Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
SSL Client Authentication Golang sample
package main
import (
"crypto/tls"
"crypto/x509"
"flag"
"io/ioutil"
"log"
"net/http"
)
var (
certFile = flag.String("cert", "someCertFile", "A PEM eoncoded certificate file.")
keyFile = flag.String("key", "someKeyFile", "A PEM encoded private key file.")
caFile = flag.String("CA", "someCertCAFile", "A PEM eoncoded CA's certificate file.")
)
func main() {
flag.Parse()
// Load client cert
cert, err := tls.LoadX509KeyPair(*certFile, *keyFile)
if err != nil {
log.Fatal(err)
}
// Load CA cert
caCert, err := ioutil.ReadFile(*caFile)
if err != nil {
log.Fatal(err)
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
// Setup HTTPS client
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: caCertPool,
}
tlsConfig.BuildNameToCertificate()
transport := &http.Transport{TLSClientConfig: tlsConfig}
client := &http.Client{Transport: transport}
// Do GET something
resp, err := client.Get("https://goldportugal.local:8443")
if err != nil {
log.Fatal(err)
}
defer resp.Body.Close()
// Dump response
data, err := ioutil.ReadAll(resp.Body)
if err != nil {
log.Fatal(err)
}
log.Println(string(data))
}
@Xeoncross
Copy link

Xeoncross commented Jan 8, 2015

If you name it ____.go gist will highlight the code for you.

@kentoj
Copy link

kentoj commented May 21, 2015

Why doesn't the extra comma on line 38 cause an issue?

@mholt
Copy link

mholt commented May 26, 2015

@kentoj That's correct Go syntax. Omitting the comma will cause a parse error.

Copy link

ghost commented Aug 27, 2015

What should be the file extensions for the certificate, key, and CA file?

@magiconair
Copy link

magiconair commented Nov 1, 2015

.pem ?

@SrinivasChilveri
Copy link

SrinivasChilveri commented Nov 15, 2015

May I know how to generate these 3 configuration .pem files?

@gernest
Copy link

gernest commented Jan 5, 2016

@SrinivasChilveri To generate self sigend .pem files run this

go run $GOROOT/src/crypto/tls/generate_cert.go

It will generate key.pem and cert.pem for you.

@unknownsuperuser
Copy link

unknownsuperuser commented Jan 8, 2016

Does this require ssl renegotiation?

@adisheshsm
Copy link

adisheshsm commented Jan 17, 2016

how to get/generate ca.pem file for testing purpose

@wmark
Copy link

wmark commented Feb 14, 2016

@unknownsuperuser No, renegotiation is not required for this, nor is it implemented in Golang.

@adisheshsm Technically you don't need a CA.pem for client TLS authentication. You can get an exemplary full tree using my script, which you can download here: https://gist.github.com/wmark/c758ce1c2b8222afd69d (top right, »download ZIP«).

Just remember: Don't use golang for authentication using DH/RSA. (Writing this at a time when 1.6 is the most recent version.)

@brandong954
Copy link

brandong954 commented Jul 28, 2016

Amazing! Thank you!

@VimleshS
Copy link

VimleshS commented Aug 30, 2016

good read, Thanks

@denofiend
Copy link

denofiend commented Oct 13, 2016

nqs erro: certificate signed by unknown authority

@jeyaramashok
Copy link

jeyaramashok commented Dec 9, 2016

Thank you!

@antman1p
Copy link

antman1p commented Feb 13, 2017

Can someone tell me what these 3 vars are made of exactly exactly?
certFile = flag.String("cert", "someCertFile", "A PEM eoncoded certificate file.")
keyFile = flag.String("key", "someKeyFile", "A PEM encoded private key file.")
caFile = flag.String("CA", "someCertCAFile", "A PEM eoncoded CA's certificate file.")

I don't understand if these are supposed to be paths to pem files or what.

@AlexGoja
Copy link

AlexGoja commented Mar 27, 2017

@antman1p most likely the path to the .pem files to be used as command line arguments. Something like <command> -cert=<path> -key=<path> -CA=<path>

@duckie
Copy link

duckie commented Mar 2, 2018

Very nice snippet thank you !

@davenemeth
Copy link

davenemeth commented Apr 5, 2018

It simply works as expected, thank you!

@lummie
Copy link

lummie commented Dec 13, 2019

perfect, just what I need. Many Thanks.

@willyhsiung
Copy link

willyhsiung commented Jan 29, 2020

If I don't have access to the file system, how can I pass three pem files in text format and use in this program? (Instead of loading certificates from a file, I have three strings in pem format)

@michaljemala
Copy link
Author

michaljemala commented Jan 29, 2020

@willyhsiung Use https://golang.org/pkg/crypto/tls/#X509KeyPair instead of tls.LoadX509KeyPair.

@kongpingfan
Copy link

kongpingfan commented Aug 6, 2020

Very useful! Help me save a lot time!

@dgsb
Copy link

dgsb commented Aug 19, 2020

Why doesn't the extra comma on line 38 cause an issue?

This is the way the go parser works, you must add an ending comma or put the closing brace at the end of the line

@SouravKabiraj
Copy link

SouravKabiraj commented Jan 6, 2021

Hi All,
I am quite new to golang.
I want to make a post request with .pfx certificate. Any leads will be extremely helpful.

@michaljemala
Copy link
Author

michaljemala commented Jan 10, 2021

Hi @SouravKabiraj

You should be able to use https://pkg.go.dev/golang.org/x/crypto/pkcs12, e.g. like this:

pfxData, err := ioutil.ReadFile(*pfxFile)
if err != nil {
	log.Fatal(err)
}
blocks, err := pkcs12.ToPEM(pfxData, "SOME_PASSWORD") // Change according to your setup
if err != nil {
	log.Fatal(err)
}
var pemData []byte
for _, b := range blocks {
	pemData = append(pemData, pem.EncodeToMemory(b)...)
}
cert, err := tls.X509KeyPair(pemData, pemData)

// then just use the `cert` as per the snippet

Alternatively, convert pfx to pem using openssl pkcs12.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment