38
Available flags:
31
39
32
40
-`--kms-type`: KMS provider type (awskms, gcpkms, azurekms, hashivault)
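Review bot: the new line "If no common name is provided, the values from the templates will be used." is at odds with the Certificate Templates text later in the same README, which says the embedded defaults satisfy TSA's certificate requirements only "as long as the intended common name is used as a positional argument". State the rule once, here in the usage block: with the embedded defaults the common name is effectively required, and only a custom template makes it optional. It would also help to say which template fields the positional argument overrides (the subject common name only, or a SAN as well), since the certificate that ends up signed by the KMS key is whatever the template plus this argument produce, and `./bin/tsa-certificate-maker create [common-name]` alone does not tell the reader that.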
@@ -44,6 +52,9 @@ Available flags:
44
52
-`--intermediate-key-id`: KMS key identifier for intermediate certificate
45
53
-`--intermediate-template`: Path to intermediate certificate template
46
54
-`--intermediate-cert`: Output path for intermediate certificate
-`KMS_INTERMEDIATE_KEY_ID`: Key identifier for intermediate certificate
53
64
-`LEAF_KEY_ID`: Key identifier for leaf certificate
54
65
-`AWS_REGION`: AWS Region (required for AWS KMS)
55
-
-`KMS_VAULT_NAME`: Azure Key Vault name
56
66
-`AZURE_TENANT_ID`: Azure tenant ID
57
67
-`GCP_CREDENTIALS_FILE`: Path to credentials file (for Google Cloud KMS)
58
68
-`VAULT_ADDR`: HashiCorp Vault address
59
69
-`VAULT_TOKEN`: HashiCorp Vault token
60
70
61
71
### Certificate Templates
62
72
63
-
The tool uses JSON templates to define certificate properties:
73
+
The embedded templates are located in `pkg/certmaker/templates/` in the source code and are compiled into the binary. You can override these defaults by providing your own template files using:
64
74
65
-
-`root-template.json`: Defines root CA certificate properties
66
-
-`intermediate-template.json`: Defines intermediate CA certificate properties (when using --intermediate-key-id)
-`--intermediate-template`: Custom intermediate CA template
77
+
-`--leaf-template`: Custom leaf template
68
78
69
-
Templates are located in `pkg/certmaker/templates/`.
79
+
If no custom templates are provided via flags, the tool will automatically use the embedded defaults which are designed to work with TSA's certificate requirements as long as the intended common name is used as a positional argument.
70
80
71
81
Note: Templates use ASN.1/OID format for timestamping-specific extensions.
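Review bot: `KMS_VAULT_NAME` ("Azure Key Vault name") is removed from the environment-variable list while `AZURE_TENANT_ID` stays, so Azure users are left with no documented way to name the vault; if the vault is now derived from the key identifier, say so on the `AZURE_TENANT_ID` line or beside the Azure entries in the flags list, otherwise keep the variable documented until the code stops reading it. On the templates rewrite: the closing note that templates "use ASN.1/OID format for timestamping-specific extensions" is the only place a reader learns what makes the embedded leaf template TSA-ready. Spell out which extensions those are and whether they are marked critical (the timestamping extended key usage, which RFC 3161 requires to be critical in a TSA signing certificate), so that anyone overriding `--leaf-template` or `--intermediate-template` knows what they must preserve for the resulting chain to be usable by the TSA.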