This is an opinionated single-file OpenVPN TLS certificate library. It has no dependencies on any other external tool such as openssl.
- Uses a single boltdb instance to store the certificates and keys.
- All data stored in the database is encrypted with keys derived from a user supplied CA passphrase.
- Support for issuing & revoking:
  - Server certs (optionally signed by intermediate CAs)
  - Client certs (optionally signed by intermediate CAs)
  - Intermediate CA certs (optionally signed by other intermediate CAs)
- Flexible CRL generation
- The certificates and keys are opinionated:
  - All CA cert private keys are Secp521r1
  - Client & server cert private keys are Secp256k1
  - "SSL-Server" attribute set on server certificates (nsCertType)
  - "SSL-Client" attribute set on client certificates (nsCertType)
  - ECDSA with SHA512 is used as the signature algorithm; this choice helps thwart DoS attacks.
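As an added illustration of the certificate profile above (example code, not go-pki's own), the following Go program issues a P-521 CA and an SSL-Server leaf with the standard library, encodes nsCertType by hand because crypto/x509 does not model that extension, and then checks a leaf against the profile (P-521 CA key, ECDSA-SHA512 signature, expected nsCertType bit). It assumes only the standard library; the leaf key is P-256 because crypto/elliptic has no secp256k1, and the `issue`, `ProfileOK` and `Demo` names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Netscape nsCertType (OID 2.16.840.1.113730.1.1) is not modelled by crypto/x509, so it is
// carried as a raw BIT STRING extension: bit 0 = SSL-Client, bit 1 = SSL-Server (MSB-first).
var oidNsCertType = asn1.ObjectIdentifier{2, 16, 840, 1, 113730, 1, 1}

const SSLClient, SSLServer byte = 0x80, 0x40

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

func nsCertType(bit byte) pkix.Extension {
	return pkix.Extension{Id: oidNsCertType, Value: must(asn1.Marshal(asn1.BitString{Bytes: []byte{bit}, BitLength: 2}))}
}

// issue signs tmpl with ECDSA-SHA512 (the signature algorithm the text names); a nil parent self-signs.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SignatureAlgorithm, tmpl.NotBefore, tmpl.NotAfter = x509.ECDSAWithSHA512, time.Now(), time.Now().Add(time.Hour)
	if parent == nil { parent = tmpl }
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// ProfileOK is the checking side: P-521 CA key, ECDSA-SHA512 signature that verifies under that
// CA, and the wanted nsCertType bit set on the leaf. Anything else is rejected.
func ProfileOK(c, ca *x509.Certificate, want byte) bool {
	caKey, ok := ca.PublicKey.(*ecdsa.PublicKey)
	if !ok || caKey.Curve != elliptic.P521() || c.SignatureAlgorithm != x509.ECDSAWithSHA512 || c.CheckSignatureFrom(ca) != nil {
		return false
	}
	for _, e := range c.Extensions {
		var bs asn1.BitString
		if _, err := asn1.Unmarshal(e.Value, &bs); e.Id.Equal(oidNsCertType) && err == nil && len(bs.Bytes) > 0 {
			return bs.Bytes[0]&want != 0
		}
	}
	return false
}

// Demo mints a P-521 CA and an SSL-Server leaf, then reports whether the leaf passes the
// server check (expected) and whether it also passes the client check (must not).
func Demo() (asServer, asClient bool) {
	caKey := must(ecdsa.GenerateKey(elliptic.P521(), rand.Reader))
	ca := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, &caKey.PublicKey, caKey)
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // stand-in: crypto/elliptic has no secp256k1
	srv := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "vpn.example"},
		ExtraExtensions: []pkix.Extension{nsCertType(SSLServer)}}, ca, &leafKey.PublicKey, caKey)
	return ProfileOK(srv, ca, SSLServer), ProfileOK(srv, ca, SSLClient)
}
```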
Two tools use this:
- ovpn-tool - an opinionated PKI and OpenVPN configuration manager
- certik - an example CLI program that uses this library
You will need a fairly recent golang toolchain (>1.10). go-pki is modules ready. You just import the code in your project as:

```go
import (
	"github.com/opencoff/go-pki"
)
```