feat: makes leaf optional and other changes. (#1931)

* feat: makes leaf optional and other changes.

Signed-off-by: ianhundere <[email protected]>

* docs: updates docs.

Signed-off-by: ianhundere <[email protected]>

* chore: adds default path certmaker certs to make file.

Signed-off-by: ianhundere <[email protected]>

* chore: adds fb.

Signed-off-by: ianhundere <[email protected]>

* refactor: simplifies kmsconfig.

Signed-off-by: ianhundere <[email protected]>

* chore: fixes tests.

Signed-off-by: ianhundere <[email protected]>

---------

Signed-off-by: ianhundere <[email protected]>

.gitignore

@@ -41,4 +41,4 @@ hack/tools/bin
 
 # macOS
 .DS_Store
-fulcio-certificate-maker
+certificate-maker

Makefile

@@ -78,15 +78,18 @@ fulcio: $(SRCS) ## Build Fulcio for local tests
 	go build -trimpath -ldflags "$(LDFLAGS)"
 
 cert-maker: ## Build the Fulcio Certificate Maker tool
-	go build -trimpath -ldflags "$(LDFLAGS)" -o fulcio-certificate-maker ./cmd/certificate_maker
+	go build -trimpath -ldflags "$(LDFLAGS)" -o certificate-maker ./cmd/certificate_maker
 
 test: ## Runs go test
 	go test ./...
 
 clean: ## Clean the workspace
 	rm -rf dist
 	rm -rf fulcio
-	rm -rf fulcio-certificate-maker
+	rm -rf certificate-maker
+	rm -rf root.pem
+	rm -rf intermediate.pem
+	rm -rf leaf.pem
 
 clean-gen: clean
 	rm -rf $(shell find pkg/generated -iname "*.go") *.swagger.json

README.md

@@ -77,10 +77,13 @@ mygUY7Ii2zbdCdliiow=
 
 ### Certificate Maker
 
-The Fulcio's Certificate Maker is a tool for creating Fulcio compliant certificate chains. It supports:
+Certificate Maker is a tool for creating [Fulcio compliant certificate chains](docs/certificate-specification.md). It supports:
 
-* Two-level chains (root -> leaf)
-* Three-level chains (root -> intermediate -> leaf)
+* Two-level chains:
+  * root → leaf
+  * root → intermediate
+* Three-level chains:
+  * root → intermediate → leaf
 * Multiple KMS providers (AWS, Google Cloud, Azure, HashiCorp Vault)
 
 For detailed usage instructions and examples, see the [Certificate Maker documentation](docs/certificate-maker.md).

cmd/certificate_maker/certificate_maker.go

@@ -18,7 +18,6 @@
 package main
 
 import (
-	"context"
 	"fmt"
 	"os"
 	"strings"
@@ -38,7 +37,7 @@ var (
 	version string
 
 	rootCmd = &cobra.Command{
-		Use:     "fulcio-certificate-maker",
+		Use:     "certificate-maker",
 		Short:   "Create certificate chains for Fulcio",
 		Long:    `A tool for creating root, intermediate, and leaf certificates for Fulcio with code signing capabilities`,
 		Version: version,
@@ -50,7 +49,7 @@ var (
 		Long: `Create a certificate chain with the specified common name.
 The common name will be used as the Subject Common Name for the certificates.
 If no common name is provided, the values from the templates will be used.
-Example: fulcio-certificate-maker create "https://fulcio.example.com"`,
+Example: certificate-maker create "https://fulcio.example.com"`,
 		Args: cobra.RangeArgs(0, 1),
 		RunE: runCreate,
 	}
@@ -137,8 +136,6 @@ func init() {
 
 func runCreate(_ *cobra.Command, args []string) error {
 	defer func() { rootCmd.SilenceUsage = true }()
-	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-	defer cancel()
 
 	// Get common name from args if provided, otherwise templates used
 	var commonName string
@@ -148,12 +145,10 @@ func runCreate(_ *cobra.Command, args []string) error {
 
 	// Build KMS config from flags and environment
 	config := certmaker.KMSConfig{
-		CommonName:        commonName,
-		Type:              viper.GetString("kms-type"),
-		RootKeyID:         viper.GetString("root-key-id"),
-		IntermediateKeyID: viper.GetString("intermediate-key-id"),
-		LeafKeyID:         viper.GetString("leaf-key-id"),
-		Options:           make(map[string]string),
+		CommonName: commonName,
+		Type:       viper.GetString("kms-type"),
+		KeyID:      viper.GetString("root-key-id"),
+		Options:    make(map[string]string),
 	}
 
 	// Handle KMS provider options
@@ -186,11 +181,6 @@ func runCreate(_ *cobra.Command, args []string) error {
 		}
 	}
 
-	km, err := certmaker.InitKMS(ctx, config)
-	if err != nil {
-		return fmt.Errorf("failed to initialize KMS: %w", err)
-	}
-
 	// Get template paths
 	rootTemplate := viper.GetString("root-template")
 	intermediateTemplate := viper.GetString("intermediate-template")
@@ -213,14 +203,15 @@ func runCreate(_ *cobra.Command, args []string) error {
 		}
 	}
 
-	return certmaker.CreateCertificates(km, config,
+	return certmaker.CreateCertificates(config,
 		rootTemplate,
 		leafTemplate,
 		viper.GetString("root-cert"),
 		viper.GetString("leaf-cert"),
 		viper.GetString("intermediate-key-id"),
 		viper.GetString("intermediate-template"),
 		viper.GetString("intermediate-cert"),
+		viper.GetString("leaf-key-id"),
 		viper.GetDuration("root-lifetime"),
 		viper.GetDuration("intermediate-lifetime"),
 		viper.GetDuration("leaf-lifetime"))

docs/certificate-maker.md

@@ -1,11 +1,8 @@
-# Fulcio Certificate Maker
+# Certificate Maker
 
-This tool creates root, intermediate (optional), and leaf certificates for Fulcio ([certificate requirements](certificate-specification.md)):
+This tool creates certificates (root, intermediate, and leaf) that meet Fulcio's ([certificate requirements](certificate-specification.md)).
 
-- Two-level chain (root -> leaf)
-- Three-level chain (root -> intermediate -> leaf)
-
-Relies on [x509util](https://pkg.go.dev/go.step.sm/crypto/x509util) which builds X.509 certificates from JSON templates. The tool includes embedded default templates that are compiled into the binary, making it ready to use without external template files.
+It relies on [x509util](https://pkg.go.dev/go.step.sm/crypto/x509util) which builds X.509 certificates from JSON templates. The tool includes embedded default templates that are compiled into the binary, making it ready to use without external template files.
 
 ## Requirements
 
@@ -18,7 +15,7 @@ Build the binary:
 
 ```bash
 make cert-maker
-./fulcio-certificate-maker --help
+./certificate-maker --help
 ```
 
 ## Usage
@@ -30,30 +27,35 @@ The tool can be configured using either command-line flags or environment variab
 The `create` command accepts an optional positional argument for the common name:
 
 ```bash
-fulcio-certificate-maker create [common-name]
+./certificate-maker create [common-name]
 ```
 
 If no common name is provided, the values from the templates will be used.
 
 Available flags:
 
 - `--kms-type`: KMS provider type (awskms, gcpkms, azurekms, hashivault)
+
 - `--root-key-id`: KMS key identifier for root certificate
+- `--intermediate-key-id`: KMS key identifier for intermediate certificate
 - `--leaf-key-id`: KMS key identifier for leaf certificate
+
 - `--aws-region`: AWS region (required for AWS KMS)
 - `--azure-tenant-id`: Azure KMS tenant ID
 - `--gcp-credentials-file`: Path to credentials file (for Google Cloud KMS)
 - `--vault-address`: HashiCorp Vault address
 - `--vault-token`: HashiCorp Vault token
+
 - `--root-template`: Path to root certificate template
-- `--leaf-template`: Path to leaf certificate template
+- `--root-lifetime`: Root certificate lifetime (default: 87600h, 10 years)
 - `--root-cert`: Output path for root certificate (default: root.pem)
-- `--leaf-cert`: Output path for leaf certificate (default: leaf.pem)
-- `--intermediate-key-id`: KMS key identifier for intermediate certificate
+
 - `--intermediate-template`: Path to intermediate certificate template
 - `--intermediate-cert`: Output path for intermediate certificate
-- `--root-lifetime`: Root certificate lifetime (default: 87600h, 10 years)
 - `--intermediate-lifetime`: Intermediate certificate lifetime (default: 43800h, 5 years)
+
+- `--leaf-template`: Path to leaf certificate template
+- `--leaf-cert`: Output path for leaf certificate (default: leaf.pem)
 - `--leaf-lifetime`: Leaf certificate lifetime (default: 8760h, 1 year)
 
 ### Environment Variables
@@ -261,7 +263,7 @@ Certificate:
 Example with AWS KMS:
 
 ```bash
-fulcio-certificate-maker create "https://fulcio.example.com" \
+./certificate-maker create "https://fulcio.example.com" \
   --kms-type awskms \
   --aws-region us-east-1 \
   --root-key-id alias/fulcio-root \
@@ -275,7 +277,7 @@ fulcio-certificate-maker create "https://fulcio.example.com" \
 Example with Azure KMS:
 
 ```bash
-fulcio-certificate-maker create "https://fulcio.example.com" \
+./certificate-maker create "https://fulcio.example.com" \
   --kms-type azurekms \
   --azure-tenant-id 1b4a4fed-fed8-4823-a8a0-3d5cea83d122 \
   --root-key-id "azurekms:name=sigstore-key;vault=sigstore-key" \
@@ -292,7 +294,7 @@ fulcio-certificate-maker create "https://fulcio.example.com" \
 Example with GCP KMS:
 
 ```bash
-fulcio-certificate-maker create "https://fulcio.example.com" \
+./certificate-maker create "https://fulcio.example.com" \
   --kms-type gcpkms \
   --gcp-credentials-file ~/.config/gcloud/application_default_credentials.json \
   --root-key-id  projects/<project_id>/locations/<location>/keyRings/<keyring>/cryptoKeys/fulcio-key1/cryptoKeyVersions/<version> \
@@ -309,7 +311,7 @@ fulcio-certificate-maker create "https://fulcio.example.com" \
 Example with HashiCorp Vault KMS:
 
 ```bash
-fulcio-certificate-maker create "https://fulcio.example.com" \
+./certificate-maker create "https://fulcio.example.com" \
   --kms-type hashivault \
   --vault-address http://vault:8200 \
   --vault-token token \