From 244b839f9813ae68c5527e6aadadaff0642c1a00 Mon Sep 17 00:00:00 2001 From: Matthew Holt Date: Tue, 31 Mar 2020 17:56:36 -0600 Subject: pki: Add trust subcommand to install root cert (closes #3204) --- modules/caddypki/command.go | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) (limited to 'modules/caddypki/command.go') diff --git a/modules/caddypki/command.go b/modules/caddypki/command.go index 9276fcb..9117f3f 100644 --- a/modules/caddypki/command.go +++ b/modules/caddypki/command.go @@ -15,6 +15,7 @@ package caddypki import ( + "context" "flag" "fmt" "os" @@ -26,6 +27,25 @@ import ( ) func init() { + caddycmd.RegisterCommand(caddycmd.Command{ + Name: "trust", + Func: cmdTrust, + Short: "Installs a CA certificate into local trust stores", + Long: ` +Adds a root certificate into the local trust stores. Intended for +development environments only. + +Since Caddy will install its root certificates into the local trust +stores automatically when they are first generated, this command is +only necessary if you need to pre-install the certificates before +using them; for example, if you have elevated privileges at one +point but not later, you will want to use this command so that a +password prompt is not required later. + +This command installs the root certificate only for Caddy's +default CA.`, + }) + caddycmd.RegisterCommand(caddycmd.Command{ Name: "untrust", Func: cmdUntrust, 
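Review bot: The `Long` help text for `trust` in `init` recommends running the command with elevated privileges but does not say how to reverse the change or what the trust decision depends on. The comment in `cmdTrust` says provisioning generates and stores the root when none exists, so the root's signing key presumably lives in Caddy's storage, and anything able to read it could issue certificates this machine accepts. I would add a closing paragraph to `Long` such as `The root's private key stays in Caddy's storage; protect that directory, and use the untrust command to remove the certificate when it is no longer needed.` The body of `init` continues outside the hunk.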
@@ -57,6 +77,30 @@ If no flags are specified, --ca=local is assumed.`, }) } +func cmdTrust(fs caddycmd.Flags) (int, error) { + // we have to create a sort of dummy context so that + // the CA can provision itself... + ctx, cancel := caddy.NewContext(caddy.Context{Context: context.Background()}) + defer cancel() + + // provision the CA, which generates and stores a root + // certificate if one doesn't already exist in storage + ca := CA{ + storage: caddy.DefaultStorage, + } + err := ca.Provision(ctx, defaultCAID, caddy.Log()) + if err != nil { + return caddy.ExitCodeFailedStartup, err + } + + err = ca.installRoot() + if err != nil { + return caddy.ExitCodeFailedStartup, err + } + + return caddy.ExitCodeSuccess, nil +} + func cmdUntrust(fs caddycmd.Flags) (int, error) { ca := fs.String("ca") cert := fs.String("cert") -- cgit v1.2.3
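Review bot: `cmdTrust` trusts whatever root `ca.Provision` finds or creates in `caddy.DefaultStorage`, and never tells the operator which certificate went into the trust store. If the storage location depends on the invoking user, a run under elevated privileges (the case the help text describes) may generate and trust a different root than the one the unprivileged Caddy process uses later, and may leave privileged-owned files in the data directory; this should be confirmed and documented. Before `ca.installRoot()` I would log the root's subject and SHA-256 fingerprint so the install can be audited, and add a comment such as `// NOTE: the root comes from the invoking user's default storage; verify it matches the storage the server runs with`. The `fs` parameter is unused, so unlike `untrust` there is no way to choose a CA or certificate; a one-line comment stating that only `defaultCAID` is supported on purpose would make that clear.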