SSLMate / go-pkcs12

Go library for encoding and decoding PKCS#12 files

Home Page: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12


Encoding a combined keystore and trust store

Tetha opened this issue · comments

Moin,

I've been wrestling with a library - march_hare - for a while. I need to provide TLS certificates to march_hare, so march_hare can connect to a TLS-secured RabbitMQ instance in order to do messaging stuff.

In order to generate these certs from Hashicorp Vault, we have written a small internal tool called the certdeployer. This tool uses the vault API on one side and has config files to write the certificates into files in pretty much whatever format we need - encoding/pem in three files (ca/key/cert), key and cert bundled, pkcs8, and so on.

This library is used (very successfully) to generate PKCS12 Keystores and Truststores for our java applications via the Encode and EncodeTrustEntries functions and then they can connect to postgres/rabbitmq/whatever.

However, march_hare is throwing a new wrench into the gears, because march_hare does not use a keystore and a truststore like many other applications. Instead, march hare wants one PKCS12 keystore, which in turn contains one key/cert safebag, and one trust-entry safebag with the CA.

Now, after some back and forth, I kinda bit the bullet and set up a quick and dirty PoC on a fork, kinda merging Encode and EncodeTrustEntries, and this results in a keystore that actually works fine, at least in KeyStore Explorer. You can find the current kludge here:

https://github.com/Tetha/go-pkcs12/blob/combined-key-and-trust-store/pkcs12_combined.go

And like the biggest ordeal in this process was getting the two safebag lists appended right here:

https://github.com/Tetha/go-pkcs12/blob/combined-key-and-trust-store/pkcs12_combined.go#L124

Now, what I'd like to know from you is whether you want this merged. If you do, I'd have to clean the code up a little, probably by extracting the safebag creations into reusable functions and adding a few tests. Things like that.

Just did some further testing, and the resulting keystore can indeed be loaded by march hare and functions correctly as a trust- and keystore at the same time.
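An added example (not code from the issue, the linked fork, or go-pkcs12 itself) showing the layout the post describes: key/cert bags and a Java-style trust entry appended into one SafeContents, plus a parse-back check that a certdeployer-style tool can run on what it generated. It uses only encoding/asn1 and assumes the RFC 7292 SafeBag structure go-pkcs12 also uses, with Oracle's trusted-key-usage attribute marking the trust entry; the key and certificate payloads are constructed placeholders, and a real store still needs the shrouded key, the PKCS#7 wrapping and the MAC around this SafeContents.

```go
package main

import "encoding/asn1"

// OIDs from RFC 7292 plus Oracle's trusted-key-usage attribute, which marks a Java trust
// entry; the two structs mirror go-pkcs12's own safeBag layout (SafeBag, PKCS12Attribute).
var oidKeyBag = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 12, 10, 1, 1}
var oidCertBag = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 12, 10, 1, 3}
var oidJavaTrustStore = asn1.ObjectIdentifier{2, 16, 840, 1, 113894, 746875, 1, 1}
var oidAnyExtendedKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37, 0}
type pkcs12Attribute struct {
	Id    asn1.ObjectIdentifier
	Value asn1.RawValue `asn1:"set"`
}
type safeBag struct {
	Id         asn1.ObjectIdentifier
	Value      asn1.RawValue     `asn1:"tag:0,explicit"`
	Attributes []pkcs12Attribute `asn1:"set,optional"`
}

// newBag builds the [0] EXPLICIT wrapper by hand (encoding/asn1 ignores the explicit struct tag
// when marshaling a RawValue); trusted adds the Java trust-entry attribute, a SET of one OID.
func newBag(id asn1.ObjectIdentifier, bagDER []byte, trusted bool) safeBag {
	b := safeBag{Id: id, Value: asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: bagDER}}
	if trusted {
		oidDER, _ := asn1.Marshal(oidAnyExtendedKeyUsage) // constant OID, cannot fail
		b.Attributes = []pkcs12Attribute{{Id: oidJavaTrustStore, Value: asn1.RawValue{
			Class: asn1.ClassUniversal, Tag: asn1.TagSet, IsCompound: true, Bytes: oidDER}}}
	}
	return b
}

// combinedSafeContents is the step the issue found hardest: both lists must land in ONE
// SafeContents (SEQUENCE OF SafeBag), so append the slices and marshal them once.
func combinedSafeContents(keyBags, trustBags []safeBag) ([]byte, error) {
	return asn1.Marshal(append(append([]safeBag{}, keyBags...), trustBags...))
}

// hasKeyAndTrust parses SafeContents back: a combined store must hold a key bag and a trust entry.
func hasKeyAndTrust(der []byte) bool {
	var bags []safeBag
	_, err := asn1.Unmarshal(der, &bags)
	key, trust := false, false
	for _, b := range bags {
		key = key || b.Id.Equal(oidKeyBag)
		for _, a := range b.Attributes {
			trust = trust || (b.Id.Equal(oidCertBag) && a.Id.Equal(oidJavaTrustStore))
		}
	}
	return err == nil && key && trust
}
```

A keystore-only or truststore-only SafeContents fails the check, which is the failure mode the march_hare setup hit when given two separate stores.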