| 508 | } |
| 509 | |
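// Rekey requests a certificate for the freshly generated private key priv and
// writes the resulting chain to outCert. When writePrivateKey is true, priv is
// also serialized to outKey. The CA's sign response is returned on success;
// the error cases are a CSR that cannot be built or parsed, a failed rekey
// call, or a cert/key file that cannot be written.
//
// The CSR template is deliberately empty: the request carries only the new
// public key and its proof-of-possession signature. The identity of the issued
// certificate is therefore decided by the CA from whatever r.transport presents
// (presumably the current client certificate — not visible here, confirm
// against the server side).
func (r *renewer) Rekey(priv interface{}, outCert, outKey string, writePrivateKey bool) (*api.SignResponse, error) {
	// Self-sign an empty template with the new key; CreateCertificateRequest
	// fails here if priv is not a supported signer.
	csrDER, err := x509.CreateCertificateRequest(cryptoRand.Reader, &x509.CertificateRequest{}, priv)
	if err != nil {
		return nil, errors.Wrap(err, "error creating certificate request")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, errors.Wrap(err, "error parsing certificate request")
	}

	resp, err := r.client.Rekey(&api.RekeyRequest{CsrPEM: api.NewCertificateRequest(csr)}, r.transport)
	if err != nil {
		return nil, errors.Wrap(err, "error rekeying certificate")
	}

	// When the response carries no explicit chain, fall back to leaf + issuing
	// CA so the on-disk layout is the same either way. The response is updated
	// in place so callers see the chain that was actually written.
	chain := resp.CertChainPEM
	if len(chain) == 0 {
		chain = []api.Certificate{resp.ServerPEM, resp.CaPEM}
		resp.CertChainPEM = chain
	}

	var chainPEM []byte
	for _, c := range chain {
		blk, err := pemutil.Serialize(c.Certificate)
		if err != nil {
			return nil, errors.Wrap(err, "error serializing certificate PEM")
		}
		chainPEM = append(chainPEM, pem.EncodeToMemory(blk)...)
	}

	// NOTE(review): the certificate and the key are written as two separate
	// operations, so a failure between them leaves outCert and outKey out of
	// sync. Treat any error from this point as "run the rekey again", not as
	// "retry the write".
	if err := fileutil.WriteFile(outCert, chainPEM, 0o600); err != nil {
		return nil, errs.FileError(err, outCert)
	}
	if writePrivateKey {
		// 0o600: the private key must never be readable by other users.
		// pemutil is expected to carry the file path in its error already, so
		// it is returned as-is — TODO confirm.
		if _, err := pemutil.Serialize(priv, pemutil.ToFile(outKey, 0o600)); err != nil {
			return nil, err
		}
	}

	return resp, nil
}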
| 546 | |
| 547 | // RenewAndPrepareNext renews the cert and prepares the cert for its next renewal. |
| 548 | // NOTE: this function logs each time the certificate is successfully renewed. |