Hey,

Im trying to build etcd-ca on Ubuntu Utopic with go 1.2.1:

go version go1.2.1 linux/amd64

and I get this error:

~/Development/workspace/etcd-ca$ ./build 
Building etcd-ca
# github.com/coreos/etcd-ca/pkix
src/github.com/coreos/etcd-ca/pkix/csr.go:89: undefined: x509.CertificateRequest

I am using golang from Ubuntu Repository. I found this issue (another repo) cloudflare/cfssl#36 where it says

Unfortunately, certificate requests were introduced in Go 1.3;

https://github.com/coreos/etcd-ca/blob/master/README.md#building the go Version should be changed from 1.2+ to 1.3+?

After update to go 1.4.1 and a new git clone everything works perfectly.

Do you accept PR if I refactor the build system to use godep?

Hej!

As discussed in etcd-io/etcd#971 certificates without IP SANs can fail SSL verifications when IPs are used as etcd peer addresses.

An easy way to work around this would be to let etcd-ca generate CSRs with IP SANs - that's not fun to do in OpenSSL directly (like most things, which I guess is why this project exists), so it would be nice to have it as a feature here instead.

//V

It would be handy to have the ability to invalidate/revoke a client certificate.

--- FAIL: TestWorkflow (9.44 seconds)
workflow_test.go:44: Received unexpected error: Outputting CA certificate body:
,

cloned the repository
ran build (which succeeded)
ran test (which failed)
bin/etcd-ca init (succeeded with empty passphrase)
bin/etcd-ca new-cert alice (succeeded with empty passphrase)
bin/etcd-ca sign alice (succeeded with empty passphrase)
bin/etcd-ca chain alice (succeeded)
bin/etcd-ca export alice (succeeded)

$ go get github.com/coreos/etcd-ca
package github.com/coreos/etcd-ca/third_party/code.google.com/p/go.crypto/ssh/terminal
imports github.com/coreos/etcd-ca/third_party/code.google.com/p/go.crypto/ssh/terminal
imports github.com/coreos/etcd-ca/third_party/code.google.com/p/go.crypto/ssh/terminal: cannot find package "github.com/coreos/etcd-ca/third_party/code.google.com/p/go.crypto/ssh/terminal" in any of:
/usr/local/Cellar/go/1.2/libexec/src/pkg/github.com/coreos/etcd-ca/third_party/code.google.com/p/go.crypto/ssh/terminal (from $GOROOT)
/Users/philips/coreos/etcd-go/src/github.com/coreos/etcd-ca/third_party/code.google.com/p/go.crypto/ssh/terminal (from $GOPATH)

I'm not sure if the upstream package for ssh/terminal needs to be updated, I was able to replace the lines in question with bufio.NewReader(os.Stdin).ReadLine() and build ...

> CD ./github.com/coreos/etcd-ca
> SET GOPATH=\USERS\Me\
> go build -o "C:\Users\Me\bin\etcd-ca.exe"
# github.com/coreos/etcd-ca/cmd
\Users\Michael Ryan\src\github.com\coreos\etcd-ca\cmd\util.go:32: undefined: terminal.ReadPassword
\Users\Michael Ryan\src\github.com\coreos\etcd-ca\cmd\util.go:37: undefined: terminal.ReadPassword
\Users\Michael Ryan\src\github.com\coreos\etcd-ca\cmd\util.go:51: undefined: terminal.ReadPassword

Brew has an update to date version of curl that can be used with TLS 1.2

It might make sense to just have a generic --san option to add more IPs / FQDNs to a CSR.

follow up #29

ECDSA support in a CA would be nice. :)

I tried building etcd-ca with the latest golang Docker images and got the following error: gopath/src/github.com/coreos/etcd-ca/cmd/util.go:11:2: code in directory /go/etcd-ca/gopath/src/github.com/coreos/etcd-ca/Godeps/_workspace/src/golang.org/x/crypto/ssh/terminal expects import "golang.org/x/crypto/ssh/terminal"

I'm using Ubuntu 12.04 on my laptop and building this kept failing because the Go version was go1

After I manually compiled the current Go version from googles mercurial repository it worked without problems.

I think it would make sense to document the minimum required go version to build this application as I spend a few hours figuring out what the problem is.

I'd expect a blank passphrase to not encrypt the .key file. Is that a bug or a feature ?

Created ca/key
Created ca/crt

It actually created:

$ ls -l .etcd-ca/
total 24
-r--r--r--  1 polvi  staff  1866 Mar 22 10:50 ca.crt
-r--------  1 polvi  staff     1 Mar 22 10:50 ca.crt.info
-r--------  1 polvi  staff  3311 Mar 22 10:50 ca.priv.key

I'm getting bad certificate errors when I try to enable peer SSL. Can you guys please document the certificate requirements for peer ssl?

Currently I have certs that have CN=10.10.10.1 I don't know if it's failing because the CN doesn't match the ETCD_NAME=test.example.com or if its because the X509v3 Extended Key Usage: TLS Web Server Authentication rather than TLS Web Server Authentication, TLS Web Client Authentication as created by etcd-ca.

Note: I'm not using etcd-ca to create the certs as I have existing CA creation scripts/tools.

It would be great if there was a header or title that told you what was being output of the chain command:

Outputting CA certificate body:
----BEGIN CERTIFICATE-----
MIIFNDCCAx6gAwIBAgIBATALBgkqhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw
...

For some reason, etcd-ca can't stat the file it created.

Generate certs:

root@0947d9ea9a4d:/go/etcd-ca/bin# ./etcd-ca new-cert --organization "MyOrg" --country "US" --ip 10.0.0.10 server1.mydomain.com
Enter passphrase (empty for no passphrase): *******
Enter same passphrase again: *******
Created server1.mydomain.com/key
Created server1.mydomain.com/crt

Go ahead and sign the cert:

root@0947d9ea9a4d:/go/etcd-ca/bin# ./etcd-ca sign server1.mydomain.com
Get CA certificate error: stat /go/etcd-ca/bin/.etcd-ca/ca.crt: no such file or directory

root@0947d9ea9a4d:/go/etcd-ca/bin# pwd
/go/etcd-ca/bin

root@0947d9ea9a4d:/go/etcd-ca/bin# ls -al .etcd-ca/
total 24
drwxr-xr-x 2 root root 4096 Apr 13 15:44 .
drwxr-xr-x 3 root root 4096 Apr 13 15:30 ..
-r--r--r-- 1 root root 1708 Apr 13 15:44 server1.mydomain.com.host.csr
-r--r----- 1 root root 3311 Apr 13 15:44 server1.mydomain.com.host.key
root@0947d9ea9a4d:/go/etcd-ca/bin#

root@0947d9ea9a4d:/go/etcd-ca/bin# go version
go version go1.4.2 linux/amd64
root@0947d9ea9a4d:/go/etcd-ca/bin#