@@ -358,7 +358,7 @@ func NewCertificateAuthority(cc *CertConfig) (*VirtualClusterCert, error) {
358358 return nil , fmt .Errorf ("unable to create private key while generating CA certificate, err: %w" , err )
359359 }
360360
361- cert , err := certutil . NewSelfSignedCACert (cc .Config , key )
361+ cert , err := NewSelfSignedCACert (cc .Config , key )
362362 if err != nil {
363363 return nil , fmt .Errorf ("unable to create self-signed CA certificate, err: %w" , err )
364364 }
@@ -376,6 +376,30 @@ func NewCertificateAuthority(cc *CertConfig) (*VirtualClusterCert, error) {
376376 }, nil
377377}
378378
379+ // NewSelfSignedCACert creates a CA certificate
380+ func NewSelfSignedCACert (cfg certutil.Config , key crypto.Signer ) (* x509.Certificate , error ) {
381+ now := time .Now ()
382+ tmpl := x509.Certificate {
383+ SerialNumber : new (big.Int ).SetInt64 (0 ),
384+ Subject : pkix.Name {
385+ CommonName : cfg .CommonName ,
386+ Organization : cfg .Organization ,
387+ },
388+ DNSNames : []string {cfg .CommonName },
389+ NotBefore : now .UTC (),
390+ NotAfter : now .Add (constants .CertificateValidity ).UTC (),
391+ KeyUsage : x509 .KeyUsageKeyEncipherment | x509 .KeyUsageDigitalSignature | x509 .KeyUsageCertSign ,
392+ BasicConstraintsValid : true ,
393+ IsCA : true ,
394+ }
395+
396+ certDERBytes , err := x509 .CreateCertificate (cryptorand .Reader , & tmpl , & tmpl , key .Public (), key )
397+ if err != nil {
398+ return nil , err
399+ }
400+ return x509 .ParseCertificate (certDERBytes )
401+ }
402+
379403func CreateCertAndKeyFilesWithCA (cc * CertConfig , caCertData , caKeyData []byte ) (* VirtualClusterCert , error ) {
380404 if len (cc .Config .Usages ) == 0 {
381405 return nil , fmt .Errorf ("must specify at least one ExtKeyUsage" )
0 commit comments