README.md

certdb usage

When a db config is provided, a database enables additional functionality for existing commands:

  • sign and gencert add each certificate to the certdb after signing it
  • serve enables database functionality for the sign and revoke endpoints

A database is required for the following:

  • revoke marks certificates revoked in the database with an optional reason
  • ocsprefresh refreshes the table of cached OCSP responses
  • ocspdump outputs cached OCSP responses in a concatenated base64-encoded format

Setup/Migration

This directory stores goose DB migration scripts for the supported database backends. Currently supported:

  • MySQL in mysql
  • PostgreSQL in pg
  • SQLite in sqlite

Get goose

go get bitbucket.org/liamstask/goose/cmd/goose

Use goose to set up and tear down a MySQL DB

To apply the certdb schema migrations to a MySQL database using goose:

goose -path certdb/mysql up

To roll the migrations back (tear down the schema) using goose:

goose -path certdb/mysql down

Note: administration of the MySQL server itself is not covered here. We assume the database being connected to already exists and that access control is properly handled.

Use goose to set up and tear down a PostgreSQL DB

To apply the certdb schema migrations to a PostgreSQL database using goose:

goose -path certdb/pg up

To roll the migrations back (tear down the schema) using goose:

goose -path certdb/pg down

Note: administration of the PostgreSQL server itself is not covered here. We assume the database being connected to already exists and that access control is properly handled.

Use goose to set up and tear down a SQLite DB

To apply the certdb schema migrations to a SQLite database using goose:

goose -path certdb/sqlite up

To roll the migrations back (tear down the schema) using goose:

goose -path certdb/sqlite down

CFSSL Configuration

Several cfssl commands take a -db-config flag. Create a file containing a JSON dictionary with the driver name and data source, for example:

{"driver":"sqlite3","data_source":"certs.db"}

or

{"driver":"postgres","data_source":"postgres://user:password@host/db"}

or

{"driver":"mysql","data_source":"user:password@tcp(hostname:3306)/db?parseTime=true"}
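As an added example (not cfssl's own code), a small Go loader that parses a -db-config file of the shape shown above and checks it against the three documented backends before it is handed to a database driver. The DBConfig type, ParseDBConfig and Validate are assumptions for this example, not the API of cfssl's dbconf package.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// DBConfig mirrors the -db-config JSON dictionary (keys "driver" and "data_source"); constructed for this example.
type DBConfig struct {
	DriverName     string `json:"driver"`
	DataSourceName string `json:"data_source"`
}

// ParseDBConfig decodes the file contents, rejecting unknown keys (a typo such as "datasource" would otherwise yield an empty DSN).
func ParseDBConfig(data []byte) (*DBConfig, error) {
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	var cfg DBConfig
	if err := dec.Decode(&cfg); err != nil {
		return nil, fmt.Errorf("db-config: %w", err)
	}
	if cfg.DriverName == "" || cfg.DataSourceName == "" {
		return nil, fmt.Errorf("db-config: driver and data_source are required")
	}
	return &cfg, nil
}

// Validate accepts only the three backends the README documents and applies
// one sanity check per driver to the data source string.
func (c *DBConfig) Validate() error {
	switch c.DriverName {
	case "sqlite3":
		return nil
	case "postgres":
		if !strings.HasPrefix(c.DataSourceName, "postgres://") {
			return fmt.Errorf("postgres data_source must be a postgres:// URL")
		}
	case "mysql":
		// certdb stores timestamps; go-sql-driver/mysql only scans DATETIME into time.Time when parseTime=true is set.
		if !strings.Contains(c.DataSourceName, "parseTime=true") {
			return fmt.Errorf("mysql data_source must include parseTime=true")
		}
	default:
		return fmt.Errorf("unsupported driver %q (want sqlite3, postgres or mysql)", c.DriverName)
	}
	return nil
}
```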