feat: adds cert-utility templates and documentation.

[ianhundere]

closes #886, closes sigstore/fulcio#1930

Summary

currently, there is no standard method for creating cert chains for fulcio or tsa. the community has used an assortment of open source scripts/tools, but i thought it would be nice to have a small cloud agnostic go app to create/sign (via awskms, gcpkms, or azurekms) certificates. the smallstep crypto library is fairly comprehensive in its kms/cert capabilities.

@haydentherapper / @bobcallaway gave the go ahead in proceeding w/ this work.

Release Note

• Adds certificate utility to create and sign certificates via AWS KMS, Google Cloud KMS, or Azure Key Vault.

Documentation

added docs to ./docs folder and updated README.md to point to docs.

[ianhundere]

i think this is ready for 👀 now. just a couple of notes.

1. the following use-cases are now covered:

• root ca -> leaf
• root ca -> intermediate ca -> leaf

2. the following kms providers are working:

• awskms
• azurekms
• gcpkms

3. hashivault was added, but has not been tested.

i think that about covers it, i have some basic readme/documentation above as well.

cc @haydentherapper

[codecov]

Codecov Report

Attention: Patch coverage is 62.22910% with 244 lines in your changes missing coverage. Please review.

Project coverage is 47.47%. Comparing base (6fd19b0) to head (5d442d2).
Report is 276 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/certmaker/certmaker.go	46.68%	166 Missing and 43 partials ⚠️
cmd/certificate_maker/certificate_maker.go	82.69%	25 Missing and 2 partials ⚠️
pkg/certmaker/template.go	91.83%	7 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #889      +/-   ##
==========================================
- Coverage   52.85%   47.47%   -5.38%     
==========================================
  Files          20       58      +38     
  Lines        1209     4303    +3094     
==========================================
+ Hits          639     2043    +1404     
- Misses        509     2076    +1567     
- Partials       61      184     +123     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[haydentherapper]

Related to the comment I just left on the other PR, I wonder if we can reduce duplication between these two. The only difference between the two is 1) the templates, and 2) that the TSA needs a leaf certificate and Fulcio doesn't.

In the Fulcio codebase, could we have certificate_maker have leaf be optional? Then in this repo, just have a readme pointing to the fulcio codebase and the templates for the TSA?

[ianhundere]

reduce duplication between these two.

yeah, that's what i was thinking / i think that totally works.

so just to reiterate / instead of allowing intermediate keys be optional, we just allow leafs to be optional, correct ?

heh, it's the end of the day here and i didn't connect the dots.

[haydentherapper]

Roots are always required, intermediates are optional, and leafs are optional (for a CA vs TSA).

[ianhundere]

Roots are always required, intermediates are optional, and leafs are optional (for a CA vs TSA).

perfect / should i create a new issue in fulcio for this work or ?

[haydentherapper]

Feel free to just create a PR in Fulcio making the leaf optional, then update this PR to be just the templates plus README. Thanks!

[ianhundere]

this is ready for 👀

cc @haydentherapper