Add support for dynamic set of sub CAs

handlers/registry.go

@@ -122,8 +122,8 @@ func (registry *SigningRequestRegistry) sign(request *SigningRequestAttributes)
 	time.Sleep(5 * time.Second)
 
 	opensslCommand := exec.Command(
-		"openssl", "ca", "-config", "ca.cnf",
+		"openssl", "ca", "-config", "ca.cnf", "-name", "email_ca",
-		"-policy", "policy_match", "-extensions", "client_ext",
+		"-policy", "policy_match", "-extensions", "email_ext",
 		"-batch", "-subj", subjectDN, "-utf8", "-rand_serial", "-in", csrFile.Name())
 	var out, cmdErr bytes.Buffer
 	opensslCommand.Stdout = &out

main.go

@@ -11,6 +11,7 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
+	"path/filepath"
 	"strings"
 	"syscall"
 	"time"
@@ -47,7 +48,6 @@ func main() {
 		CipherSuites: []uint16{
 			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
 		},
 		NextProtos:               []string{"h2"},
 		PreferServerCipherSuites: true,
@@ -124,8 +124,12 @@ func generateRandomBytes(count int) []byte {
 
 func loadCACertificates() (caCertificates []*x509.Certificate) {
 	var err error
-	caCertificates = make([]*x509.Certificate, 2)
+	caFiles, err := filepath.Glob("example_ca/*/ca.crt.pem")
-	for index, certFile := range []string{"example_ca/sub/ca.crt.pem", "example_ca/root/ca.crt.pem"} {
+	if err != nil {
+		log.Panic(err)
+	}
+	caCertificates = make([]*x509.Certificate, len(caFiles))
+	for index, certFile := range caFiles {
 		var certBytes []byte
 		if certBytes, err = ioutil.ReadFile(certFile); err != nil {
 			log.Panic(err)