
Commit e970659

committed
maintenance: use client rid as mtls cert subject
1 parent c5deab3 commit e970659

2 files changed

Lines changed: 11 additions & 14 deletions


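--- a/internal/mtls/mtls.go
+++ b/internal/mtls/mtls.go
@@ -14,6 +14,8 @@ import (
 "fmt"
 "math/big"
 "time"
+
+"github.com/tschaefer/finchctl/internal/version"
 )
 
 const CertValidityDays = 90 * 24 * time.Hour
@@ -30,11 +32,8 @@ func GenerateCA(hostname string) ([]byte, []byte, error) {
 }
 
 template := x509.Certificate{
-SerialNumber: serialNumber,
-Subject: pkix.Name{
-Organization: []string{"Finch"},
-CommonName: fmt.Sprintf("Finch CA - %s", hostname),
-},
+SerialNumber: serialNumber,
+Subject: pkix.Name{CommonName: hostname},
 NotBefore: time.Now(),
 NotAfter: time.Now().Add(CertValidityDays),
 KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
@@ -95,14 +94,11 @@ func GenerateClient(hostname string, caCertPEM, caKeyPEM []byte) ([]byte, []byte
 
 template := x509.Certificate{
 SerialNumber: serialNumber,
-Subject: pkix.Name{
-Organization: []string{"Finch"},
-CommonName: fmt.Sprintf("Finch Client - %s", hostname),
-},
-NotBefore: time.Now(),
-NotAfter: time.Now().Add(CertValidityDays),
-KeyUsage: x509.KeyUsageDigitalSignature,
-ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+Subject: pkix.Name{CommonName: version.ResourceID()},
+NotBefore: time.Now(),
+NotAfter: time.Now().Add(CertValidityDays),
+KeyUsage: x509.KeyUsageDigitalSignature,
+ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 }
 
 clientCertDER, err := x509.CreateCertificate(rand.Reader, &template, caCert, &clientKey.PublicKey, caKey)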
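Review bot: GenerateClient's `hostname` parameter no longer reaches the certificate once the CommonName on new line 97 comes from `version.ResourceID()`; the only use visible in this hunk was the removed `fmt.Sprintf` line, so as far as the hunk shows the parameter is now dead and should either be dropped from the signature or given a comment saying why it is kept (the rest of GenerateClient's body, and GenerateCA's, lie outside the hunk). Reading the CN from package-level state also makes the certificate depend on something the caller cannot see or control; passing the identifier in, e.g. `func GenerateClient(rid string, caCertPEM, caKeyPEM []byte)`, keeps the function a pure function of its inputs and lets tests pin an exact expected CN. Whichever way it goes, the subject choice deserves a why-comment on the template, such as `// The client certificate is identified by the client's resource ID, not by hostname.`, since a reader of the CA hunk will see hostname used there and expect the same here.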

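--- a/internal/mtls/mtls_test.go
+++ b/internal/mtls/mtls_test.go
@@ -12,6 +12,7 @@ import (
 
 "github.com/brianvoe/gofakeit/v7"
 "github.com/stretchr/testify/assert"
+"github.com/tschaefer/finchctl/internal/version"
 )
 
 func Test_GenerateCA(t *testing.T) {
@@ -48,7 +49,7 @@ func Test_GenerateClient(t *testing.T) {
 cert, err := x509.ParseCertificate(block.Bytes)
 assert.NoError(t, err, "client cert should parse")
 assert.False(t, cert.IsCA, "cert should not be CA")
-assert.Contains(t, cert.Subject.CommonName, hostname, "cert CN should contain hostname")
+assert.Contains(t, cert.Subject.CommonName, version.ResourceID(), "cert CN should contain client rid")
 assert.Contains(t, cert.ExtKeyUsage, x509.ExtKeyUsageClientAuth, "cert should have client auth usage")
 }
 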
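Review bot: The new assertion on line 52 checks only that the CN contains the resource ID, but the production change sets the CN to exactly `version.ResourceID()`, so a substring check is weaker than what the code guarantees and would still pass if a prefix or suffix crept back in; prefer `assert.Equal(t, version.ResourceID(), cert.Subject.CommonName, "cert CN should be the client rid")`. Since the expected value is read from the same package-global the code under test uses, the test cannot detect the CN being wrong when `version.ResourceID()` returns an empty or unexpected value; an `assert.NotEmpty(t, cert.Subject.CommonName, "client rid must not be empty")` alongside it makes that failure mode visible. The enclosing Test_GenerateClient starts before this hunk.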
