Allow multiple client certs so we can provide a chain

openziti · Nov 11, 2022 · 0f7a28d · 0f7a28d
1 parent d88accb
commit 0f7a28d
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/token.go b/token.go
@@ -86,7 +86,7 @@ func LoadClientIdentity(certPath, keyPath, caCertPath string) (*TokenId, error)
 	}
 }
 
-func NewClientTokenIdentity(clientCert *x509.Certificate, privateKey crypto.PrivateKey, caCerts []*x509.Certificate) *TokenId {
+func NewClientTokenIdentity(clientCerts []*x509.Certificate, privateKey crypto.PrivateKey, caCerts []*x509.Certificate) *TokenId {
 	pool := x509.NewCertPool()
 
 	for _, ca := range caCerts {
@@ -97,14 +97,15 @@ func NewClientTokenIdentity(clientCert *x509.Certificate, privateKey crypto.Priv
 		Config:   Config{},
 		certLock: sync.RWMutex{},
 		cert: &tls.Certificate{
-			Certificate: [][]byte{
-				clientCert.Raw,
-			},
-			Leaf:       clientCert,
+			Leaf:       clientCerts[0],
 			PrivateKey: privateKey,
 		},
 		ca: pool,
 	}
 
+	for _, cert := range clientCerts {
+		id.cert.Certificate = append(id.cert.Certificate, cert.Raw)
+	}
+
 	return NewIdentity(id)
 }