Certificate Generator

We need a peer service in auditor tls cert agent config. This page describes the protocol used to communicate with that peer service.

The peer service should listen on a UDP port over either IPv4 or IPv6. vey-proxy sends requests to that port.

Each UDP packet sent by vey-proxy contains exactly one request, and each UDP packet returned by the peer service should contain exactly one response.

Both requests and responses are structured data encoded in msgpack format.

The top-level object in both the request and the response must be a map. Keys may be either string keys or numeric key IDs. The supported fields are described below.

request

host

required, id: 1, type: string

The hostname of the target TLS server. It may be either a domain name or an IP address.

service

optional, id: 2, type: string | u8

The TLS service type. The same value should be echoed back in the response.

default: http

Added in version 1.9.0.

usage

optional, id: 4, type: string | u8

Set the tls certificate usage type. It should be returned in response.

default: tls_server

Added in version 1.9.1.

cert

optional, id: 3, type: pem string or der binary

The real upstream leaf certificate, in either PEM string format or DER binary format.

Added in version 1.9.0.

response

host

required, id: 1, type: string

The hostname provided in the request.

service

optional, id: 2, type: string | u8

The TLS service type. It should be the same value that was sent in the request.

default: http

Added in version 1.9.0.

usage

optional, id: 6, type: string | u8

The TLS certificate usage type. It should be the same value that was sent in the request.

default: tls_server

Added in version 1.9.1.

cert

required, id: 3, type: pem string

The generated interception certificate chain in PEM format.

key

required, id: 4, type: pem string or der binary

The generated private key, in either PEM string format or DER binary format.

ttl

optional, id: 5, type: u32

The TTL for this response.

If the value is 0, the protective cache ttl configuration is used.

Note

Expired records remain cached for a short additional period before being removed. See cache_vanish_wait for details.

default: 0