Reputation: 686
How can I simply establish a chain using the Go x509 package? Let's say I need a self-signed CA certificate and a certificate for a server issued by that CA. When I use
x509.CreateCertificate(rand.Reader, &issuer, &issuer, publicKeyIssuer, privateKeyIssuer)
then
x509.CreateCertificate(rand.Reader, &subject, &issuer, publicKeySubject, privateKeyIssuer)
it doesn't work. The certificate is created, and when the server sends it to a browser, the browser doesn't see a path from the server to the CA.
If I use openssl and create a certificate request for the server and then the certificate, it's all good:
openssl req -key server.key -new -out server.req -sha256
openssl x509 -req -in server.req -CA ca.crt -CAkey ca.key -out server.crt
I know that there is x509.CreateCertificateRequest, but I don't know how to link the request with creating the certificate. What am I doing wrong, or maybe I don't know much about x509.CreateCertificate?
Upvotes: 2
Views: 550
Reputation: 686
What I had to know before asking the question: http://www.oasis-pki.org/pdfs/Understanding_Path_construction-DS2.pdf
The DN names (Subject in the CA certificate and Issuer in the server certificate) must be the same. But the DNs of the subject and the issuer must not be equal. DNs make up the link between Issuer and Subject.
In my case I used only the O=Organization field in
ca := x509.Certificate{
	Subject: pkix.Name{
		Organization: []string{"O"},
	}, // trailing comma required inside a multi-line composite literal
}
server := x509.Certificate{
	Subject: pkix.Name{
		Organization: []string{"O"},
	},
}
The DNs are the same for the issuer and for the subject. That is why the browser can't find the path. It is simple to add more info to pkix, for example CommonName. It will make the DN unique.
ca := x509.Certificate{
	Subject: pkix.Name{
		CommonName:   "CA", // pkix.Name.CommonName is a string, not []string
		Organization: []string{"XUnit"},
	},
}
server := x509.Certificate{
	Subject: pkix.Name{
		CommonName:   "server",
		Organization: []string{"XUnit"},
	},
}
Upvotes: 1
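A complete version of the fix described in the answer, added here as an example and not code from the original post: the CA and the server get different CommonNames, so the server's Issuer equals the CA's Subject but not the server's own Subject, and Go's Verify is then used to build the path server -> CA the way a TLS client does. The organization name "XUnit", P-256 keys, the SAN "localhost" and the 24-hour validity are assumptions of this example; the SAN, key-usage and basic-constraints fields are included because browsers check them as well as the DN link.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewKey generates a P-256 key for either the CA or the server.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// issue signs tpl under parent and parses the result; CreateCertificate copies parent.Subject into the new Issuer.
func issue(tpl, parent *x509.Certificate, pub interface{}, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain issues a self-signed CA and a server certificate with distinct Subjects (the CommonName
// differs), so the server's Issuer equals the CA's Subject but not its own. "XUnit" and 24h are assumed values.
func BuildChain(caKey, srvKey *ecdsa.PrivateKey, caCN, srvCN, dnsName string) (ca, srv *x509.Certificate, err error) {
	nb, na := time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	caTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: na,
		Subject:      pkix.Name{CommonName: caCN, Organization: []string{"XUnit"}},
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if ca, err = issue(caTpl, caTpl, &caKey.PublicKey, caKey); err != nil { // self-signed root
		return nil, nil, err
	}
	srv, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na,
		Subject:      pkix.Name{CommonName: srvCN, Organization: []string{"XUnit"}},
		DNSNames:     []string{dnsName}, // SAN: browsers match the host here, not the CN
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, &srvKey.PublicKey, caKey) // signed with the CA key; Issuer comes from ca.Subject
	return ca, srv, err
}
// VerifyServer builds the path srv -> ca the way a TLS client does.
func VerifyServer(ca, srv *x509.Certificate, dnsName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := srv.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}
```

Passing the parsed CA certificate (not the template) as the parent also gives the server certificate an AuthorityKeyId copied from the CA's generated SubjectKeyId, which is the second link browsers use during path construction.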