可以使用Go语言创建X509KeyPair并使用RSA密钥。

huangapple go评论94阅读模式
英文:

golang, can i create X509KeyPair using rsa key?

问题

我正在尝试按照这篇博客Secure gRPC with TLS/SSL上的指示创建带有双向TLS的gRPC连接,但我不想创建证书并将其保存到磁盘上的文件中,我希望服务本身创建其密钥,然后证书颁发机构的密钥将在其他地方获取(我计划使用Google PKI作为CA)。

到目前为止,我可以使用RSA创建私钥/公钥对,然后使用一些代码将公钥编码为PEM格式的密钥,参考这里的代码Golang : Generate DSA private, public key and PEM files example,现在我不知道如何使用LoadX509KeyPair创建证书。我不知道如何获取第二个参数的值,它需要以字节形式的keyPemBlock,但RSA私钥不是以字节形式存在的。

我想问一下,是否有更好的方法可以使用RSA创建证书,如果可能的话?

另外,如果我们可以使用RSA创建证书,那么根据我上面提到的不完整解决方案,我应该如何获取tls.LoadX509KeyPair的第二个参数的值?

谢谢

英文:

I am trying to create gRPC connection with mutual tls following the instruction on this blog Secure gRPC with TLS/SSL, but i don't want to create the certificate and save it to a file on the disk, I want the service itself to create its keys, then the certificate authority key will be taken somewhere else (I am planning using the google pki as the ca).

What i did so far I can create the private/public key pair using rsa, then encode the public key to pem key following some code here Golang : Generate DSA private, public key and PEM files example now i am stock on how to create the certificate using the LoadX509KeyPair. I don't know where to get the value for the second parameter, it needs keyPemBlock in bytes, but the RSA private key is not on bytes.

I would like to ask, is there a much more better way to create a certificate using the RSA, if it is possible?

And also if we can create a certificate using RSA; using the incomplete solution of mine above, where i can get the value for the second parameter of the tls.LoadX509KeyPair?

Thank you

答案1

得分: 10

如果你想生成自己的证书和私钥,你需要进行以下步骤:

  1. 生成私钥:
key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
    log.Fatal("无法创建私钥。", err.Error())
}

// 生成带有私钥的pem块
keyPem := pem.EncodeToMemory(&pem.Block{
    Type:  "RSA PRIVATE KEY",
    Bytes: x509.MarshalPKCS1PrivateKey(key),
})
  1. 生成证书:
tml := x509.Certificate{
    // 可以添加任何你需要的属性
    NotBefore:    time.Now(),
    NotAfter:     time.Now().AddDate(5, 0, 0),
    // 每次执行都需要生成一个不同的序列号
    SerialNumber: big.NewInt(123123),
    Subject: pkix.Name{
        CommonName:   "新名称",
        Organization: []string{"新组织"},
    },
    BasicConstraintsValid: true,
}
cert, err := x509.CreateCertificate(rand.Reader, &tml, &tml, &key.PublicKey, key)
if err != nil {
    log.Fatal("无法创建证书。", err.Error())
}

// 生成带有证书的pem块
certPem := pem.EncodeToMemory(&pem.Block{
    Type:  "CERTIFICATE",
    Bytes: cert,
})
  1. 加载证书/私钥对:
tlsCert, err := tls.X509KeyPair(certPem, keyPem)
if err != nil {
    log.Fatal("无法加载证书。", err.Error())
}
  1. tlsCert 用于你想要的任何操作,例如:
l, err := tls.Listen("tcp", ":8080", &tls.Config{
    Certificates: []tls.Certificate{tlsCert},
})
英文:

If you want to generate your own certificate and private key, you have to do:

1.- Generate private key:

<!-- language: Go -->

key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
	log.Fatal(&quot;Private key cannot be created.&quot;, err.Error())
}

// Generate a pem block with the private key
keyPem := pem.EncodeToMemory(&amp;pem.Block{
	Type:  &quot;RSA PRIVATE KEY&quot;,
	Bytes: x509.MarshalPKCS1PrivateKey(key),
})

2.- Generate the certificate:

<!-- language: Go -->

tml := x509.Certificate{
    // you can add any attr that you need
	NotBefore:    time.Now(),
	NotAfter:     time.Now().AddDate(5, 0, 0),
    // you have to generate a different serial number each execution
	SerialNumber: big.NewInt(123123),
	Subject: pkix.Name{
		CommonName:   &quot;New Name&quot;,
		Organization: []string{&quot;New Org.&quot;},
	},
	BasicConstraintsValid: true,
}
cert, err := x509.CreateCertificate(rand.Reader, &amp;tml, &amp;tml, &amp;key.PublicKey, key)
if err != nil {
	log.Fatal(&quot;Certificate cannot be created.&quot;, err.Error())
}

// Generate a pem block with the certificate
certPem := pem.EncodeToMemory(&amp;pem.Block{
	Type:  &quot;CERTIFICATE&quot;,
	Bytes: cert,
})

3.- Load certificate/private key pair:

<!-- language: go -->

tlsCert, err := tls.X509KeyPair(certPem, keyPem)
if err != nil {
	log.Fatal(&quot;Cannot be loaded the certificate.&quot;, err.Error())
}

4.- Use the tlsCert for whatever you want, ex:

<!-- language: go -->

l, err := tls.Listen(&quot;tcp&quot;, &quot;:8080&quot;, &amp;tls.Config{
	Certificates: []tls.Certificate{tlsCert},
})

huangapple
  • 本文由 发表于 2017年5月7日 00:42:58
  • 转载请务必保留本文链接:https://go.coder-hub.com/43822945.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定