dsfsdfsd34324 2017-05-06 16:42
浏览 233
已采纳

golang,我可以使用rsa键创建X509KeyPair吗?

I am trying to create gRPC connection with mutual tls following the instruction on this blog Secure gRPC with TLS/SSL, but i don't want to create the certificate and save it to a file on the disk, I want the service itself to create its keys, then the certificate authority key will be taken somewhere else (I am planning using the google pki as the ca).

What i did so far I can create the private/public key pair using rsa, then encode the public key to pem key following some code here Golang : Generate DSA private, public key and PEM files example now i am stock on how to create the certificate using the LoadX509KeyPair. I don't know where to get the value for the second parameter, it needs keyPemBlock in bytes, but the RSA private key is not on bytes.

I would like to ask, is there a much more better way to create a certificate using the RSA, if it is possible?

And also if we can create a certificate using RSA; using the incomplete solution of mine above, where i can get the value for the second parameter of the tls.LoadX509KeyPair?

Thank you

  • 写回答

1条回答 默认 最新

  • duanjing2013 2017-05-07 05:37
    关注

    If you want to generate your own certificate and private key, you have to do:

    1.- Generate private key:

    key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
    log.Fatal("Private key cannot be created.", err.Error())
}

// Generate a pem block with the private key
keyPem := pem.EncodeToMemory(&pem.Block{
    Type:  "RSA PRIVATE KEY",
    Bytes: x509.MarshalPKCS1PrivateKey(key),
})

    2.- Generate the certificate:

    tml := x509.Certificate{
    // you can add any attr that you need
    NotBefore:    time.Now(),
    NotAfter:     time.Now().AddDate(5, 0, 0),
    // you have to generate a different serial number each execution
    SerialNumber: big.NewInt(123123),
    Subject: pkix.Name{
        CommonName:   "New Name",
        Organization: []string{"New Org."},
    },
    BasicConstraintsValid: true,
}
cert, err := x509.CreateCertificate(rand.Reader, &tml, &tml, &key.PublicKey, key)
if err != nil {
    log.Fatal("Certificate cannot be created.", err.Error())
}

// Generate a pem block with the certificate
certPem := pem.EncodeToMemory(&pem.Block{
    Type:  "CERTIFICATE",
    Bytes: cert,
})

    3.- Load certificate/private key pair:

    tlsCert, err := tls.X509KeyPair(certPem, keyPem)
if err != nil {
    log.Fatal("Cannot be loaded the certificate.", err.Error())
}

    4.- Use the tlsCert for whatever you want, ex:

    l, err := tls.Listen("tcp", ":8080", &tls.Config{
    Certificates: []tls.Certificate{tlsCert},
})
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥50 永磁型步进电机PID算法
  • ¥15 sqlite 附加(attach database)加密数据库时,返回26是什么原因呢?
  • ¥88 找成都本地经验丰富懂小程序开发的技术大咖
  • ¥15 如何处理复杂数据表格的除法运算
  • ¥15 如何用stc8h1k08的片子做485数据透传的功能?(关键词-串口)
  • ¥15 有兄弟姐妹会用word插图功能制作类似citespace的图片吗?
  • ¥200 uniapp长期运行卡死问题解决
  • ¥15 latex怎么处理论文引理引用参考文献
  • ¥15 请教:如何用postman调用本地虚拟机区块链接上的合约?
  • ¥15 为什么使用javacv转封装rtsp为rtmp时出现如下问题:[h264 @ 000000004faf7500]no frame?