diff --git a/ca/tls.go b/ca/tls.go index ef3af548..fd171189 100644 --- a/ca/tls.go +++ b/ca/tls.go @@ -127,6 +127,45 @@ func (c *Client) Transport(ctx context.Context, sign *api.SignResponse, pk crypt return tr, nil } +// GetCertificateRenewer returns a TLSRenewer for the given certificate. +func (c *Client) GetCertificateRenewer(sign *api.SignResponse, pk crypto.PrivateKey, options ...TLSOption) (*TLSRenewer, error) { + cert, err := TLSCertificate(sign, pk) + if err != nil { + return nil, err + } + + renewer, err := NewTLSRenewer(cert, nil) + if err != nil { + return nil, err + } + + tlsConfig := getDefaultTLSConfig(sign) + // Note that with GetClientCertificate tlsConfig.Certificates is not used. + // Without tlsConfig.Certificates there's not need to use tlsConfig.BuildNameToCertificate() + tlsConfig.GetClientCertificate = renewer.GetClientCertificate + tlsConfig.PreferServerCipherSuites = true + + // Apply options and initialize mutable tls.Config + tlsCtx := newTLSOptionCtx(c, tlsConfig, sign) + if err := tlsCtx.apply(options); err != nil { + return nil, err + } + + // Update renew function with transport + tr, err := getDefaultTransport(tlsConfig) + if err != nil { + return nil, err + } + // Use mutable tls.Config on renew + tr.DialTLS = c.buildDialTLS(tlsCtx) + renewer.RenewCertificate = getRenewFunc(tlsCtx, c, tr, pk) + + // Update client transport + c.client.Transport = tr + + return renewer, nil +} + // buildGetConfigForClient returns an implementation of GetConfigForClient // callback in tls.Config. //