Skip to content

feat: add certificate issuance and public-only key support#1

Merged
kduma merged 8 commits into
developfrom
kduma/cert-issuance
Mar 17, 2026
Merged

feat: add certificate issuance and public-only key support#1
kduma merged 8 commits into
developfrom
kduma/cert-issuance

Conversation

@kduma

@kduma kduma commented Mar 15, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds certificate issuance capabilities with new commands for issuing certificates from CSRs and key IDs, support for public-only keys, and pipeline-friendly STDERR routing. Centralizes all signing logic in CertificateSigningService.

New commands: certificate:issue:csr, certificate:issue:key, certificate:get, certificate:exists, certificate:list, key:import:public, key:list.

Public-only key support allows importing standalone keys without private components. STDERR routing enables Unix pipe usage for data pipelines.

Includes ensure_signed_ca_certificate() function in configure.sh to orchestrate sub-CA certificate issuance.

kduma and others added 8 commits March 13, 2026 21:15
…ey/cert listing

Add certificate:issue:csr and certificate:issue:key commands for signing
certificates from CSRs or key IDs. Add certificate:get, certificate:list,
certificate:exists, key:list, and key:import:public supporting commands.
Extend Key entity with $private flag, Certificate entity with $sequence,
and CaMetadata with $last_issued_sequence. Guard private-key-requiring
commands against public-only keys.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… CSR

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Certificate ID goes to STDOUT for piping; all user-facing messages
(errors, confirmations) now go through stdErr() wrapper.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ands

Wrap error() calls in stdErr() for key:import, key:import:public, and
authority:certificate:import to keep STDOUT clean when piping PEM data.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…mmands

Revert stdErr wrapping from LoadsPrivateKey trait — each command is
responsible for routing its own prompts. Wrap loadPrivateKey calls in
stdErr() in certificate:issue:csr, certificate:issue:key, and key:import.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…a_certificate

Make the `id` argument optional in `certificate:get`, falling back to
stdin so the command can be used in pipelines. Add `ensure_signed_ca_certificate`
helper to configure.sh that chains CSR → issue → get → import for sub-CAs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@kduma kduma merged commit ebc13eb into develop Mar 17, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant