Added support for setting serial number (#17)

README.md

@@ -158,6 +158,7 @@ Writing state: certs.state
 | ca | Set certificate is / is not CA. If `ca` is not defined, `true` is set by default for self-signed certificates. | `true` or  `false` |
 | not_before | Certificate is not valid before this time ([RFC3339 timestamp](https://tools.ietf.org/html/rfc3339)) | `2020-01-01T09:00:00Z` |
 | not_after | Certificate is not valid after this time ([RFC3339 timestamp](https://tools.ietf.org/html/rfc3339)) | `2020-01-01T09:00:00Z` |
+| serial | Serial number for the certificate. Default value is current time in nanoseconds. | `123` |
 
 ## Go API
 

certificate.go

@@ -87,6 +87,10 @@ type Certificate struct {
 	// Default value is current time +  Expires if NotAfter is undefined (when value is nil)
 	NotAfter *time.Time `json:"not_after"`
 
+	// SerialNumber defines serial number for the certificate.
+	// If not set, the default value is current time in nanoseconds.
+	SerialNumber *big.Int `json:"-" hash:"-"`
+
 	// GeneratedCert is a pointer to the generated certificate and private key.
 	// It is automatically set after calling any of the Certificate functions.
 	GeneratedCert *tls.Certificate `json:"-" hash:"-"`
@@ -230,6 +234,10 @@ func (c *Certificate) defaults() error {
 		}
 	}
 
+	if c.SerialNumber == nil {
+		c.SerialNumber = big.NewInt(time.Now().UnixNano())
+	}
+
 	return nil
 }
 
@@ -305,7 +313,7 @@ func (c *Certificate) Generate() error {
 	name, _ := x500dn.ParseDN(c.Subject)
 
 	template := &x509.Certificate{
-		SerialNumber:          big.NewInt(time.Now().UnixNano()),
+		SerialNumber:          c.SerialNumber,
 		Subject:               *name,
 		NotBefore:             notBefore,
 		NotAfter:              notAfter,

certificate_test.go

@@ -22,6 +22,7 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"io/ioutil"
+	"math/big"
 	"net"
 	"net/url"
 	"os"
@@ -331,3 +332,20 @@ func TestRegenerate(t *testing.T) {
 	assert.NotEqual(t, old.Certificate, new.Certificate)
 	assert.NotEqual(t, old.PrivateKey, new.PrivateKey)
 }
+
+func TestSerial(t *testing.T) {
+	serial := big.NewInt(123)
+	input := Certificate{Subject: "CN=Joe", SerialNumber: serial}
+	got, err := input.X509Certificate()
+	assert.Nil(t, err)
+	assert.Equal(t, serial, got.SerialNumber)
+
+	// Check that unique serial is generated by default.
+	input1 := Certificate{Subject: "CN=Joe"}
+	input2 := Certificate{Subject: "CN=Joe"}
+	got1, err := input1.X509Certificate()
+	assert.Nil(t, err)
+	got2, err := input2.X509Certificate()
+	assert.Nil(t, err)
+	assert.NotEqual(t, got1.SerialNumber, got2.SerialNumber)
+}

internal/manifest/manifest.go

@@ -23,6 +23,7 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
+	"math/big"
 	"os"
 	"path"
 	"path/filepath"
@@ -56,6 +57,7 @@ type CertificateManifest struct {
 	ExpiresAsString      string   `json:"expires"`
 	IssuerAsString       string   `json:"issuer"`
 	Filename             string   `json:"filename"`
+	SerialNumberAsInt    *int64   `json:"serial"`
 }
 
 func (c *CertificateManifest) hash() string {
@@ -205,6 +207,10 @@ func (m *Manifest) processCertificate(c *CertificateManifest) error {
 		c.ExtKeyUsage = usage
 	}
 
+	if c.SerialNumberAsInt != nil {
+		c.SerialNumber = big.NewInt(*c.SerialNumberAsInt)
+	}
+
 	// Try to load previously generated certificate and key, which might not exists, so ignore errors.
 	certOnDisk, err := tls.LoadX509KeyPair(path.Join(m.dataDir, c.Filename+".pem"), path.Join(m.dataDir, c.Filename+"-key.pem"))
 	if err == nil {

internal/manifest/manifest_test.go

@@ -22,6 +22,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"io/ioutil"
+	"math/big"
 	"net"
 	"net/url"
 	"os"
@@ -234,4 +235,6 @@ func TestParsingAllCertificateFields(t *testing.T) {
 	assert.Empty(t, got.DNSNames)
 	assert.Empty(t, got.URIs)
 	assert.Empty(t, got.IPAddresses)
+
+	assert.Equal(t, big.NewInt(123), got.SerialNumber)
 }

internal/manifest/testdata/certs-test-all-fields.yaml

@@ -41,3 +41,4 @@ subject: cn=ec-cert
 key_size: 256
 not_before: 2020-01-01T09:00:00Z
 expires: 1h
+serial: 123