
Generating a CA and key pairs is quite often required when setting up an HTTPS connection while developing web applications. Before we go into details, let's review the general steps to generate a CA and key pairs:

  1. Generate a CA Certificate
  2. Generate a Server key
  3. Sign the Server key with the CA certificate
  4. Add the CA Certificate to the client’s tls.Config RootCAs
  5. Set up the server’s tls.Config with the Server key and signed certificate.
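As an added example (not from the original post, and not Go's own generate_cert.go), here are steps 1 to 4 carried out in-process with crypto/x509 instead of with files on disk; the CA name, the host and the 24-hour validity are constructed values for a local test:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue gives tmpl a fresh P-256 key and 24h validity, then has parent/parentKey sign it;
// pass tmpl as parent and nil as parentKey for a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// GenCA is step 1: a self-signed CA whose key usage is limited to signing certificates.
func GenCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Local Test CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return issue(t, t, nil)
}

// GenServer is steps 2 and 3: a server key whose certificate the CA signs.
// The host goes in a SubjectAltName (DNSNames); Go clients ignore the CN when matching hosts.
func GenServer(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	t := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	return issue(t, ca, caKey)
}

// ClientVerify is step 4 from the client's side: trust only our CA, then check the host.
func ClientVerify(ca, srv *x509.Certificate, host string) error {
	pool := x509.NewCertPool() // this pool is what goes into the client's tls.Config RootCAs
	pool.AddCert(ca)
	_, err := srv.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

For step 5, the server side is `&tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}}}`; a client that never added the CA to RootCAs fails with an unknown-authority error, exactly the "browser will not trust it" case described below.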

There is a good source.

Although we can use openssl to generate certificate and key pair files, Go provides generate_cert.go to facilitate the process.

Using generate_cert.go to generate the cert files is extremely easy; we can simply follow the process below:

$ export GOBIN=$GOPATH/bin
$ cd $GOROOT/src/crypto/tls
$ go install generate_cert.go

Now we should have an executable generate_cert in $GOPATH/bin. Since $GOPATH/bin is already in the system PATH, we can directly execute it to generate the files we need.

Generate CA

$ generate_cert --host="localhost_vbox:10.0.2.15" --ca=true

This command generates two files, "cert.pem" and "key.pem", in the current directory. These are called self-signed certificates, which means that you can use them to encrypt the traffic to and from your server, but a browser will not trust the connection out of the box.

We can also run $ go run generate_cert.go --host="localhost_vbox:10.0.2.15" --ca=true directly, without installing it.

Note that if these two files already exist, they will be overwritten.

Cautions
Use this library for testing purposes only, e.g. to experiment with the built-in Go HTTPS server. Do NOT use in production!

package main

import (
	"fmt"
	"log"
	"net/http"
)

// handler answers every request with a fixed greeting.
func handler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "Hi there!")
}

func main() {
	http.HandleFunc("/", handler)
	// Serve HTTPS on port 8081 using the cert.pem and key.pem generated above.
	log.Fatal(http.ListenAndServeTLS(":8081", "cert.pem", "key.pem", nil))
}

Besides, we can use EasyCert to generate these files. It calls openssl internally, and the files it generates include a CA root .cer file, a server .cer file, a server key file, etc.

Usage: EasyCert [options]
Options:
-cn Certificate Authority Name (can be any name, but should reflect your company name.)
-h Hostname of TLS server to install the private cert/key

e.g.

$ go get github.com/deckarep/EasyCert
$ EasyCert -cn vbox_os -h localvb:10.0.2.15
2016/11/20 20:06:52 *** Operation Completed Succesfully ***
2016/11/20 20:06:52 Private root certificate created:  myCA.cer
2016/11/20 20:06:52 Web server certificate created:  mycert1.cer
2016/11/20 20:06:52 Web server key created:  mycer1.key

$ ls
myCA.cer  myCA.key  mycert1.cer  mycert1.key  mycert1.req  serial

Essentially, the safest way to generate and sign the CA is using openssl; check this for details.

e.g.

RSA: recommended key size ≥ 2048-bit
$ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout server.rsa.key -out server.rsa.crt

ECDSA: recommended curve ≥ secp384r1 (list the supported curves with openssl ecparam -list_curves)
$ openssl req -x509 -nodes -days 3650 -newkey ec:secp384r1 -keyout server.ecdsa.key -out server.ecdsa.crt

On executing the above command, we'll be asked to fill in some information. The most critical part is the Common Name (e.g. server FQDN or YOUR name) field.
If we'd like to access the server on the local machine on port 8081, we'll have to put in the server address (e.g. myblog.com, or 127.0.0.1:8081).

Here is a bash script for generating all these files.




Reference
http://stackoverflow.com/questions/22666163/golang-tls-with-selfsigned-certificate