Reputation: 8393
How to create a certificate chain
I'm working on a proxy server for automating browser integration tests. I've gotten to a place where I can create a root CA cert and then my self signed cert.
However, where I'm failing is "joining" these together into a valid certificate chain that is then served. I feel like I'm missing something very trivial as the CA is created correctly and the self signed cert is being signed by the CA however the certificate chain never shows the CA when viewing the generated certificate within a browser.
I realize this is somewhat a cryptic question, but let me know how I can make this more clear.
Thanks everyone!
func Server(cn net.Conn, p ServerParam) *ServerConn {
conf := new(tls.Config)
if p.TLSConfig != nil {
*conf = *p.TLSConfig
}
sc := new(ServerConn)
// this is the CA certificate that is performing the signing and I had though would show as the "root" certificate in the chain
conf.RootCAs = buildBoolFromCA(p.CA)
conf.GetCertificate = func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
sc.ServerName = hello.ServerName
// the self signed cert that is generated (the root CA however is not part of the chain
return getCert(p.CA, hello.ServerName)
}
sc.Conn = tls.Server(cn, conf)
return sc
}
To reduce the size of this post I created a small gist here to show where I'm generating the CA and the self signed certificate: https://gist.github.com/jredl-va/d5df26877fc85095115731d98ea5ff33
Update 1 Added get cert to gist
Upvotes: 2
Views: 1010
Answers (1)
Reputation: 31751
Go doesn't magically include the CA certificate in the TLS handshake. If you expected RootCAs to cause that, you are mistaken. It is irrelevant for servers:
RootCAs defines the set of root certificate authorities that clients use when verifying server certificates.
You can either change GenerateCert to return the whole chain:
--- cert.go.orig 2019-09-18 17:35:29.408807334 +0200
+++ cert.go 2019-09-18 17:35:45.028779955 +0200
@@ -46,11 +46,11 @@
x, err := x509.CreateCertificate(rand.Reader, template, ca.Leaf, key.Public(), ca.PrivateKey)
if err != nil {
return nil, err
}
cert := new(tls.Certificate)
- cert.Certificate = append(cert.Certificate, x)
+ cert.Certificate = append(cert.Certificate, x, ca.Leaf.Raw)
cert.PrivateKey = key
cert.Leaf, _ = x509.ParseCertificate(x)
return cert, nil
}
... or make getCert append the CA cert in a similar fashion:
--- cert.go.orig 2019-09-18 18:07:45.924405370 +0200
+++ cert.go 2019-09-18 18:08:11.998359456 +0200
@@ -61,7 +61,8 @@
func getCert(ca *tls.Certificate, host string) (*tls.Certificate, error) {
cert, err := GenerateCert(ca, host)
if err != nil {
return nil, err
}
+ cert.Certificate = append(cert.Certificate, ca.Leaf.Raw)
return cert, nil
}
Upvotes: 2
Related Questions
- How to proxy https requests using Go, http requests work fine?
- How to do a https request with proxy
- How to set up an https server with a self-signed certificate in golang
- How to do proxy and TLS in golang
- How to use a self-signed certificate through proxy server client
- http to https proxy in go
- How do you build a tls.Certficate chain in Go?
- Proxy golang https
- How to create a tls client with ca certificates in GO?
- SSL with GoLang using reverse proxy Nginx