
golang, can i create X509KeyPair using rsa key?

Question


I am trying to create a gRPC connection with mutual TLS following the instructions on this blog, Secure gRPC with TLS/SSL, but I don't want to create the certificate and save it to a file on the disk. I want the service itself to create its keys; the certificate authority key will then be taken from somewhere else (I am planning to use the Google PKI as the CA).

What I did so far: I can create the private/public key pair using RSA, then encode the public key to a PEM key following some code here, Golang : Generate DSA private, public key and PEM files example. Now I am stuck on how to create the certificate using LoadX509KeyPair. I don't know where to get the value for the second parameter; it needs keyPemBlock in bytes, but the RSA private key is not in bytes.

I would like to ask: is there a much better way to create a certificate using RSA, if it is possible?

And also, if we can create a certificate using RSA, using my incomplete solution above, where can I get the value for the second parameter of tls.LoadX509KeyPair?

Thank you

Answer 1

Score: 10


If you want to generate your own certificate and private key, you have to do:

1.- Generate private key:

key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
	log.Fatal("Private key cannot be created.", err.Error())
}

// Generate a pem block with the private key
keyPem := pem.EncodeToMemory(&pem.Block{
	Type:  "RSA PRIVATE KEY",
	Bytes: x509.MarshalPKCS1PrivateKey(key),
})

2.- Generate the certificate:

tml := x509.Certificate{
	// you can add any attr that you need
	NotBefore: time.Now(),
	NotAfter:  time.Now().AddDate(5, 0, 0),
	// you have to generate a different serial number each execution
	SerialNumber: big.NewInt(123123),
	Subject: pkix.Name{
		CommonName:   "New Name",
		Organization: []string{"New Org."},
	},
	BasicConstraintsValid: true,
}
cert, err := x509.CreateCertificate(rand.Reader, &tml, &tml, &key.PublicKey, key)
if err != nil {
	log.Fatal("Certificate cannot be created.", err.Error())
}

// Generate a pem block with the certificate
certPem := pem.EncodeToMemory(&pem.Block{
	Type:  "CERTIFICATE",
	Bytes: cert,
})

3.- Load certificate/private key pair:

tlsCert, err := tls.X509KeyPair(certPem, keyPem)
if err != nil {
	log.Fatal("Cannot be loaded the certificate.", err.Error())
}

4.- Use the tlsCert for whatever you want, ex:

l, err := tls.Listen("tcp", ":8080", &tls.Config{
	Certificates: []tls.Certificate{tlsCert},
})

huangapple
  • Posted on 2017-05-07 00:42:58
  • Please keep this link when reposting: https://go.coder-hub.com/43822945.html