doucaigai7176 2019-09-18 14:57
浏览 430
已采纳

如何创建证书链

I'm working on a proxy server for automating browser integration tests. I've gotten to a place where I can create a root CA cert and then my self signed cert.

However, where I'm failing is "joining" these together into a valid certificate chain that is then served. I feel like I'm missing something very trivial as the CA is created correctly and the self signed cert is being signed by the CA however the certificate chain never shows the CA when viewing the generated certificate within a browser.

I realize this is somewhat a cryptic question, but let me know how I can make this more clear.

Thanks everyone!

func Server(cn net.Conn, p ServerParam) *ServerConn {
    conf := new(tls.Config)
    if p.TLSConfig != nil {
        *conf = *p.TLSConfig
    }
    sc := new(ServerConn)
    // this is the CA certificate that is performing the signing and I had though would show as the "root" certificate in the chain
    conf.RootCAs = buildBoolFromCA(p.CA)
    conf.GetCertificate = func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
        sc.ServerName = hello.ServerName
        // the self signed cert that is generated (the root CA however is not part of the chain
        return getCert(p.CA, hello.ServerName)
    }
    sc.Conn = tls.Server(cn, conf)
    return sc
}

To reduce the size of this post I created a small gist here to show where I'm generating the CA and the self signed certificate: https://gist.github.com/jredl-va/d5df26877fc85095115731d98ea5ff33

Update 1 Added get cert to gist

  • 写回答

1条回答 默认 最新

  • du548397507 2019-09-18 15:39
    关注

    Go doesn't magically include the CA certificate in the TLS handshake. If you expected RootCAs to cause that, you are mistaken. It is irrelevant for servers:

    RootCAs defines the set of root certificate authorities that clients use when verifying server certificates.

    You can either change GenerateCert to return the whole chain:

    --- cert.go.orig        2019-09-18 17:35:29.408807334 +0200
+++ cert.go     2019-09-18 17:35:45.028779955 +0200
@@ -46,11 +46,11 @@
        x, err := x509.CreateCertificate(rand.Reader, template, ca.Leaf, key.Public(), ca.PrivateKey)
        if err != nil {
                return nil, err
        }
        cert := new(tls.Certificate)
-       cert.Certificate = append(cert.Certificate, x)
+       cert.Certificate = append(cert.Certificate, x, ca.Leaf.Raw)
        cert.PrivateKey = key
        cert.Leaf, _ = x509.ParseCertificate(x)
        return cert, nil
 }

    ... or make getCert append the CA cert in a similar fashion:

    --- cert.go.orig        2019-09-18 18:07:45.924405370 +0200
+++ cert.go     2019-09-18 18:08:11.998359456 +0200
@@ -61,7 +61,8 @@
 func getCert(ca *tls.Certificate, host string) (*tls.Certificate, error) {
        cert, err := GenerateCert(ca, host)
        if err != nil {
                return nil, err
        }
+       cert.Certificate = append(cert.Certificate, ca.Leaf.Raw)
        return cert, nil
 }
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 链接问题 C++LNK2001 无法解析的外部符号
  • ¥50 安装pyaudiokits失败
  • ¥15 计组这些题应该咋做呀
  • ¥60 更换迈创SOL6M4AE卡的时候,驱动要重新装才能使用,怎么解决?
  • ¥15 让node服务器有自动加载文件的功能
  • ¥15 jmeter脚本回放有的是对的有的是错的
  • ¥15 r语言蛋白组学相关问题
  • ¥15 Python时间序列如何拟合疏系数模型
  • ¥15 求学软件的前人们指明方向🥺
  • ¥50 如何增强飞上天的树莓派的热点信号强度,以使得笔记本可以在地面实现远程桌面连接