You can take a look at https://github.com/perillo/tls-cert
Manlio Il giorno mercoledì 17 agosto 2016 18:58:18 UTC+2, Mi-e Foame ha scritto: > > Sorry, I should have mentioned that the primary goal here is to generate > certificates for the specific purpose of client authentication. > > On Wednesday, August 17, 2016 at 10:01:01 AM UTC-6, Josh V wrote: >> >> Hi all, >> >> I'm trying to come up with an example of how to create SSL certificates >> and keys from start to finish (including CertificateRequests) all using Go. >> I'll go ahead and get the obligatory "I'm pretty new to SSL" disclaimer out >> of the way... I've played with >> https://golang.org/src/crypto/tls/generate_cert.go quite a bit trying to >> understand what all needs to happen, but that program doesn't cover some >> cases I'd like to get working. Here's what I would like to build: >> >> - Server piece >> - Generates a new private >> - Generates a new x509.Certificate (with IsCA: true) using the new >> private key >> - Write both the cert and key to disk >> - Spin up an HTTP server to accept CSR->Certificate requests >> - Spin up an HTTPS server to accept requests from clients to test >> their newly generated certificates >> - Client piece >> - Generates a new private key >> - Creates a x509.CertificateRequest >> - POSTs the CertificateRequest off to the server's HTTP piece >> - Receives a response containing the client's fresh Certificate >> - Writes both the cert and the key to disk >> - Successfully connects to the server's HTTPS piece using the >> newly generated certificate >> >> I've been working on a project that basically does (or tries to do) all >> of this, and things were looking promising for a while. I have (I guess >> what you'd call) a "root CA" cert/key that are used to create new client >> certificates from CSRs. The resulting client certificate, client key, and >> CA certificate connect to my server piece just fine when I use curl. But >> when I try to use those same files in the Go client, I get an "x509: >> certificate signed by unknown authority" error. I've tried as many >> variations on the tls.Config.ClientCAs and RootCAs as I can think of. >> Nothing seems to be just right, so I'm obviously missing something. >> >> I've tried to whittle my project down to the basic concepts described >> above, which can be found at >> https://gist.github.com/codekoala/c793f020c27bded785fb39f0f2594ee2 ... I >> apologize in advance--it is horrendous code with lots of copy pasta and >> unhandled error cases. I just need to get this out there. If anyone can >> muster up the courage to take a peek at that gist and offer suggestions for >> how to achieve what I've described, please do. >> >> I realize most people will immediately suggest "just use openssl on the >> command line" to get past these hurdles. I could certainly do that, but I'd >> prefer to keep it all in the standard library, if at all possible. Also, >> from my research, it seems like I should be making a root CA and then an >> intermediate CA that is used to process the actual CSRs and such. If anyone >> can offer insight into the correct way to do that with Go, I'm all eyes. >> >> Thanks! >> >> - Josh >> > -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
