SSL Client Authentication Golang sample

tls-client.go

package main

import (
	"crypto/tls"
	"crypto/x509"
	"flag"
	"io/ioutil"
	"log"
	"net/http"
)

var (
	certFile = flag.String("cert", "someCertFile", "A PEM eoncoded certificate file.")
	keyFile  = flag.String("key", "someKeyFile", "A PEM encoded private key file.")
	caFile   = flag.String("CA", "someCertCAFile", "A PEM eoncoded CA's certificate file.")
)

func main() {
	flag.Parse()

	// Load client cert
	cert, err := tls.LoadX509KeyPair(*certFile, *keyFile)
	if err != nil {
		log.Fatal(err)
	}

	// Load CA cert
	caCert, err := ioutil.ReadFile(*caFile)
	if err != nil {
		log.Fatal(err)
	}
	caCertPool := x509.NewCertPool()
	caCertPool.AppendCertsFromPEM(caCert)

	// Setup HTTPS client
	tlsConfig := &tls.Config{
		Certificates: []tls.Certificate{cert},
		RootCAs:      caCertPool,
	}
	tlsConfig.BuildNameToCertificate()
	transport := &http.Transport{TLSClientConfig: tlsConfig}
	client := &http.Client{Transport: transport}

	// Do GET something
	resp, err := client.Get("https://goldportugal.local:8443")
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()

	// Dump response
	data, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		log.Fatal(err)
	}
	log.Println(string(data))
}

If you name it ____.go gist will highlight the code for you.

Why doesn't the extra comma on line 38 cause an issue?

@kentoj That's correct Go syntax. Omitting the comma will cause a parse error.

What should be the file extensions for the certificate, key, and CA file?

.pem ?

May I know how to generate these 3 configuration .pem files?

@SrinivasChilveri To generate self sigend .pem files run this

go run $GOROOT/src/crypto/tls/generate_cert.go

It will generate key.pem and cert.pem for you.

Does this require ssl renegotiation?

how to get/generate ca.pem file for testing purpose

@unknownsuperuser No, renegotiation is not required for this, nor is it implemented in Golang.

@adisheshsm Technically you don't need a CA.pem for client TLS authentication. You can get an exemplary full tree using my script, which you can download here: https://gist.github.com/wmark/c758ce1c2b8222afd69d (top right, »download ZIP«).

Just remember: Don't use golang for authentication using DH/RSA. (Writing this at a time when 1.6 is the most recent version.)

Amazing! Thank you!

good read, Thanks

nqs erro: certificate signed by unknown authority

Thank you!

Can someone tell me what these 3 vars are made of exactly exactly?
certFile = flag.String("cert", "someCertFile", "A PEM eoncoded certificate file.")
keyFile = flag.String("key", "someKeyFile", "A PEM encoded private key file.")
caFile = flag.String("CA", "someCertCAFile", "A PEM eoncoded CA's certificate file.")

I don't understand if these are supposed to be paths to pem files or what.

@antman1p most likely the path to the .pem files to be used as command line arguments. Something like <command> -cert=<path> -key=<path> -CA=<path>

Very nice snippet thank you !

It simply works as expected, thank you!

What if the key is password protected ?