Optional worker
Readonly [init
Readonly cert
Readonly cert
Protected db
Protected db: Certificate collection. CertManager/certs/{CertId} -> {raw(CertificateASN1)}
Protected db: Maintain the last CertID to preserve monotonicity across process restarts. CertManager/lastCertId -> {raw(CertId)}
Protected db
Protected generate
Protected key
Protected logger
Protected renew
Protected renew
Protected Optional renew
Protected renew
Protected Optional subject
Protected task
Protected tasks
Protected Optional worker
Protected del
Optional tran: DBTransaction
Protected
gcCerts: Garbage collect invalid or expired certificates. Invalid certificates can happen if key rotation does not succeed; it could mean that the leaf certificate does not match the current key pair. Expired certificates are no longer valid and should be deleted. This will always ensure that the current certificate is kept. It will also keep the first expired certificate in the chain; all subsequent certificates will be deleted.

Note that when a new certificate is generated, it may be generated with a duration of 0. When this occurs, the certificate is considered still valid for the now timestamp at generation. Therefore, upon finding the current certificate, we don't bother checking whether it is expired; we can assume it is not. However, to be absolutely robust, pass the same now between generation and this.gcCerts to prevent accidental garbage collection of a 0-duration current certificate.
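The keep/delete rule above, as an added example that is not code from the CertManager project: it walks a constructed chain ordered leaf to root and reports what gc would delete. The CertRecord shape, the publicKey identifiers and the selectCertsToGc name are assumptions.

```typescript
// Added example: the gcCerts keep/delete rule over a constructed chain.
// CertRecord, publicKey identifiers and selectCertsToGc are assumptions.
type CertRecord = {
  certId: number;    // monotonic id, higher is newer
  publicKey: string; // identifier of the key pair the certificate certifies
  notBefore: number; // unix time in seconds
  notAfter: number;  // unix time in seconds, inclusive
};

// Certificates have second resolution, so `now` is truncated to the second.
function truncSeconds(now: Date): number {
  return Math.floor(now.getTime() / 1000);
}

// Inclusive check: a 0-duration certificate generated at `now` is still
// valid when gc runs with that same `now`.
function isExpired(cert: CertRecord, now: Date): boolean {
  return truncSeconds(now) > cert.notAfter;
}

// Returns the certIds gc would delete. `chain` is ordered leaf to root.
function selectCertsToGc(chain: CertRecord[], currentPublicKey: string, now: Date): number[] {
  const toDelete: number[] = [];
  // Leading certificates that do not match the current key pair are invalid
  // (a key rotation that did not succeed) and are deleted.
  let i = 0;
  while (i < chain.length && chain[i].publicKey !== currentPublicKey) {
    toDelete.push(chain[i].certId);
    i++;
  }
  if (i === chain.length) return []; // no current certificate found: assumption, leave the chain as is
  // chain[i] is the current certificate: always kept, expiry not checked.
  let firstExpiredKept = false;
  for (i = i + 1; i < chain.length; i++) {
    if (!isExpired(chain[i], now)) continue;                       // still valid: keep
    if (!firstExpiredKept) { firstExpiredKept = true; continue; }  // first expired: keep
    toDelete.push(chain[i].certId);                                // later expired ones: delete
  }
  return toDelete;
}

// Constructed sample chain (not real data) at a fixed `now`: an invalid leaf from
// a failed rotation, a 0-duration current cert, a still-valid cert, three expired.
const NOW = new Date(1700000000 * 1000);
const n = truncSeconds(NOW);
const SAMPLE_CHAIN: CertRecord[] = [
  { certId: 6, publicKey: 'k2', notBefore: n, notAfter: n },
  { certId: 5, publicKey: 'k1', notBefore: n, notAfter: n },
  { certId: 4, publicKey: 'k1', notBefore: n - 100, notAfter: n + 50 },
  { certId: 3, publicKey: 'k0', notBefore: n - 500, notAfter: n - 1 },
  { certId: 2, publicKey: 'k0', notBefore: n - 900, notAfter: n - 400 },
  { certId: 1, publicKey: 'k0', notBefore: n - 1300, notAfter: n - 800 },
];
```

With the current key pair being k1, the invalid leaf 6 and the expired 2 and 1 are deleted, while 5 (current, 0-duration), 4 (still valid) and 3 (first expired) are kept.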
Protected generate
Optional issuer
Optional now?: Date
Optional subject

Get a certificate according to the CertID
Optional tran: DBTransaction

Get CertificatePEM from leaf to root
Optional tran: DBTransaction

Gets an array of CertificatePEM in order of leaf to root
Optional tran: DBTransaction

Gets a concatenated CertificatePEM ordered from leaf to root
Optional tran: DBTransaction

Get the current (leaf) certificate in PEM
Optional tran: DBTransaction

Protected
put: Generates a new leaf certificate with the current key pair. This new certificate is chained to the previous certificate. It is self-signed and also signed by the previous certificate. The self-signed signature is encoded within the NodeSignatureExtension. The certificate signature is produced by the previous certificate's public key. This maintains a certificate chain that provides zero-downtime migration. The NodeId does not change. Garbage collection of old certificates is executed immediately afterwards; it checks whether certificates are expired against the same timestamp that was used to generate the new certificate.

Generates a new leaf certificate with a new key pair. This new certificate is chained to the previous certificate. It is self-signed and also signed by the previous certificate. The self-signed signature is encoded within the NodeSignatureExtension. The certificate signature is produced by the previous certificate's public key. Garbage collection of old certificates is executed immediately afterwards; it checks whether certificates are expired against the same timestamp that was used to generate the new certificate.

Generates a new certificate chain starting with the current key pair. The new certificate is self-signed and has no previous certificate. The NodeId does not change. The self-signed signature is encoded within the NodeSignatureExtension. Garbage collection of old certificates is executed immediately afterwards; it checks whether certificates are expired against the same timestamp that was used to generate the new certificate.

Generates a new certificate chain starting with a new key pair. The new certificate is self-signed and has no previous certificate. This results in a new NodeId. The self-signed signature is encoded within the NodeSignatureExtension. Garbage collection of old certificates is executed immediately afterwards; it checks whether certificates are expired against the same timestamp that was used to generate the new certificate.
Protected setup

Protected setup: Sets up the renew current certificate task. This will set the renewal of the certificate to the remaining duration minus the lead time, with the minimum delay being 0. This task is a singleton. It must be updated when the current certificate is renewed.
Optional fresh?: boolean
Optional lazy?: boolean
Optional now?: Date
Optional subject

Static
create: The password is needed in case there needs to be an automatic renewal. When the certificate is automatically renewed, a new key pair is generated. The certDuration is in seconds. This is the default duration of generated certificates. Certificates will be valid from now until inclusive of now + certDuration. Certificates only have second resolution, so now is always interpreted as truncated to the second. The certRenewLeadTime is in seconds. This is the amount of time set before the last valid second timestamp, in which to automatically run the certificate renewal with the current key pair. This must ensure enough time for change propagation across the gestalt graph.
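The certDuration and certRenewLeadTime arithmetic described for create, together with the renewal delay rule of the renew task, as an added example that is not code from the CertManager project; ValidityWindow and the function names are assumptions.

```typescript
// Added example: validity window and renewal delay as described for create().
// ValidityWindow and the function names are assumptions, not the project's API.
type ValidityWindow = { notBefore: number; notAfter: number }; // unix seconds, notAfter inclusive

// Certificates only have second resolution: `now` is truncated to the second.
function truncSeconds(now: Date): number {
  return Math.floor(now.getTime() / 1000);
}

// Valid from now until, inclusive of, now + certDuration (seconds).
function validityWindow(now: Date, certDuration: number): ValidityWindow {
  const notBefore = truncSeconds(now);
  return { notBefore, notAfter: notBefore + certDuration };
}

// Inclusive on both ends, so a 0-duration certificate is valid for exactly
// the second in which it was generated.
function isValidAt(w: ValidityWindow, at: Date): boolean {
  const t = truncSeconds(at);
  return t >= w.notBefore && t <= w.notAfter;
}

// Seconds until the renew task should run: remaining duration minus the lead
// time, never below 0. A certRenewLeadTime that is not shorter than certDuration
// therefore fires the renewal at once, leaving no time for change propagation.
function renewalDelay(w: ValidityWindow, certRenewLeadTime: number, now: Date): number {
  const remaining = w.notAfter - truncSeconds(now);
  return Math.max(0, remaining - certRenewLeadTime);
}
```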
Optional fresh?: boolean
Optional issuer
Optional lazy?: boolean
Optional logger?: Logger
Optional now?: Date
Optional options?: Partial<CertManagerOptions>
Optional subject
Optional worker

Generated using TypeDoc

Certificate duration in seconds