I'm trying to establish a TLS connection with the use of a self signed server certificate.
I generated the certificate with this example code: http://golang.org/src/pkg/crypto/tls/generate_cert.go
My relevant client code looks like that:
// server cert is self signed -> server_cert == ca_cert CA_Pool := x509.NewCertPool() severCert, err := ioutil.ReadFile("./cert.pem") if err != nil { log.Fatal("Could not load server certificate!") } CA_Pool.AppendCertsFromPEM(severCert) config := tls.Config{RootCAs: CA_Pool} conn, err := tls.Dial("tcp", "127.0.0.1:8000", &config) if err != nil { log.Fatalf("client: dial: %s", err) }
And the relevant server code like that:
cert, err := tls.LoadX509KeyPair("./cert.pem", "./key.pem") config := tls.Config{Certificates: []tls.Certificate{cert}} listener, err := tls.Listen("tcp", "127.0.0.1:8000", &config) for { conn, err := listener.Accept() if err != nil { log.Printf("server: accept: %s", err) break } log.Printf("server: accepted from %s", conn.RemoteAddr()) go handleConnection(conn) }
Because the server certificate is self signed is use the same certificate for the server and the clients CA_Pool however this does not seem to work since i always get this error:
client: dial: x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "serial:0")
What's my mistake?
If you want to secure your website with an SSL/TLS certificate, you can use a free self-signed SSL/TLS certificate.
Compromised self-signed certificates can pose many security challenges, since attackers can spoof the identity of the victim. Unlike CA-issued certificates, self-signed certificates cannot be revoked. The inability to quickly find and revoke private key associated with a self-signed certificate creates serious risk.
By having a self-signed certificate you are effectively on your own, without the backing of a trusted certificate authority and application of the latest cryptographic methods necessary to ensure proper authentication and encryption of data, devices, and applications.
A self signed certificate will still encrypt the communication between the client (browser) and your server.
It finally worked with the go built in x509.CreateCertificate, the problem was that I did not set the IsCA:true flag, I only set the x509.KeyUsageCertSign which made creating the self signed certificate work, but crashed while verifying the cert chain.
The problem is that you need a CA certificate in the server-side config, and this CA must have signed the server's certificate.
I have written some Go code that will generate a CA certificate, but it hasn't been reviewed by anyone and is mostly a toy for playing around with client certs. The safest bet is probably to use openssl ca
to generate and sign the certificate. The basic steps will be:
tls.Config
RootCAs
tls.Config
with the Server key and signed certificate.If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With