Skip to content

expose signer key id argument in zts-svccert utility #3099

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
psasidhar merged 2 commits into from
Oct 10, 2025
Merged

expose signer key id argument in zts-svccert utility #3099

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f6110d0
expose signer key id argument in zts-svccert utility
havetisyan Oct 10, 2025
ae4c636
address review comments
havetisyan Oct 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 12 additions & 5 deletions utils/zts-svccert/zts-svccert.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,21 +59,21 @@ func usage() {
fmt.Println("")
fmt.Println("Request Service Identity Certificate using Registered Public/Private Key Pair:")
fmt.Println("")
fmt.Println(" zts-svccert -zts <zts-server-url> -private-key <private-key-path> -key-version <private-key-version> -hdr <credential-header-name> [-provider <provider-name>[ <service-details> [-instance <instance-id>] <certificate-details>")
fmt.Println(" zts-svccert -zts <zts-server-url> -private-key <private-key-path> -key-version <private-key-version> -hdr <credential-header-name> <service-details> <certificate-details> [-provider <provider-name> -instance <instance-id>]")
fmt.Println("")
fmt.Println("Request Service Identity Certificate Signing Request (CSR) Only:")
fmt.Println("")
fmt.Println(" zts-svccert -csr -private-key <private-key-path> [-provider <provider-name>] <service-details> [-instance <instance-id>] <certificate-details>")
fmt.Println(" zts-svccert -csr -private-key <private-key-path> <service-details> <certificate-details> [-provider <provider-name> -instance <instance-id>]")
fmt.Println("")
fmt.Println("Request Service Identity Certificate using Provided Attestation Data:")
fmt.Println("")
fmt.Println(" zts-svccert -private-key <private-key-path> -attestation-data <attestation-data-file> [-hdr <credential-header-name>] [-provider <provider-name>] <service-details> [-instance <instance-id>] <certificate-details>")
fmt.Println(" zts-svccert -private-key <private-key-path> -attestation-data <attestation-data-file> <service-details> <certificate-details> [-hdr <credential-header-name>] [-provider <provider-name> -instance <instance-id>]")
fmt.Println("")
fmt.Println("Common parameters:")
fmt.Println("")
fmt.Println(" <service-details> := -domain <domain-name> -service <service-name>")
fmt.Println("")
fmt.Println(" <certificate-details> := -dns-domain <san-dns-domain-component> [-signer-cert-file <cert-output-file>] [-spiffe] [-expiry-time <mins>] [-sub-c <subject country>] [-sub-o <subject org] [-sub-ou <subject orgunit] [-ip <san-ip-address>] [-signer-cert-file <root-ca-output-file>]")
fmt.Println(" <certificate-details> := -dns-domain <san-dns-domain-component> [-signer-cert-file <ca-cert-output-file>] [-spiffe] [-expiry-time <mins>] [-sub-c <subject country>] [-sub-o <subject org>] [-sub-ou <subject orgunit>] [-ip <san-ip-address>] [-signer-key-id <key-id>]")
fmt.Println("")
fmt.Println(" <principal-credentials> := -svc-key-file <private-key-file> -svc-cert-file <service-cert-file> [-cacert <ca-cert-file>] |")
fmt.Println(" -ntoken-file <ntoken-file> [-hdr <auth-header-name>] [-cacert <ca-cert-file>]")
Expand All @@ -82,7 +82,7 @@ func usage() {
}

func main() {
var ztsURL, serviceKey, serviceCert, domain, service, keyID string
var ztsURL, serviceKey, serviceCert, domain, service, keyID, signerKeyID string
var caCertFile, certFile, signerCertFile, dnsDomain, hdr, ip string
var subjC, subjO, subjOU, uri, provider, instance, instanceId string
var svcKeyFile, svcCertFile, ntokenFile, attestationDataFile, spiffeTrustDomain string
Expand Down Expand Up @@ -116,6 +116,7 @@ func main() {
flag.StringVar(&svcCertFile, "svc-cert-file", "", "service identity certificate file")
flag.BoolVar(&showVersion, "version", false, "Show version")
flag.StringVar(&spiffeTrustDomain, "spiffe-trust-domain", "", "Trust Domain value to be included in spiffe uri")
flag.StringVar(&signerKeyID, "signer-key-id", "", "Certificate Signer Key id to use to sign the certificate")
flag.Parse()

if showVersion {
Expand Down Expand Up @@ -281,6 +282,9 @@ func main() {
AttestationData: attestationData,
Csr: csrData,
}
if signerKeyID != "" {
req.X509CertSignerKeyId = zts.SimpleName(signerKeyID)
}

// request a tls certificate for this service
identity, _, err := client.PostInstanceRegisterInformation(req)
Expand All @@ -299,6 +303,9 @@ func main() {
KeyId: keyID,
ExpiryTime: &expiryTime32,
}
if signerKeyID != "" {
req.X509CertSignerKeyId = zts.SimpleName(signerKeyID)
}

// request a tls certificate for this service
identity, err := client.PostInstanceRefreshRequest(zts.CompoundName(domain), zts.SimpleName(service), req)
Expand Down
Loading