-
-
Save michaljemala/d6f4e01c4834bf47a9c4 to your computer and use it in GitHub Desktop.
package main | |
import ( | |
"crypto/tls" | |
"crypto/x509" | |
"flag" | |
"io/ioutil" | |
"log" | |
"net/http" | |
) | |
var ( | |
certFile = flag.String("cert", "someCertFile", "A PEM eoncoded certificate file.") | |
keyFile = flag.String("key", "someKeyFile", "A PEM encoded private key file.") | |
caFile = flag.String("CA", "someCertCAFile", "A PEM eoncoded CA's certificate file.") | |
) | |
func main() { | |
flag.Parse() | |
// Load client cert | |
cert, err := tls.LoadX509KeyPair(*certFile, *keyFile) | |
if err != nil { | |
log.Fatal(err) | |
} | |
// Load CA cert | |
caCert, err := ioutil.ReadFile(*caFile) | |
if err != nil { | |
log.Fatal(err) | |
} | |
caCertPool := x509.NewCertPool() | |
caCertPool.AppendCertsFromPEM(caCert) | |
// Setup HTTPS client | |
tlsConfig := &tls.Config{ | |
Certificates: []tls.Certificate{cert}, | |
RootCAs: caCertPool, | |
} | |
tlsConfig.BuildNameToCertificate() | |
transport := &http.Transport{TLSClientConfig: tlsConfig} | |
client := &http.Client{Transport: transport} | |
// Do GET something | |
resp, err := client.Get("https://goldportugal.local:8443") | |
if err != nil { | |
log.Fatal(err) | |
} | |
defer resp.Body.Close() | |
// Dump response | |
data, err := ioutil.ReadAll(resp.Body) | |
if err != nil { | |
log.Fatal(err) | |
} | |
log.Println(string(data)) | |
} |
.pem ?
May I know how to generate these 3 configuration .pem files?
@SrinivasChilveri To generate self sigend .pem files run this
go run $GOROOT/src/crypto/tls/generate_cert.go
It will generate key.pem
and cert.pem
for you.
Does this require ssl renegotiation?
how to get/generate ca.pem file for testing purpose
@unknownsuperuser No, renegotiation is not required for this, nor is it implemented in Golang.
@adisheshsm Technically you don't need a CA.pem for client TLS authentication. You can get an exemplary full tree using my script, which you can download here: https://gist.github.com/wmark/c758ce1c2b8222afd69d (top right, »download ZIP«).
Just remember: Don't use golang for authentication using DH/RSA. (Writing this at a time when 1.6 is the most recent version.)
Amazing! Thank you!
good read, Thanks
nqs erro: certificate signed by unknown authority
Thank you!
Can someone tell me what these 3 vars are made of exactly exactly?
certFile = flag.String("cert", "someCertFile", "A PEM eoncoded certificate file.")
keyFile = flag.String("key", "someKeyFile", "A PEM encoded private key file.")
caFile = flag.String("CA", "someCertCAFile", "A PEM eoncoded CA's certificate file.")
I don't understand if these are supposed to be paths to pem files or what.
@antman1p most likely the path to the .pem files to be used as command line arguments. Something like <command> -cert=<path> -key=<path> -CA=<path>
Very nice snippet thank you !
It simply works as expected, thank you!
perfect, just what I need. Many Thanks.
If I don't have access to the file system, how can I pass three pem files in text format and use in this program? (Instead of loading certificates from a file, I have three strings in pem format)
@willyhsiung Use https://golang.org/pkg/crypto/tls/#X509KeyPair instead of tls.LoadX509KeyPair.
Very useful! Help me save a lot time!
Why doesn't the extra comma on line 38 cause an issue?
This is the way the go parser works, you must add an ending comma or put the closing brace at the end of the line
Hi All,
I am quite new to golang.
I want to make a post request with .pfx certificate. Any leads will be extremely helpful.
You should be able to use https://pkg.go.dev/golang.org/x/crypto/pkcs12, e.g. like this:
pfxData, err := ioutil.ReadFile(*pfxFile)
if err != nil {
log.Fatal(err)
}
blocks, err := pkcs12.ToPEM(pfxData, "SOME_PASSWORD") // Change according to your setup
if err != nil {
log.Fatal(err)
}
var pemData []byte
for _, b := range blocks {
pemData = append(pemData, pem.EncodeToMemory(b)...)
}
cert, err := tls.X509KeyPair(pemData, pemData)
// then just use the `cert` as per the snippet
Alternatively, convert pfx to pem using openssl pkcs12
.
Why do we have to use the client cert
in the gist? Does it allow the server to verify the client? Will the client private key information will be sent to the server too? Thanks in advance.
// Load client cert
cert, err := tls.LoadX509KeyPair(*certFile, *keyFile)
if err != nil {
log.Fatal(err)
}
Why do we have to use the client
cert
in the gist? Does it allow the server to verify the client? Will the client private key information will be sent to the server too? Thanks in advance.// Load client cert cert, err := tls.LoadX509KeyPair(*certFile, *keyFile) if err != nil { log.Fatal(err) }
It is not necessary in most cases. Some clients uses cert/key pair for authenication. When you don't or cannot use this feature of TLS, then you can create tlsConfig
without cert
// Setup HTTPS client
tlsConfig := &tls.Config{
RootCAs: caCertPool,
}
BTW: it seems that BuildNameToCertificate()
is deprecated now (go 1.19.3). See: https://pkg.go.dev/crypto/tls#Config.BuildNameToCertificate
It looks like that you can just skip this call to let the library select the first compatible chain from tlsConfig.Certificates
.
You should be able to use https://pkg.go.dev/golang.org/x/crypto/pkcs12, e.g. like this:
pfxData, err := ioutil.ReadFile(*pfxFile) if err != nil { log.Fatal(err) } blocks, err := pkcs12.ToPEM(pfxData, "SOME_PASSWORD") // Change according to your setup if err != nil { log.Fatal(err) } var pemData []byte for _, b := range blocks { pemData = append(pemData, pem.EncodeToMemory(b)...) } cert, err := tls.X509KeyPair(pemData, pemData) // then just use the `cert` as per the snippetAlternatively, convert pfx to pem using
openssl pkcs12
.
Also worth noting that for .pfx
and the password way you would need the below. Just wanted to add more.
encoding/pem
golang.org/x/crypto/pkcs12
What should be the file extensions for the certificate, key, and CA file?