Golang 创建证书
Overview
In this article we’ll cover creating and signing x509 Certificates in Golang. This exercise can be a helpful reference if you’re writing integration tests for web services which should test HTTPS functionality, or otherwise working on certificate handling code.
Create a Certificate Authority
In this article we’ll create and manage our own Certificate Authority (CA) locally to keep the examples here simple. Working with CAs locally will help prepare you for working with other public certificate authorities later.
Let’s get started by creating a CA which will be used to sign all of our certificates using the x509 package from the Go Standard Library:
ca := &x509.Certificate{
SerialNumber: big.NewInt(2019),
Subject: pkix.Name{
Organization: []string{"Company, INC."},
Country: []string{"US"},
Province: []string{""},
Locality: []string{"San Francisco"},
StreetAddress: []string{"Golden Gate Bridge"},
PostalCode: []string{"94016"},
},
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(10, 0, 0),
IsCA: true,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
}
Note that the field IsCA is set to true above indicating this certificate is a CA certificate.
We’ll generate a private key for the CA:
caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
return err
}
And create the certificate:
caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey)
if err != nil {
return err
}
We’ll PEM Encode our certificate and private key for signing other certificates in upcoming steps:
caPEM := new(bytes.Buffer)
pem.Encode(caPEM, &pem.Block{
Type: "CERTIFICATE",
Bytes: caBytes,
})
caPrivKeyPEM := new(bytes.Buffer)
pem.Encode(caPrivKeyPEM, &pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(caPrivKey),
})
Now we’re ready to use this CA.
Generate & Signing a Certificate
The next exercise is to create a certificate which our CA will sign:
cert := &x509.Certificate{
SerialNumber: big.NewInt(1658),
Subject: pkix.Name{
Organization: []string{"Company, INC."},
Country: []string{"US"},
Province: []string{""},
Locality: []string{"San Francisco"},
StreetAddress: []string{"Golden Gate Bridge"},
PostalCode: []string{"94016"},
},
IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(10, 0, 0),
SubjectKeyId: []byte{1, 2, 3, 4, 6},
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
KeyUsage: x509.KeyUsageDigitalSignature,
}
Note that in the above example the certificate we’ve created contains:
IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
This option will make our certificate valid over localhost for local network testing.
Create a private key for the certificate:
certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
return err
}
Sign the certificate with the previously created CA:
certBytes, err := x509.CreateCertificate(rand.Reader, cert, ca, &certPrivKey.PublicKey, caPrivKey)
if err != nil {
return err
}
PEM Encode the certificate:
certPEM := new(bytes.Buffer)
pem.Encode(certPEM, &pem.Block{
Type: "CERTIFICATE",
Bytes: certBytes,
})
certPrivKeyPEM := new(bytes.Buffer)
pem.Encode(certPrivKeyPEM, &pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
})
At this point the certificate is ready to be deployed on a local HTTPS server.
WebServer Configuration
Now that we have a certificate to use (and a CA which has signed it to ensure trust from the client to the server) we’ll deploy our new certificate to a webserver provided by the httptest package.
Start by creating a Key Pair which will be used for the server configuration:
serverCert, err := tls.X509KeyPair(certPEM.Bytes(), certPrivKeyPEM.Bytes())
if err != nil {
return nil, nil, err
}
And a CertPool to house our certificate for client connections:
certpool := x509.NewCertPool()
certpool.AppendCertsFromPEM(caPEM.Bytes())
Next we’ll create a tls.Config which will be provided to our server:
serverTLSConf = &tls.Config{
Certificates: []tls.Certificate{serverCert},
}
Finally, start the httptest.Server:
server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintln(w, "success!")
}))
server.TLS = serverTLSConf
server.StartTLS()
defer server.Close()
Now we’re ready to connect to our server.
Connecting to the Server
Now that we know how to start the server it’s time to test the connection to it. We’ll use the standard client from the net/http package.
We’ll start by creating the tls.Config needed for the client to communicate properly with the server using our certificate:
clientTLSConf = &tls.Config{
RootCAs: certpool,
}
We’ll define an http.Transport and create the http.Client:
transport := &http.Transport{
TLSClientConfig: clientTLSConf,
}
http := http.Client{
Transport: transport,
}
Finally we’ll make a GET request to the server:
resp, err := http.Get(server.URL)
if err != nil {
panic(err)
}
When it’s working properly the http.Request body contains success!
Demo Program
In the above sections we worked through the individual steps that build up to implementation in complete applications, but if you’re looking for a working example of all these pieces put together see this demo program available on GitHub:
package main
import (
"bytes"
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"fmt"
"io/ioutil"
"math/big"
"net"
"net/http"
"net/http/httptest"
"strings"
"time"
)
func main() {
// get our ca and server certificate
serverTLSConf, clientTLSConf, err := certSetup()
if err != nil {
panic(err)
}
// set up the httptest.Server using our certificate signed by our CA
server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintln(w, "success!")
}))
server.TLS = serverTLSConf
server.StartTLS()
defer server.Close()
// communicate with the server using an http.Client configured to trust our CA
transport := &http.Transport{
TLSClientConfig: clientTLSConf,
}
http := http.Client{
Transport: transport,
}
resp, err := http.Get(server.URL)
if err != nil {
panic(err)
}
// verify the response
respBodyBytes, err := ioutil.ReadAll(resp.Body)
if err != nil {
panic(err)
}
body := strings.TrimSpace(string(respBodyBytes[:]))
if body == "success!" {
fmt.Println(body)
} else {
panic("not successful!")
}
}
func certSetup() (serverTLSConf *tls.Config, clientTLSConf *tls.Config, err error) {
// set up our CA certificate
ca := &x509.Certificate{
SerialNumber: big.NewInt(2019),
Subject: pkix.Name{
Organization: []string{"Company, INC."},
Country: []string{"US"},
Province: []string{""},
Locality: []string{"San Francisco"},
StreetAddress: []string{"Golden Gate Bridge"},
PostalCode: []string{"94016"},
},
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(10, 0, 0),
IsCA: true,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
}
// create our private and public key
caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
return nil, nil, err
}
// create the CA
caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey)
if err != nil {
return nil, nil, err
}
// pem encode
caPEM := new(bytes.Buffer)
pem.Encode(caPEM, &pem.Block{
Type: "CERTIFICATE",
Bytes: caBytes,
})
caPrivKeyPEM := new(bytes.Buffer)
pem.Encode(caPrivKeyPEM, &pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(caPrivKey),
})
// set up our server certificate
cert := &x509.Certificate{
SerialNumber: big.NewInt(2019),
Subject: pkix.Name{
Organization: []string{"Company, INC."},
Country: []string{"US"},
Province: []string{""},
Locality: []string{"San Francisco"},
StreetAddress: []string{"Golden Gate Bridge"},
PostalCode: []string{"94016"},
},
IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(10, 0, 0),
SubjectKeyId: []byte{1, 2, 3, 4, 6},
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
KeyUsage: x509.KeyUsageDigitalSignature,
}
certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
return nil, nil, err
}
certBytes, err := x509.CreateCertificate(rand.Reader, cert, ca, &certPrivKey.PublicKey, caPrivKey)
if err != nil {
return nil, nil, err
}
certPEM := new(bytes.Buffer)
pem.Encode(certPEM, &pem.Block{
Type: "CERTIFICATE",
Bytes: certBytes,
})
certPrivKeyPEM := new(bytes.Buffer)
pem.Encode(certPrivKeyPEM, &pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
})
serverCert, err := tls.X509KeyPair(certPEM.Bytes(), certPrivKeyPEM.Bytes())
if err != nil {
return nil, nil, err
}
serverTLSConf = &tls.Config{
Certificates: []tls.Certificate{serverCert},
}
certpool := x509.NewCertPool()
certpool.AppendCertsFromPEM(caPEM.Bytes())
clientTLSConf = &tls.Config{
RootCAs: certpool,
}
return
}
Happy coding!
转载:https://medium.com/@shaneutt/create-sign-x509-certificates-in-golang-8ac4ae49f903
温馨提示:反馈需要登录
