feat: Custom Certificate Upload & Management

[Wikid82]

Summary

Add full custom certificate upload, validation, and management to Charon. Users can upload PEM certificates and private keys, validate them before acceptance, view certificate chain details, export in multiple formats, and receive expiry warnings — all through the management UI.

Closes #22

---

What Changed

Backend (Go)

Certificate Service (certificate_service.go, certificate_validator.go)

• Upload with PEM parsing, chain validation, and domain extraction
• AES-encrypted private key storage (private_key_enc column, never plaintext at rest)
• Export in PEM and PKCS#12/PFX formats with optional password protection
• Certificate-in-use checks before deletion (linked proxy host validation)
• Expiry checking with configurable warning thresholds
• Migration utility to encrypt any legacy plaintext private keys
• Dedicated validator module with chain-of-trust verification and key-pair matching

API Handlers (certificate_handler.go)

• POST /certificates/upload — upload cert + optional key
• POST /certificates/validate — validate without persisting
• PUT /certificates/:id — update name/metadata
• GET /certificates/:id — fetch single certificate with chain info
• POST /certificates/:id/export — export as PEM or PFX
• DELETE /certificates/:id — delete with in-use guard

Caddy Integration (caddy/config.go, caddy/manager.go)

• Custom certificates are injected into Caddy TLS automation policies
• Proxy hosts referencing a custom certificate use it directly instead of ACME

Model (ssl_certificate.go)

• New fields: CertificateChain, KeyType, Issuer, Fingerprint, Domains
• PrivateKey excluded from GORM (gorm:"-"); only PrivateKeyEncrypted persists

Frontend (React/TypeScript)

New Components

• CertificateUploadDialog — drag-and-drop PEM file upload with real-time validation preview
• CertificateExportDialog — PEM/PFX export with optional password and key inclusion
• CertificateDetailDialog — full certificate details, chain viewer, and metadata
• CertificateChainViewer — visual intermediate/root chain display
• CertificateValidationPreview — pre-upload validation feedback
• FileDropZone — reusable accessible file drop target

Updated Components

• CertificateList — integrated upload, export, and detail actions
• CertificateStatusCard — domain-aware status badges
• ProxyHostForm — custom certificate selection in SSL configuration
• Certificates page — simplified with hook-based data flow

API Client (certificates.ts)

• New endpoints: uploadCertificate, validateCertificate, exportCertificate
• Updated deleteCertificate to accept UUID strings

Hook (useCertificates.ts)

• Added upload, validate, export actions
• Domain-to-certificate status mapping for proxy host integration

i18n (translation.json)

• 60+ new translation keys for certificate UI strings

Testing

Backend Unit Tests (125+ tests across 8 files)

• certificate_service_coverage_test.go — 33 subtests covering all service functions
• certificate_handler_coverage_test.go — 21 handler endpoint tests
• certificate_validator_test.go — chain, key-pair, and format validation
• certificate_handler_test.go / certificate_handler_security_test.go — updated for new routes

Frontend Unit Tests (14 test files)

• Dialog tests: upload, export, detail, delete, bulk delete, cleanup
• Component tests: chain viewer, validation preview, file drop zone, status card
• Hook tests: useCertificates lifecycle
• Page tests: corrected UUID-based deletion assertions, fixed mock property names

E2E Tests (Playwright)

• certificate-export.spec.ts — 14 end-to-end tests covering export dialog flows

Infrastructure

• Dockerfile: CVE-2026-40200 remediation (musl musl-utils in apk upgrade)
• package.json: Playwright @axe-core/playwright added for accessibility testing
• Dependencies: axios@1.15.0, vite@8.0.8 (security patches)

---

Acceptance Criteria Status

Criteria	Status
Can upload custom certificates	✅
Certificates validated before acceptance	✅
Private keys securely stored (AES encrypted)	✅
Expiry warnings work	✅
Certificate chain/intermediate support	✅
Certificate assignment to proxy hosts	✅
Certificate export (PEM, PFX)	✅
Certificate-in-use deletion guard	✅

---

Quality Gates

• Backend line coverage: 87.6% (gate: 87%)
• Frontend tests: all passing
• E2E Playwright: 14 export flow tests
• Security: Trivy, CodeQL, gosec, semgrep — zero critical/high
• Pre-commit: all 14 lefthook hooks passing

[codecov]

Codecov Report

❌ Patch coverage is 89.87430% with 145 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
...ckend/internal/api/handlers/certificate_handler.go	75.90%	42 Missing and 18 partials ⚠️
backend/internal/services/certificate_service.go	86.66%	44 Missing and 12 partials ⚠️
backend/internal/services/certificate_validator.go	95.25%	7 Missing and 6 partials ⚠️
...ackend/internal/api/handlers/proxy_host_handler.go	82.75%	4 Missing and 1 partial ⚠️
backend/internal/config/config.go	25.00%	2 Missing and 1 partial ⚠️
backend/internal/api/routes/routes.go	92.30%	1 Missing and 1 partial ⚠️
backend/internal/caddy/manager.go	33.33%	2 Missing ⚠️
...src/components/dialogs/CertificateUploadDialog.tsx	97.33%	1 Missing and 1 partial ⚠️
backend/cmd/api/main.go	75.00%	0 Missing and 1 partial ⚠️
frontend/src/pages/Dashboard.tsx	50.00%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[github-actions]

✅ Supply Chain Verification Results

✅ PASSED

📦 SBOM Summary

• Components: 1485

🔍 Vulnerability Scan

Severity	Count
🔴 Critical	0
🟠 High	0
🟡 Medium	4
🟢 Low	0
Total	4

📎 Artifacts

• SBOM (CycloneDX JSON) and Grype results available in workflow artifacts

---

_{Generated by Supply Chain Verification workflow • View Details}

[Copilot]

Pull request overview

Copilot reviewed 76 out of 80 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• frontend/package-lock.json: Language not supported

Comments suppressed due to low confidence (6)

backend/internal/services/certificate_validator.go:1

• In the DER key fallback path, if x509.ParseECPrivateKey fails the code returns an error wrapping err (from ParsePKCS8PrivateKey) instead of the last failure (err2). This can produce misleading errors and hides the actual parsing failure. Prefer returning/wrapping err2 (or the most relevant/last error) in that branch.
  frontend/src/components/ProxyHostForm.tsx:1
• This select still uses cert.id for the option value, but the certificate API changes in this PR emphasize UUID-based operations (and id is deprecated/optional in the type). If id is missing, multiple options will collapse to value=\"0\", breaking selection and submission. Use cert.uuid as the stable key/value (and update the proxy host API/contract to accept UUID), or guarantee that id is always provided by the certificates list endpoint and remove the ?? 0 fallback.
  backend/internal/services/certificate_validator_test.go:1
• The subtest name says "self-signed cert validates" but the assertion expects an error (and the inline comment explains why). Rename the test case to match the expected behavior (e.g., "self-signed cert fails chain validation without trusted root") to keep intent clear.
  package.json:1
• The added vitest version ^4.1.4 is not a version I’m aware of (as of my 2025-08 knowledge cutoff). Please double-check that this version exists in npm and aligns with your Vite/TypeScript setup; if not, pin to an available Vitest major that matches the repo’s tooling.
  frontend/src/components/CertificateList.tsx:1
• selectedIds now stores certificate UUID strings rather than numeric IDs. Renaming to something like selectedUuids (and corresponding setters) would reduce confusion and help prevent future misuse.
  backend/pkg/dnsprovider/custom/rfc2136_provider_test.go:1
• t.Fatal(...) already stops the test goroutine (via FailNow), so the return is redundant and adds noise. Consider removing the return unless it’s needed to satisfy a specific linter rule in this repo (in which case, documenting that rationale would help).

[Copilot]

Pull request overview

Copilot reviewed 91 out of 95 changed files in this pull request and generated 5 comments.

Files not reviewed (1)

• frontend/package-lock.json: Language not supported