{"id":49587480,"url":"https://github.com/attestantio/go-certmanager","last_synced_at":"2026-05-03T23:05:15.571Z","repository":{"id":351306704,"uuid":"1130314776","full_name":"attestantio/go-certmanager","owner":"attestantio","description":"Go library for managing server and client TLS certificates with reload support, SAN identity extraction, and gRPC credential helpers.","archived":false,"fork":false,"pushed_at":"2026-04-14T13:36:28.000Z","size":200,"stargazers_count":0,"open_issues_count":3,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-04-14T14:25:41.504Z","etag":null,"topics":["certificate-management","ethereum","ethereum-staking","go","go-library","golang","mtls","tls","x509"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/attestantio.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-08T10:28:52.000Z","updated_at":"2026-04-14T12:23:59.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/attestantio/go-certmanager","commit_stats":null,"previous_names":["attestantio/go-certmanager"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/attestantio/go-certmanager","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/attestantio%2Fgo-certmanager","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/attestantio%2Fgo-certmanager/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/attestantio%2Fgo-certmanager/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/attestantio%2Fgo-certmanager/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/attestantio","download_url":"https://codeload.github.com/attestantio/go-certmanager/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/attestantio%2Fgo-certmanager/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32587829,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-03T22:12:39.696Z","status":"ssl_error","status_checked_at":"2026-05-03T22:09:10.534Z","response_time":103,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate-management","ethereum","ethereum-staking","go","go-library","golang","mtls","tls","x509"],"created_at":"2026-05-03T23:05:14.620Z","updated_at":"2026-05-03T23:05:15.563Z","avatar_url":"https://github.com/attestantio.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# go-certmanager\n\n[![Tag](https://img.shields.io/github/tag/attestantio/go-certmanager.svg)](https://github.com/attestantio/go-certmanager/releases/)\n[![License](https://img.shields.io/github/license/attestantio/go-certmanager.svg)](LICENSE)\n[![Go Reference](https://pkg.go.dev/badge/github.com/attestantio/go-certmanager.svg)](https://pkg.go.dev/github.com/attestantio/go-certmanager)\n![Lint](https://github.com/attestantio/go-certmanager/workflows/golangci-lint/badge.svg)\n[![Go Report Card](https://goreportcard.com/badge/github.com/attestantio/go-certmanager)](https://goreportcard.com/report/github.com/attestantio/go-certmanager)\n\nGo library providing certificate management capabilities for both server and client TLS configurations.\n\nThe library supports:\n  - Server certificate loading with manual reload via `ReloadCertificate()` (e.g., on SIGHUP)\n  - Client certificate loading for gRPC and TLS connections\n  - DNS-based SAN identity extraction with CN fallback (RFC 1123/6125)\n  - Flexible certificate fetching via majordomo service\n  - Thread-safe operations for concurrent access\n\nThis library is used by Attestant projects such as [Vouch](https://github.com/attestantio/vouch) (Ethereum validator client) and [Dirk](https://github.com/attestantio/dirk) (distributed remote keymanager) for certificate management in Ethereum staking infrastructure.\n\n## Package Overview\n\n| Package | Description |\n|---------|-------------|\n| `server/standard` | Server certificate manager with reload support |\n| `client/standard` | Client certificate manager with optional CA pool |\n| `credentials` | gRPC credential helpers (`NewGRPCClientCredentials`, `NewServerTLSConfig`) |\n| `san` | X.509 SAN identity extraction and DNS name validation |\n| `testing` | Pre-generated test certificates and mock majordomo |\n\n## Table of Contents\n\n- [go-certmanager](#go-certmanager)\n  - [Package Overview](#package-overview)\n  - [Table of Contents](#table-of-contents)\n  - [Requirements](#requirements)\n  - [Install](#install)\n  - [Usage](#usage)\n    - [Certificate Fetching](#certificate-fetching)\n    - [Server Certificate Management](#server-certificate-management)\n    - [Client Certificate Management](#client-certificate-management)\n    - [gRPC Credentials](#grpc-credentials)\n    - [SAN Extraction](#san-extraction)\n  - [Maintainers](#maintainers)\n  - [Contributing](#contributing)\n  - [License](#license)\n\n## Requirements\n\n- Go 1.25.5 or later\n- [go-majordomo](https://github.com/wealdtech/go-majordomo) for certificate fetching\n- [gRPC-Go](https://google.golang.org/grpc) (required by the `credentials` package)\n\n## Install\n\n`go-certmanager` is a standard Go module which can be installed with:\n\n```sh\ngo get github.com/attestantio/go-certmanager\n```\n\n## Usage\n\n### Certificate Fetching\n\nCertificate data is fetched via [go-majordomo](https://github.com/wealdtech/go-majordomo), which supports pluggable \"confidants\" for files, HTTP endpoints, secret vaults, etc. You must create a majordomo service and pass it to certificate managers via `WithMajordomo()`.\n\nSetting up a file-based majordomo service:\n\n```go\nimport (\n    \"github.com/wealdtech/go-majordomo\"\n    fsc \"github.com/wealdtech/go-majordomo/confidants/fs\"\n)\n\nconfidant, err := fsc.New(ctx)\nif err != nil {\n    return err\n}\n\nmajordomoSvc, err := majordomo.New(ctx,\n    majordomo.WithConfidants(map[string]majordomo.Confidant{\"file\": confidant}),\n)\nif err != nil {\n    return err\n}\n\n// Use majordomoSvc with certificate managers (see below)\n```\n\nCertificate URIs follow the majordomo format: `file:///path/to/cert.pem`, `https://vault.example.com/secret/cert`, etc.\n\n### Server Certificate Management\n\nThe server package provides certificate management for TLS servers with manual reloading capabilities. Use this for long-running services that need to reload certificates without restarting.\n\n```go\nimport servercert \"github.com/attestantio/go-certmanager/server/standard\"\n\ncertMgr, err := servercert.New(ctx,\n    servercert.WithMajordomo(majordomoSvc),\n    servercert.WithCertPEMURI(\"file:///path/to/server.crt\"),\n    servercert.WithCertKeyURI(\"file:///path/to/server.key\"),\n    servercert.WithLoadTimeout(30*time.Second), // Optional: timeout for certificate fetch operations\n)\nif err != nil {\n    return err\n}\n\n// Use in TLS server config\ntlsConfig, err := certMgr.GetTLSConfig(ctx)\n\n// Trigger reload (e.g., on SIGHUP)\nif err := certMgr.ReloadCertificate(ctx); err != nil {\n    log.Warn().Err(err).Msg(\"Certificate reload failed\")\n}\n```\n\nFor peer-to-peer scenarios where the same certificate is used for both server and client roles, use `GetClientTLSConfig()` to get a static certificate config suitable for client connections:\n\n```go\n// Use the same cert manager for client connections\nclientTLSConfig, err := certMgr.GetClientTLSConfig(ctx)\nconn, err := grpc.NewClient(\"peer:port\",\n    grpc.WithTransportCredentials(credentials.NewTLS(clientTLSConfig)))\n```\n\nThis is useful for peer-to-peer communication where a single certificate serves both roles.\n\n\u003e **Important:** `GetClientTLSConfig()` returns a point-in-time snapshot — it will **not** reflect subsequent `ReloadCertificate()` calls. After a SIGHUP reload, callers must re-fetch the client TLS config and re-establish connections, as gRPC does not support in-place credential replacement.\n\nRecommended pattern for SIGHUP handlers:\n\n```go\n// In your SIGHUP handler:\nif err := certMgr.ReloadCertificate(ctx); err != nil {\n    log.Warn().Err(err).Msg(\"Certificate reload failed\")\n    return\n}\n\n// Re-fetch client TLS config after successful reload\nnewClientTLSConfig, err := certMgr.GetClientTLSConfig(ctx)\nif err != nil {\n    log.Error().Err(err).Msg(\"Failed to get updated client TLS config\")\n    return\n}\n\n// gRPC does not support in-place credential replacement;\n// close and re-establish the connection with the new config.\noldConn.Close()\nconn, err = grpc.NewClient(\"peer:port\",\n    grpc.WithTransportCredentials(credentials.NewTLS(newClientTLSConfig)))\n```\n\n### Client Certificate Management\n\nThe client package provides certificate loading for client connections.\n\n```go\nimport clientcert \"github.com/attestantio/go-certmanager/client/standard\"\n\ncertMgr, err := clientcert.New(ctx,\n    clientcert.WithMajordomo(majordomoSvc),\n    clientcert.WithCertPEMURI(\"file:///path/to/client.crt\"),\n    clientcert.WithCertKeyURI(\"file:///path/to/client.key\"),\n    clientcert.WithCACertURI(\"file:///path/to/ca.crt\"),      // Optional: CA for server verification\n    clientcert.WithLoadTimeout(30*time.Second),               // Optional: timeout for certificate fetch operations\n)\nif err != nil {\n    return err\n}\n\n// Get TLS config for client connections\ntlsConfig, err := certMgr.GetTLSConfig(ctx)\n```\n\n### gRPC Credentials\n\nThe `credentials` package provides helpers for setting up TLS in gRPC services.\n\n**Client credentials** from a client certificate manager:\n\n```go\nimport (\n    clientcert \"github.com/attestantio/go-certmanager/client/standard\"\n    certcreds \"github.com/attestantio/go-certmanager/credentials\"\n)\n\nclientCertMgr, err := clientcert.New(ctx,\n    clientcert.WithMajordomo(majordomoSvc),\n    clientcert.WithCertPEMURI(\"file:///path/to/client.crt\"),\n    clientcert.WithCertKeyURI(\"file:///path/to/client.key\"),\n)\nif err != nil {\n    return err\n}\n\ncreds, err := certcreds.NewGRPCClientCredentials(ctx, clientCertMgr)\nif err != nil {\n    return err\n}\n\nconn, err := grpc.NewClient(\"server:9091\", grpc.WithTransportCredentials(creds))\n```\n\n**Server TLS with mutual authentication** (client certificate verification):\n\n```go\nimport (\n    servercert \"github.com/attestantio/go-certmanager/server/standard\"\n    certcreds \"github.com/attestantio/go-certmanager/credentials\"\n    grpccreds \"google.golang.org/grpc/credentials\"\n)\n\nserverCertMgr, err := servercert.New(ctx,\n    servercert.WithMajordomo(majordomoSvc),\n    servercert.WithCertPEMURI(\"file:///path/to/server.crt\"),\n    servercert.WithCertKeyURI(\"file:///path/to/server.key\"),\n)\nif err != nil {\n    return err\n}\n\ntlsCfg, err := certcreds.NewServerTLSConfig(ctx, serverCertMgr, caCertPEM)\nif err != nil {\n    return err\n}\n\ngrpcServer := grpc.NewServer(grpc.Creds(grpccreds.NewTLS(tlsCfg)))\n```\n\n### SAN Extraction\n\nThe san package extracts DNS-based identity from X.509 certificates with CN fallback. DNS names are validated against RFC 1123 and RFC 6125; invalid names are skipped.\n\n```go\nimport \"github.com/attestantio/go-certmanager/san\"\n\n// Extract primary identity from certificate\nidentity, source := san.ExtractIdentity(cert)\n// source indicates: IdentitySourceSANDNS, IdentitySourceCN, or IdentitySourceUnknown\n\n// Convenience wrapper that returns just the identity string\nname := san.IdentityString(cert)\n\n// Extract all DNS Subject Alternative Names (returned as a CertificateSANs struct)\nallSANs := san.ExtractAllSANs(cert)\n// Access: allSANs.DNSNames\n\n// Validate a DNS name against RFC 1123 and RFC 6125\nif err := san.ValidateDNSName(\"example.com\"); err != nil {\n    log.Error().Err(err).Msg(\"Invalid DNS name\")\n}\n```\n\n## Maintainers\n\n[@AntiD2ta](https://github.com/AntiD2ta)\n[@Bez625](https://github.com/Bez625)\n\n## Contributing\n\nContributions are welcome. Please see [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.\n\n## License\n\n[Apache-2.0](LICENSE) - see [LICENSE](LICENSE) for the full text.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fattestantio%2Fgo-certmanager","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fattestantio%2Fgo-certmanager","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fattestantio%2Fgo-certmanager/lists"}