Add method to get a certificate renewer.

ca/tls.go

@@ -127,6 +127,45 @@ func (c *Client) Transport(ctx context.Context, sign *api.SignResponse, pk crypt
 	return tr, nil
 }
 
+// GetCertificateRenewer returns a TLSRenewer for the given certificate.
+func (c *Client) GetCertificateRenewer(sign *api.SignResponse, pk crypto.PrivateKey, options ...TLSOption) (*TLSRenewer, error) {
+	cert, err := TLSCertificate(sign, pk)
+	if err != nil {
+		return nil, err
+	}
+
+	renewer, err := NewTLSRenewer(cert, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	tlsConfig := getDefaultTLSConfig(sign)
+	// Note that with GetClientCertificate tlsConfig.Certificates is not used.
+	// Without tlsConfig.Certificates there's not need to use tlsConfig.BuildNameToCertificate()
+	tlsConfig.GetClientCertificate = renewer.GetClientCertificate
+	tlsConfig.PreferServerCipherSuites = true
+
+	// Apply options and initialize mutable tls.Config
+	tlsCtx := newTLSOptionCtx(c, tlsConfig, sign)
+	if err := tlsCtx.apply(options); err != nil {
+		return nil, err
+	}
+
+	// Update renew function with transport
+	tr, err := getDefaultTransport(tlsConfig)
+	if err != nil {
+		return nil, err
+	}
+	// Use mutable tls.Config on renew
+	tr.DialTLS = c.buildDialTLS(tlsCtx)
+	renewer.RenewCertificate = getRenewFunc(tlsCtx, c, tr, pk)
+
+	// Update client transport
+	c.client.Transport = tr
+
+	return renewer, nil
+}
+
 // buildGetConfigForClient returns an implementation of GetConfigForClient
 // callback in tls.Config.
 //