Thanks for your reply, however as I stated it's company policy to have a passphrase, even our Java keystores have a passcode. Using other services or methods, or just not having a passcode -- just not the way they want it done. I am not a part of the security team that makes this stuff up and you might as well try to get water to flow uphill to change policies. It is what it is, I gotta deal with it.
I have no problem writing this myself and I already have ideas on what I am going to do, but before I do that I thought I'd ask and see if anyone knew of a package, or some easier way that did this already. I've spent hours in the past writing code only to find later someone has written a great package that does what I need and more. Never hurts to ask right ;)

On Friday, October 16, 2020 at 6:33:14 PM UTC-4 mar...@gmail.com wrote:
> Having a passcode to protect a key file for a production service is pointless, because you move the problem of storing the certificate securely to the problem of storing the passcode securely, so might as well skip the passcode and store the cert securely.
>
> Your certificate is probably encoded as a PEM cert, so you'd have to manually call https://golang.org/pkg/crypto/x509/#DecryptPEMBlock and provide a password, then construct your listener yourself using the unmarshaled certificate. So, how are you going to protect this passcode? Is someone going to have to provide it every time you start?
>
> Generally, in production systems, we use some kind of secret manager to store that certificate, such as AWS Secrets Manager or encrypt it with KMS, store it in Vault, etc. Ideally, you actually make a subordinate cert for that service and rotate it at a reasonable interval.
>
> On Fri, Oct 16, 2020 at 2:06 PM Rich <rma...@gmail.com> wrote:
>
>> I don't know if we're the only company on the planet that demands the https keys have a passcode to them but I've been having a heck of a time trying to find a good way to serve https using a key with a passphrase.
>>
>> err := ListenAndServeTLS(addr, certFile, keyFile string <https://godoc.org/builtin#string>, handler Handler <https://godoc.org/net/http#Handler>)
>>
>> If the keyFile has a passcode this doesn't work and the examples I've seen take this one line and turn it into a much longer chunk of code.
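The approach the quoted reply sketches, decrypting the PEM key block with `x509.DecryptPEMBlock` and handing the resulting key pair to the listener through `tls.Config` instead of `ListenAndServeTLS(certFile, keyFile)`, looks like the following. This is an added example written for this thread, not code from either poster; it generates a throwaway self-signed certificate and an encrypted key in memory (constructed demo material) so it runs offline, and the `demo-passphrase` value, the `loadKeyPair`, `newTLSServer` and `newEncryptedTestMaterial` names and the `127.0.0.1:8443` address are all assumptions of the example. One caveat worth knowing: the only encrypted key format the standard library decrypts is the legacy RFC 1423 `Proc-Type: 4,ENCRYPTED` PEM format, whose key derivation is weak enough that Go marks `DecryptPEMBlock` deprecated; PKCS#8-encrypted keys are not handled by `crypto/x509`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"log"
	"math/big"
	"net/http"
	"time"
)

// loadKeyPair parses a PEM certificate and a PEM private key, decrypting the
// key with passphrase when it carries the legacy "Proc-Type: 4,ENCRYPTED"
// header (the format x509.DecryptPEMBlock understands). An unencrypted key
// passes straight through; a wrong passphrase returns an error.
func loadKeyPair(certPEM, keyPEM, passphrase []byte) (tls.Certificate, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return tls.Certificate{}, errors.New("no PEM block found in key data")
	}
	if x509.IsEncryptedPEMBlock(block) { //nolint:staticcheck // legacy PEM encryption is the mandated format
		der, err := x509.DecryptPEMBlock(block, passphrase) //nolint:staticcheck
		if err != nil {
			return tls.Certificate{}, err // x509.IncorrectPasswordError on a bad passphrase
		}
		// Re-encode the plaintext DER under the original block type so X509KeyPair can parse it.
		keyPEM = pem.EncodeToMemory(&pem.Block{Type: block.Type, Bytes: der})
	}
	return tls.X509KeyPair(certPEM, keyPEM)
}

// newTLSServer wires the in-memory key pair into an http.Server. Calling
// srv.ListenAndServeTLS("", "") makes net/http use TLSConfig.Certificates
// rather than reading certFile/keyFile from disk.
func newTLSServer(addr string, cert tls.Certificate, handler http.Handler) *http.Server {
	return &http.Server{
		Addr:    addr,
		Handler: handler,
		TLSConfig: &tls.Config{
			MinVersion:   tls.VersionTLS12,
			Certificates: []tls.Certificate{cert},
		},
	}
}

// newEncryptedTestMaterial builds a throwaway self-signed certificate and an
// AES-256-CBC passphrase-protected EC key in memory (constructed demo data so
// the example runs offline; a real service would read both from files).
func newEncryptedTestMaterial(passphrase []byte) (certPEM, keyPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	encBlock, err := x509.EncryptPEMBlock(rand.Reader, "EC PRIVATE KEY", keyDER, passphrase, x509.PEMCipherAES256) //nolint:staticcheck
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
	keyPEM = pem.EncodeToMemory(encBlock)
	return certPEM, keyPEM, nil
}

func main() {
	passphrase := []byte("demo-passphrase") // constructed for the demo; a real service sources it from a secret store or prompt
	certPEM, keyPEM, err := newEncryptedTestMaterial(passphrase)
	if err != nil {
		log.Fatal(err)
	}
	cert, err := loadKeyPair(certPEM, keyPEM, passphrase)
	if err != nil {
		log.Fatal(err)
	}
	srv := newTLSServer("127.0.0.1:8443", cert, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		_, _ = w.Write([]byte("hello over TLS\n"))
	}))
	log.Printf("listening on https://%s", srv.Addr)
	log.Fatal(srv.ListenAndServeTLS("", "")) // empty file names: certificates come from TLSConfig
}
```

The key point is that `ListenAndServeTLS` only reads files when it is given non-empty paths; once `TLSConfig.Certificates` is populated from the decrypted key the rest of `net/http` is unchanged, so the "much longer chunk of code" collapses to the one decrypt-and-re-encode step in `loadKeyPair`. The passphrase itself still has to come from somewhere at start-up, which is the storage problem the reply above describes.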