How do you build a tls.Certificate chain in Go?

Tags: ssl, go

I'm trying to configure a TLS server to return a certificate chain on connection.

I want to create a tls.Config with a certificate chain:

    // Certificates contains one or more certificate chains
    // to present to the other side of the connection.
    // Server configurations must include at least one certificate
    // or else set GetCertificate.
    Certificates []Certificate

Assuming my chain is root -> inter -> server, I can load each certificate independently, and use a list, but only serverCert is sent to the SSL client.

I'm doing something along the lines of:

    root, err := tls.LoadX509KeyPair("root.crt", "root.key")
    if err != nil {
        log.Fatal(err)
    }
    inter, err := tls.LoadX509KeyPair("inter.crt", "inter.key")
    if err != nil {
        log.Fatal(err)
    }
    server, err := tls.LoadX509KeyPair("server.crt", "server.key")
    if err != nil {
        log.Fatal(err)
    }
    config := tls.Config{
        Certificates: []tls.Certificate{root, inter, server}, // three separate one-certificate chains
    }
    config.BuildNameToCertificate()

Am I missing something obvious? Does the order matter?

phtrivier asked Dec 01 '16 15:12


1 Answer

Your server.crt file can contain the entire chain [plus you don't want your server to have the inter or root keys]. In server.crt you can have:

    -----BEGIN CERTIFICATE-----
    [server cert]
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    [inter cert]
    -----END CERTIFICATE-----

The root cert shouldn't be in the chain served from the server, just the server + intermediate[s].

superfell answered Sep 30 '22 03:09