`func (nc *NebulaCertificate) VerifyPrivateKey(key []byte) error` would
previously return an error even if passed the correct private key for a
CA certificate `nc`.
That function has been updated to support CA certificates, and
nebula-cert now calls it before signing a new certificate. Previously,
it would perform all constraint checks against the CA certificate
provided, take a SHA256 fingerprint of the provided certificate, insert
it into the new node certificate, and then finally sign it with the
mismatching private key provided.
* fix: nebula-cert duration is optional, so reflect this is the cli help
nebula-cert sign defaults the duration flag to 1 second before the CA expires, so it is not required to be provided.
* tests: Fix test for duration flag help message
* nebula-cert: add duration default value hint
This fixes a couple issues:
- NoSuchFileError not defined for darwin.
- ca_test and sign_test do a bunch of filesystem specific tests that
error differently on Windows. Just disable these tests on Windows for
now.
- Make the signcert test more deterministic by only testing one existing
file at a time.
Nate Brown