How do you build a tls.Certificate chain in Go?

Question


I'm trying to configure a TLS server to return a Certificate chain on connection.

I want to create a tls.Config, with a Certificate chain:

> // Certificates contains one or more certificate chains
> // to present to the other side of the connection.
> // Server configurations must include at least one certificate
> // or else set GetCertificate.
> Certificates []Certificate

Assuming my chain is root -> inter -> server, I can load each certificate independently, and use a list, but only serverCert is sent to the SSL client.

I'm doing something along the lines of:

// Each call loads one key pair, so each tls.Certificate holds only its own leaf;
// nothing here links server -> inter -> root into a single chain.
root, err := tls.LoadX509KeyPair("root.crt", "root.key")
inter, err := tls.LoadX509KeyPair("inter.crt", "inter.key")
server, err := tls.LoadX509KeyPair("server.crt", "server.key")

config := tls.Config{
   Certificates: []tls.Certificate{root, inter, server},
}
config.BuildNameToCertificate()

Am I missing something obvious? Does the order matter?

Answer 1

Score: 4


Your server.crt file can contain the entire chain [plus you don't want your server to have the inter or root keys]. In server.crt you can have:

-----BEGIN CERTIFICATE-----
[server cert]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[inter cert]
-----END CERTIFICATE-----

The root cert shouldn't be in the chain served from the server, just the server + intermediate.
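As an added example (not code from the question or the answer), the following Go program reproduces the layout the answer describes entirely in memory: it issues a throwaway root, intermediate and leaf, writes the leaf and intermediate into one PEM bundle exactly as server.crt would hold them, loads that through tls.X509KeyPair (the same parser behind LoadX509KeyPair), and then verifies the served chain the way a client that trusts only the root would. The names Test Root, Test Inter and server.example and the functions issue and BuildChain are assumptions made for this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)
// issue signs a throwaway test certificate for cn with parent (self-signed when parent is nil).
func issue(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature} // usage bits simplified for test material
	if parent == nil {
		parent, pkey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// BuildChain issues root -> inter -> leaf, puts leaf and inter into one PEM bundle (the server.crt layout
// from the answer, root omitted), loads it as a server would, then self-checks it from a client's viewpoint.
func BuildChain() (tls.Certificate, error) {
	root, rootKey := issue("Test Root", true, nil, nil)
	inter, interKey := issue("Test Inter", true, root, rootKey)
	leaf, leafKey := issue("server.example", false, inter, interKey)
	certPEM := append(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leaf.Raw}), // leaf first,
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: inter.Raw})...) // then the intermediate
	keyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey)
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	cert, err := tls.X509KeyPair(certPEM, keyPEM) // same parsing LoadX509KeyPair does on the files
	if err != nil {
		return cert, err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool() // client's view: root trusted, the rest from the wire
	roots.AddCert(root)
	for _, der := range cert.Certificate[1:] {
		c, _ := x509.ParseCertificate(der)
		inters.AddCert(c)
	}
	sent, _ := x509.ParseCertificate(cert.Certificate[0])
	_, err = sent.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return cert, err
}
```

cert.Certificate ends up with two DER entries, leaf then intermediate, and the final Verify succeeds without the root ever being part of what the server sends.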

huangapple
  • Posted on 2016-12-01 23:34:59
  • Source: https://go.coder-hub.com/40914640.html