How to renew existing certificate via Go API

[merlinz01]

I am trying to integrate step PKI into my web servers via the Go API, but I am having trouble figuring out the right way to do it.

What I need to do is this:

• Use the step CLI to create and sign a key pair and save it to disk.
  • I would do this using Salt Stack when initializing the server.
• When my server starts, read the key pair on disk and start the server.
• Before the certificate expires, renew it and save it to disk.

I should only need to send the provisioner password to the server once when initializing it; I don't want to send the provisioner password to all my servers every time they restart. The rest of the time it should simply renew the certificate.

Here's what I have so far:

func main() {
	// Initialize the server
	myHttpServer := http.Server{}
	cert, err := tls.LoadX509KeyPair("../fs0.crt", "../fs0.key")
	if err != nil {
		log.Println("Failed to load key pair:", err)
		return
	}
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		log.Println("Failed to parse certificate:", err)
		return
	}
	cert.Leaf = leaf
	myHttpServer.TLSConfig = &tls.Config{
		Certificates: []tls.Certificate{cert},
	}
	myHttpServer.Handler = http.NewServeMux()
	// myHttpServer.ListenAndServeTLS("", "")

	// Connect to the CA
	c, err := ca.NewClient("https://my.step.ca.server:8443", ca.WithRootSHA256("fingerprint"))
	if err != nil {
		log.Println("Error creating client:", err)
		return
	}
	h, err := c.Health()
	if err != nil {
		log.Println("Error checking health:", err)
		return
	}
	if h.Status != "ok" {
		log.Println("Bad health:", h.Status)
		return
	}

	// Read the root certificate
	data, err := os.ReadFile("../../root_ca.crt")
	if err != nil {
		log.Println("Failed to read root cert:", err)
		return
	}
	rootdata, _ := pem.Decode(data)
	rootcert, err := x509.ParseCertificate(rootdata.Bytes)
	if err != nil {
		log.Println("Failed to parse root cert:", err)
		return
	}

	// Renew the certificate
	t := *(http.DefaultTransport.(*http.Transport))
	t.TLSClientConfig = &tls.Config{Certificates: []tls.Certificate{cert}}
	t.TLSClientConfig.RootCAs = x509.NewCertPool()
	t.TLSClientConfig.RootCAs.AddCert(rootcert)
	for {
		resp, err := c.Renew(&t)
		if err != nil {
			log.Println("Failed to renew certificate:", err)
			return
		}
		cert.Certificate[0] = resp.ServerPEM.Certificate.Raw
		cert.Leaf = resp.ServerPEM.Certificate
		// time.Sleep(20 * time.Day)
		break
	}
}

The question

Am I on the right track, or am I reinventing the wheel or doing something stupid?

I would really appreciate better documentation of the API.

[hslatman]

Hey @merlinz01, yes, it looks like you're on the right track. I haven't tried your code yet, but it looks like it should work, or is at least close to working; does it work for you?

In terms of documentation: yeah, we're aware the CA API isn't documented fully / neatly. The best way is to read the CLI for some reference code, which I believe you've already done.

Depending on your requirements, and given that your HTTP server is able to reach the CA, maybe using the ACME provisioner is an alternative for you? But in that case you'll need the HTTP server and CA to be on the same network, or use a DNS challenge. The nice thing about it is that it's a standardized protocol that's well documented.

[merlinz01]

Yes, I am getting it to work. The ACME and DNS provisioners are not an option in this case which is why I am using the JWK provisioner.

Now a question: will my code (or the step CLI) succeed in renewing a certificate that has expired? Will I have to manually update the certificate if it expires while this server is down?