@tcard
Created April 13, 2021 08:59
Go client certificate
package main
import (
	"crypto/tls"
	"crypto/x509"
	_ "embed"
	"fmt"
	"html"
	"log"
	"net/http"
	"time"
)
// certPEM holds the PEM data embedded from fnmt.pem at build time. main parses
// it into the certificate pool that the TLS server uses as its set of trusted
// client-certificate authorities, so whatever this file contains defines who
// can authenticate.
//
// From https://www.sede.fnmt.gob.es/descargas/certificados-raiz-de-la-fnmt
//
//go:embed fnmt.pem
var certPEM []byte
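// main starts an HTTPS server on :6387 that requires a client certificate
// chaining to the embedded CA bundle (mutual TLS) and greets the caller by the
// certificate's subject common name.
//
// Security notes:
//   - Every certificate that chains to a CA in certPEM is accepted. This is
//     authentication only; a real service would still have to decide which
//     subjects are authorized.
//   - crypto/tls does not check revocation (CRL/OCSP) of client certificates;
//     that would have to be added separately (e.g. via VerifyPeerCertificate).
func main() {
	clientCA := x509.NewCertPool()
	if !clientCA.AppendCertsFromPEM(certPEM) {
		panic("bad PEM")
	}

	greet := func(w http.ResponseWriter, req *http.Request) {
		// RequireAndVerifyClientCert already rejects handshakes without a
		// verified certificate; this guard keeps the handler from panicking
		// on an index out of range if the TLS policy is ever relaxed.
		if req.TLS == nil || len(req.TLS.PeerCertificates) == 0 {
			http.Error(w, "client certificate required", http.StatusUnauthorized)
			return
		}
		// PeerCertificates[0] is the leaf certificate presented by the client.
		cert := req.TLS.PeerCertificates[0]

		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		// The common name is data taken from the client's certificate, so it
		// is HTML-escaped before being written into the markup.
		fmt.Fprintf(w, "¡Hola, <b>%s</b>!\n", html.EscapeString(cert.Subject.CommonName))
	}

	s := &http.Server{
		Addr: ":6387",
		TLSConfig: &tls.Config{
			// Pin the protocol floor explicitly rather than relying on the
			// toolchain default, which differs between Go releases.
			MinVersion: tls.VersionTLS12,
			ClientAuth: tls.RequireAndVerifyClientCert,
			ClientCAs:  clientCA,
		},
		// Bound how long a connection may take to send its request headers so
		// idle or slow peers cannot hold connections open indefinitely.
		ReadHeaderTimeout: 10 * time.Second,
		Handler:           http.HandlerFunc(greet),
	}

	log.Println("Serving at", s.Addr)
	// The server's own certificate chain and private key are read from disk;
	// the process needs read access to the private key file.
	log.Fatal(s.ListenAndServeTLS(
		"/etc/letsencrypt/live/tcardenas.me/fullchain.pem",
		"/etc/letsencrypt/live/tcardenas.me/privkey.pem",
	))
}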