Sorry, I should have mentioned that the primary goal here is to generate certificates for the specific purpose of client authentication.
On Wednesday, August 17, 2016 at 10:01:01 AM UTC-6, Josh V wrote: > > Hi all, > > I'm trying to come up with an example of how to create SSL certificates > and keys from start to finish (including CertificateRequests) all using Go. > I'll go ahead and get the obligatory "I'm pretty new to SSL" disclaimer out > of the way... I've played with > https://golang.org/src/crypto/tls/generate_cert.go quite a bit trying to > understand what all needs to happen, but that program doesn't cover some > cases I'd like to get working. Here's what I would like to build: > > - Server piece > - Generates a new private > - Generates a new x509.Certificate (with IsCA: true) using the new > private key > - Write both the cert and key to disk > - Spin up an HTTP server to accept CSR->Certificate requests > - Spin up an HTTPS server to accept requests from clients to test > their newly generated certificates > - Client piece > - Generates a new private key > - Creates a x509.CertificateRequest > - POSTs the CertificateRequest off to the server's HTTP piece > - Receives a response containing the client's fresh Certificate > - Writes both the cert and the key to disk > - Successfully connects to the server's HTTPS piece using the newly > generated certificate > > I've been working on a project that basically does (or tries to do) all of > this, and things were looking promising for a while. I have (I guess what > you'd call) a "root CA" cert/key that are used to create new client > certificates from CSRs. The resulting client certificate, client key, and > CA certificate connect to my server piece just fine when I use curl. But > when I try to use those same files in the Go client, I get an "x509: > certificate signed by unknown authority" error. I've tried as many > variations on the tls.Config.ClientCAs and RootCAs as I can think of. > Nothing seems to be just right, so I'm obviously missing something. > > I've tried to whittle my project down to the basic concepts described > above, which can be found at > https://gist.github.com/codekoala/c793f020c27bded785fb39f0f2594ee2 ... I > apologize in advance--it is horrendous code with lots of copy pasta and > unhandled error cases. I just need to get this out there. If anyone can > muster up the courage to take a peek at that gist and offer suggestions for > how to achieve what I've described, please do. > > I realize most people will immediately suggest "just use openssl on the > command line" to get past these hurdles. I could certainly do that, but I'd > prefer to keep it all in the standard library, if at all possible. Also, > from my research, it seems like I should be making a root CA and then an > intermediate CA that is used to process the actual CSRs and such. If anyone > can offer insight into the correct way to do that with Go, I'm all eyes. > > Thanks! > > - Josh > -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
