
feat(tunnel): Add certificate enrollment after domain join (T-5.3)#97

Merged
obtFusi merged 1 commit into main from feature/t-5.3-cert-enrollment on Jan 24, 2026

Conversation

@obtFusi (Collaborator) commented Jan 24, 2026

Summary

  • Add certificate enrollment functionality for AD CS integration after domain join
  • Validate machine certificates (SAN DNSNames, expiry, renewal threshold)
  • Generate PowerShell enrollment script using certreq.exe
  • Monitor certificate expiry for proactive renewal

Changes

  • client/internal/tunnel/certenroll.go - Certificate enrollment and validation
  • client/internal/tunnel/certenroll_test.go - 32 comprehensive tests

Key Functions

  • ValidateMachineCertificate() - Validates machine cert for mTLS
  • GenerateCertEnrollmentScript() - PowerShell AD CS enrollment
  • ParseCertificateFile() - Extract cert info
  • NeedsRenewal() - Check if renewal needed (30-day threshold)
  • WatchCertificateExpiry() - Background expiry monitor
  • ExtractIssuerFingerprint() - mTLS issuer verification

Test Plan

  • All 32 cert enrollment tests pass
  • All 33 bootstrap/domainjoin tests pass
  • Windows cross-compilation succeeds
  • Manual test on Windows VM (after merge)

Checklist

  • Code follows project conventions
  • Tests added/updated
  • Documentation is not needed

Closes T-5.3
Refs #7

🤖 Generated with Claude Code

- Add ValidateMachineCertificate() for machine cert validation
- Add GenerateCertEnrollmentScript() for AD CS enrollment via certreq
- Add ParseCertificateFile() for cert info extraction
- Add NeedsRenewal() for certificate renewal detection
- Add WatchCertificateExpiry() for proactive renewal monitoring
- Add ExtractIssuerFingerprint() for mTLS issuer verification
- 32 tests covering all cert validation scenarios

Validates:
- SAN DNSNames (not CN!) matching hostname.domain format
- Certificate expiry and minimum validity
- Renewal threshold (30 days before expiry)
- Case-insensitive hostname matching
- Certificate chain for issuer fingerprint

Closes T-5.3

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
github-actions bot added the type:feature (New feature) label on Jan 24, 2026
obtFusi merged commit f8641ac into main on Jan 24, 2026
46 of 50 checks passed
obtFusi deleted the feature/t-5.3-cert-enrollment branch on January 24, 2026 at 19:19
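Added example, not code from this PR or from the project: the validation rules the description and commit message list (SAN DNSNames rather than CN, case-insensitive hostname.domain match, expiry and minimum validity, the 30-day renewal threshold, and an issuer fingerprint taken only after the chain is verified) as one stand-alone Go program. The function names, the `corp.example.com` host names and the in-process CA are this example's own assumptions; it generates a constructed CA and machine certificate in place of what AD CS would hand back via certreq, and gives the leaf a CN that deliberately differs from its SAN so the checks cannot pass by accident through the CN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// RenewalThreshold is the 30-day renewal window named in the PR description.
const RenewalThreshold = 30 * 24 * time.Hour

// ValidateMachineCert accepts a machine certificate for mTLS only if hostname.domain
// appears in the SAN DNSNames (compared case-insensitively; the Subject CN is ignored
// on purpose) and the cert is inside its validity window with minValidity remaining.
func ValidateMachineCert(cert *x509.Certificate, hostname, domain string, now time.Time, minValidity time.Duration) error {
	want := strings.ToLower(hostname + "." + domain)
	matched := false
	for _, name := range cert.DNSNames {
		matched = matched || strings.ToLower(name) == want
	}
	if !matched {
		return fmt.Errorf("SAN DNSNames %v do not contain %q", cert.DNSNames, want)
	}
	if now.Before(cert.NotBefore) || !now.Before(cert.NotAfter) {
		return fmt.Errorf("certificate not valid at %s (window %s to %s)", now, cert.NotBefore, cert.NotAfter)
	}
	if left := cert.NotAfter.Sub(now); left < minValidity {
		return fmt.Errorf("only %s of validity left, need at least %s", left, minValidity)
	}
	return nil
}

// NeedsRenewal reports whether the certificate is within RenewalThreshold of expiry.
func NeedsRenewal(cert *x509.Certificate, now time.Time) bool {
	return cert.NotAfter.Sub(now) <= RenewalThreshold
}

// IssuerFingerprint returns the hex SHA-256 of the issuing CA's DER bytes, but only
// after confirming that CA signed the leaf: hashing whatever is presented as the issuer
// would let a rogue leaf be paired with a copy of the genuine CA cert and still match.
func IssuerFingerprint(leaf, issuer *x509.Certificate) (string, error) {
	if err := leaf.CheckSignatureFrom(issuer); err != nil {
		return "", fmt.Errorf("presented issuer did not sign leaf: %w", err)
	}
	sum := sha256.Sum256(issuer.Raw)
	return hex.EncodeToString(sum[:]), nil
}

// newTestPair builds a constructed issuing CA and a machine cert it signs, standing in
// for what AD CS would return via certreq. The leaf CN deliberately differs from the SAN.
func newTestPair(dnsNames []string, notBefore, notAfter time.Time) (leaf, ca *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen only fails on a broken RNG
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Issuing CA"},
		NotBefore:             notBefore,
		NotAfter:              notAfter.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	ca, _ = x509.ParseCertificate(caDER) // DER produced just above; parsing cannot fail
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "cn-not-used-for-matching"},
		DNSNames:     dnsNames,
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	leaf, _ = x509.ParseCertificate(leafDER)
	return leaf, ca
}

func main() {
	now := time.Date(2026, 1, 24, 12, 0, 0, 0, time.UTC)
	leaf, ca := newTestPair([]string{"WS01.corp.example.com"}, now.Add(-time.Hour), now.Add(90*24*time.Hour))
	fmt.Println("ws01 valid:", ValidateMachineCert(leaf, "ws01", "corp.example.com", now, 24*time.Hour))
	fmt.Println("renew today:", NeedsRenewal(leaf, now), "renew in 61 days:", NeedsRenewal(leaf, now.Add(61*24*time.Hour)))
	fmt.Println(IssuerFingerprint(leaf, ca))
}
```

The order in IssuerFingerprint is the point: the leaf's signature is checked against the presented issuer before anything is hashed, so a pinned fingerprint compares against the CA that actually issued the machine cert rather than against whatever certificate happened to be bundled next to it.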

Labels

type:feature New feature
