golang,我可以使用rsa键创建X509KeyPair吗?

我正在尝试按照此Blog 使用TLS / SSL保护gRPC ,但是我不想创建证书和 将其保存到磁盘上的文件中,我希望服务本身创建其密钥,然后将证书颁发机构密钥用于其他地方(我计划使用google pki作为ca)。</ p>

到目前为止,我可以使用rsa创建私钥/公钥对,然后按照此处的一些代码将公钥编码为pem密钥 Golang:生成DSA私钥,公钥和PEM文件的例子,现在我知道如何创建DSA 使用 LoadX509KeyPair 。 我不知道从哪里获取第二个参数的值,它需要keyPemBlock以字节为单位,但是RSA私钥不在字节上。</ p>

我想问一下,是否有 如果可以的话,还有一种使用RSA创建证书的更好的方法吗?</ p>

并且我们是否可以使用RSA创建证书? 使用上面的我的不完整解决方案,我可以在其中获取 tls.LoadX509KeyPair </ code>的第二个参数的值吗?</ p>

谢谢</ p>
</ DIV>

展开原文

原文

I am trying to create gRPC connection with mutual tls following the instruction on this blog Secure gRPC with TLS/SSL, but i don't want to create the certificate and save it to a file on the disk, I want the service itself to create its keys, then the certificate authority key will be taken somewhere else (I am planning using the google pki as the ca).

What i did so far I can create the private/public key pair using rsa, then encode the public key to pem key following some code here Golang : Generate DSA private, public key and PEM files example now i am stock on how to create the certificate using the LoadX509KeyPair. I don't know where to get the value for the second parameter, it needs keyPemBlock in bytes, but the RSA private key is not on bytes.

I would like to ask, is there a much more better way to create a certificate using the RSA, if it is possible?

And also if we can create a certificate using RSA; using the incomplete solution of mine above, where i can get the value for the second parameter of the tls.LoadX509KeyPair?

Thank you

1个回答

If you want to generate your own certificate and private key, you have to do:

1.- Generate private key:

key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
    log.Fatal("Private key cannot be created.", err.Error())
}

// Generate a pem block with the private key
keyPem := pem.EncodeToMemory(&pem.Block{
    Type:  "RSA PRIVATE KEY",
    Bytes: x509.MarshalPKCS1PrivateKey(key),
})

2.- Generate the certificate:

tml := x509.Certificate{
    // you can add any attr that you need
    NotBefore:    time.Now(),
    NotAfter:     time.Now().AddDate(5, 0, 0),
    // you have to generate a different serial number each execution
    SerialNumber: big.NewInt(123123),
    Subject: pkix.Name{
        CommonName:   "New Name",
        Organization: []string{"New Org."},
    },
    BasicConstraintsValid: true,
}
cert, err := x509.CreateCertificate(rand.Reader, &tml, &tml, &key.PublicKey, key)
if err != nil {
    log.Fatal("Certificate cannot be created.", err.Error())
}

// Generate a pem block with the certificate
certPem := pem.EncodeToMemory(&pem.Block{
    Type:  "CERTIFICATE",
    Bytes: cert,
})

3.- Load certificate/private key pair:

tlsCert, err := tls.X509KeyPair(certPem, keyPem)
if err != nil {
    log.Fatal("Cannot be loaded the certificate.", err.Error())
}

4.- Use the tlsCert for whatever you want, ex:

l, err := tls.Listen("tcp", ":8080", &tls.Config{
    Certificates: []tls.Certificate{tlsCert},
})
douyanxing6054
douyanxing6054 非常感谢,我迟到了几分钟才发布自己的解决方案。 我的解决方案与您非常相似。 作为参考,我只是在golang.org/src/crypto/tls/generate_cert.go中进行了挖掘,这也是一个很好的示例,并且我的解决方案基于该链接。
3 年多之前 回复
Csdn user default icon
上传中...
上传图片
插入图片
抄袭、复制答案,以达到刷声望分或其他目的的行为,在CSDN问答是严格禁止的,一经发现立刻封号。是时候展现真正的技术了!
立即提问
相关内容推荐