15 // generateCert generates a temporary certificate for plugin authentication. The
16 // certificate and private key are returned in PEM format.
17 func generateCert() (cert []byte, privateKey []byte, err error) {
18 key, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
23 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
24 sn, err := rand.Int(rand.Reader, serialNumberLimit)
31 template := &x509.Certificate{
34 Organization: []string{"HashiCorp"},
36 DNSNames: []string{host},
37 ExtKeyUsage: []x509.ExtKeyUsage{
38 x509.ExtKeyUsageClientAuth,
39 x509.ExtKeyUsageServerAuth,
41 KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement | x509.KeyUsageCertSign,
42 BasicConstraintsValid: true,
44 NotBefore: time.Now().Add(-30 * time.Second),
45 NotAfter: time.Now().Add(262980 * time.Hour),
49 der, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key)
54 var certOut bytes.Buffer
55 if err := pem.Encode(&certOut, &pem.Block{Type: "CERTIFICATE", Bytes: der}); err != nil {
59 keyBytes, err := x509.MarshalECPrivateKey(key)
64 var keyOut bytes.Buffer
65 if err := pem.Encode(&keyOut, &pem.Block{Type: "EC PRIVATE KEY", Bytes: keyBytes}); err != nil {
69 cert = certOut.Bytes()
70 privateKey = keyOut.Bytes()
72 return cert, privateKey, nil