How to provide CA certs for ListenAndServeTLS function

Question

It says that in the docs:

"ListenAndServeTLS acts identically to ListenAndServe, except that it expects HTTPS connections. Additionally, files containing a certificate and matching private key for the server must be provided. If the certificate is signed by a certificate authority, the certFile should be the concatenation of the server's certificate, any intermediates, and the CA's certificate."

Yet I can barely understand what concatenation and intermediates actually mean.
Could anyone please kindly give me an example? Thanks in advance.

Btw, I don't wanna load the CA cert in the tls.Config, which works well definitely ;)

Answer 1

Score: 2

The previous answer didn't resolve any problem. The easiest way is uploading your cert (your certificate, not your private key, for obvious reasons!) to certificatechain.io.

Another alternative is simply to request the ca-bundle from your CA, then concatenate as follows:

-----BEGIN CERTIFICATE-----
YOUR CERT
YOUR CERT
YOUR CERT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SOME INTERMEDIATE CERT
SOME INTERMEDIATE CERT
SOME INTERMEDIATE CERT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ANOTHER INTERMEDIATE CERT
ANOTHER INTERMEDIATE CERT
ANOTHER INTERMEDIATE CERT
ANOTHER INTERMEDIATE CERT
-----END CERTIFICATE-----

Note that the order matters. Once you have this file in hand you can use the "new certificate" in the ServeAndListenTLS().

Answer 2

Score: 0
That's a minor detail, just ignore it and add your cert.pem and key.pem file like the docs say. It's talking about how you can "chain" (concatenate) certificates together to transfer trust from the root certificate to intermediate certificates. All of this is details of how PKI works, and you don't have to worry as long as you aren't messing with the cert and key files.

You see, the way your browser knows PayPal is actually PayPal is by verifying that PayPal's certificate was signed by a root certificate trusted by your computer. In this case, Symantec signed the certificate.

Intermediate certificate authorities can be made. For example, the most secure CAs don't actually hook the server with the root certificate to the internet; everything is signed with intermediate certificate authorities that are themselves signed by the root certificate. If an intermediate CA got hacked, Symantec could then revoke all the certificates signed by that CA a lot easier than getting a new public key setup.

Your browser can trust PayPal because it was signed by an intermediate CA of Symantec. The intermediate CA's certificate was signed by the root CA of Symantec.
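The following is an added example in Go, the language ListenAndServeTLS belongs to; it is not code from the question or from either answer. It builds a throwaway root -> intermediate -> leaf hierarchy in memory, produces the PEM concatenation Answer 1 describes (leaf first, then the intermediate, then the root, in the order the quoted docs give), and then checks that file the way ListenAndServeTLS and a connecting client would, which is the chain of trust Answer 2 describes: the key pair loads only if the leaf is the first block, and the leaf verifies against a trust store holding only the root only if the intermediate travels with it. The CA names, the "localhost" leaf and the serial numbers are constructed for this example; the root is normally already in the client's trust store, so shipping it in certFile is optional, but harmless.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err) // fixture code only: generating the throwaway chain is not expected to fail
	}
}

// mustIssue creates a certificate for cn, signed by parent with parentKey.
// With parent == nil it self-signs, which is how the root is made.
func mustIssue(cn string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // constructed serials, not real ones
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if !isCA {
		tmpl.DNSNames = []string{cn} // the leaf carries the name clients connect to
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

type Chain struct {
	RootPEM    []byte // the root the client trusts (normally in the OS trust store)
	CertFile   []byte // leaf, intermediate, root: what ListenAndServeTLS wants as certFile
	KeyFile    []byte // the leaf's private key only; it is never concatenated into certFile
	LeafOnly   []byte // leaf with the intermediate left out
	WrongOrder []byte // intermediate first, then leaf
}

// BuildChain creates a throwaway root -> intermediate -> leaf hierarchy in memory.
func BuildChain() *Chain {
	root, rootKey := mustIssue("Example Root CA", true, 1, nil, nil)
	inter, interKey := mustIssue("Example Intermediate CA", true, 2, root, rootKey)
	leaf, leafKey := mustIssue("localhost", false, 3, inter, interKey)
	keyDER, err := x509.MarshalECPrivateKey(leafKey)
	must(err)
	certPEM := func(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }
	rootPEM, interPEM, leafPEM := certPEM(root), certPEM(inter), certPEM(leaf)
	return &Chain{
		RootPEM:    rootPEM,
		CertFile:   append(append(append([]byte{}, leafPEM...), interPEM...), rootPEM...), // leaf first, then its issuers
		KeyFile:    pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
		LeafOnly:   leafPEM,
		WrongOrder: append(append([]byte{}, interPEM...), leafPEM...),
	}
}

// VerifyServerChain does what ListenAndServeTLS and then a connecting client do: load
// certFile/keyFile as a key pair (the key must match the FIRST certificate) and verify that
// certificate against a pool holding only the root, with the rest of certFile as intermediates.
func VerifyServerChain(certFile, keyFile, rootPEM []byte) error {
	pair, err := tls.X509KeyPair(certFile, keyFile)
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	intermediates := x509.NewCertPool()
	intermediates.AppendCertsFromPEM(certFile) // every extra block in certFile; the leaf itself is harmless here
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(rootPEM)
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: "localhost", Roots: roots, Intermediates: intermediates})
	return err
}

func main() {
	c := BuildChain()
	fmt.Println("leaf + intermediate + root:", VerifyServerChain(c.CertFile, c.KeyFile, c.RootPEM))
	fmt.Println("leaf only:                 ", VerifyServerChain(c.LeafOnly, c.KeyFile, c.RootPEM))
	fmt.Println("intermediate before leaf:  ", VerifyServerChain(c.WrongOrder, c.KeyFile, c.RootPEM))
}
```

To use this with the real function, write c.CertFile to cert.pem and c.KeyFile to key.pem and pass those two paths to http.ListenAndServeTLS. The three checks return nil, a verification error (the client cannot reach the root without the intermediate) and a load error (the private key does not match the first certificate) respectively, which is why both the set of blocks and their order in certFile matter.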

huangapple
  • Posted on January 9, 2016 11:02:49
  • Please keep this link when reposting: https://go.coder-hub.com/34689277.html