I've had a successful TLS mutual authentication client/server setup in Go for a while, but now looking to make some small tweaks.
Specifically, I'm wondering if there is a way to require only a specific client certificate for mutual auth.
I'm currently using something like this:
// Load cert and build pool
caCert, _ := ioutil.ReadFile(caPath)
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
// Require client authentication
tlsConfig := &tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: caCertPool,
}
Which works fine, however if the PEM file I'm reading in is actually a certificate chain (A issued by B, and B is a root CA), this will actually end up trusting any certificate issued by B, which I don't want.
Is there any way I can tweak this code to ONLY trust the specific A certificate?
It seems that if I only include A in the loaded PEM file, the server handshake code tells the client "send me all your certs signed by A", which of course is not what I want, as cert A is not signed by A.
Ideally I'd want to say "you require specifically certificate A" to connect successfully. Is there such a mechanism?
