PKI infrastructure
Question
How to simply establish a chain using the golang x509 package?
Let's say I need a self-signed CA certificate and a certificate for a server issued by the CA.
When I use
x509.CreateCertificate(rand.Reader, &issuer, &issuer, publicKeyIssuer, privateKeyIssuer)
then
x509.CreateCertificate(rand.Reader, &subject, &issuer, publicKeySubject, privateKeyIssuer)
it doesn't work. The certificate is created, but when the server sends it to a browser, the browser doesn't see a path from the server to the CA.
If I use openssl to create a certificate request for the server and then the certificate, it's all good:
openssl req -key server.key -new -out server.req -sha256
openssl x509 -req -in server.req -CA ca.crt -CAkey ca.key -out server.crt
I know that there is x509.CreateCertificateRequest, but I don't know how to link the request with creating the certificate.
What am I doing wrong, or maybe I don't know enough about x509.CreateCertificate?
Answer 1
Score: 1
What I had to know before asking the question: <http://www.oasis-pki.org/pdfs/Understanding_Path_construction-DS2.pdf>
DN names (Subject in the CA certificate and Issuer in the server certificate) must be the same. But the DN names of subject and issuer must not be equal. DNs make up the link between Issuer and Subject.
In my case I used only the O=Organization field in
    // Only the Organization attribute is set, so both DNs are "O=O".
    ca := x509.Certificate{
        Subject: pkix.Name{
            Organization: []string{"O"},
        },
    }
    server := x509.Certificate{
        Subject: pkix.Name{
            Organization: []string{"O"},
        },
    }
The DNs are the same for the issuer and for the subject. That is why the browser can't find a path. It is simple to add more info to pkix, for example CommonName. It will make the DN unique.
    // CommonName is a plain string in pkix.Name, not a slice;
    // with it set, the two subject DNs are distinct.
    ca := x509.Certificate{
        Subject: pkix.Name{
            CommonName:   "CA",
            Organization: []string{"XUnit"},
        },
    }
    server := x509.Certificate{
        Subject: pkix.Name{
            CommonName:   "server",
            Organization: []string{"XUnit"},
        },
    }
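The following is an added example, not code from the asker or the answerer. It covers both points raised above: how a CSR produced by x509.CreateCertificateRequest is linked to x509.CreateCertificate (the CA parses the request, checks its signature and copies the subject, SANs and public key into its own issuing template, which is what the two openssl commands in the question do), and why the CA's subject DN and the server's subject DN must differ. It uses only the Go standard library; the function names BuildChain and VerifyChain, the organization "XUnit", and the host name server.example.test are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds the self-signed CA and the server certificate it issued.
type Chain struct{ CA, Server *x509.Certificate }

// BuildChain creates a self-signed CA and a server certificate signed by it. The server
// certificate is built from a CSR: the CA parses and checks the request, then copies the
// subject, SANs and public key it agrees to certify into its own issuing template.
func BuildChain(org, caCN, serverCN string, dnsNames []string) (*Chain, error) {
	now := time.Now()
	// CA side: self-signed root, so template and parent are the same certificate.
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caCN, Organization: []string{org}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	// Server side: its own key pair and a CSR, the equivalent of `openssl req -new`.
	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: serverCN, Organization: []string{org}},
		DNSNames: dnsNames,
	}, serverKey)
	if err != nil {
		return nil, err
	}
	// CA side again: validate the CSR and issue, like `openssl x509 -req -CA ca.crt`.
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	// A leaf whose subject DN equals the issuer DN looks self-signed to a path
	// builder, which is the failure the answer describes; refuse to issue it.
	if csr.Subject.String() == caCert.Subject.String() {
		return nil, fmt.Errorf("refusing to issue: subject DN %q identical to issuer DN", csr.Subject.String())
	}
	serverTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Parent is the parsed CA cert, so Issuer and AuthorityKeyId are copied from it;
	// the public key comes from the CSR and the signature from the CA key.
	serverDER, err := x509.CreateCertificate(rand.Reader, serverTmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	serverCert, err := x509.ParseCertificate(serverDER)
	if err != nil {
		return nil, err
	}
	return &Chain{CA: caCert, Server: serverCert}, nil
}

// VerifyChain builds the path from the server certificate to the CA for host, as a
// TLS client that trusts only this CA would; nil means a path was found.
func VerifyChain(c *Chain, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.CA)
	_, err := c.Server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

Calling BuildChain("XUnit", "CA", "server", []string{"server.example.test"}) and then VerifyChain(c, "server.example.test") returns nil, because the server certificate's Issuer equals the CA's Subject while the two Subjects differ; the same call with serverCN "CA" is refused before issuance. The host name goes into DNSNames because browsers match the Subject Alternative Name extension, not the CommonName.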