doulianxing4015 2014-10-17 14:24
Views: 150
Accepted

TLS authentication: what does each certificate need to contain?

I'm writing a config daemon.

It works like this:

accepts

  • GET (read)
  • POST (update)
  • PUT (create)
  • DELETE (delete)

methods

example:

PUT http://server1/key (body = value)

stores value under key

GET http://server1/key

returns value in response body

Now, when a PUT, POST, DELETE is made it duplicates this request and sends it to peers, so that every node has the same data and any node can be queried in case one of the nodes is unavailable. It adds a header so the nodes know that they shouldn't duplicate a request and send out to other nodes.

Ok, this works so far, but now I'd like to only allow the nodes and a WebUI to be able to transmit requests to those nodes. And here is where TLS comes into play.

As far as I understand I need a rootCA, so I can sign server and client certificates. And I'd like to have valid certificates, not "self-signed" because I would use Go and crypto/tls and it should verify the certificates.

My question is:

Which extensions or fields do each of the certificates need? I wouldn't want to re-generate the server and client certs when a new node is added to the config server pool.

I would connect by IP address, not by hostname/dnsname (to skip hostname lookups and the potential eavesdropping of a third party by assigning an IP to their own dnsname, e.g. s1.myserver.com is mine with IP 1.2.3.4 and random dude creates a DNS entry with random.dude.com 1.2.3.4, because I get a list of all nodes by doing a NS lookup of clustercfg.mydomain.com)

On each new node I'd need to create a server cert (this is me, verify that it's true)

On each new node I'd need to create a client cert (so I can authenticate that this client node is valid and is allowed to access this server node)

The question is:

X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment, Certificate Sign
    X509v3 Extended Key Usage: 
        TLS Web Server Authentication
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 Subject Alternative Name: 
        DNS:server1.myserver.com, IP Address:2a02::0:0:0:0:0:0:2, IP Address:1.2.3.4

What does a rootCA, a server certificate, a client certificate need so I'm able to do "TLS Authentication"?


2 answers

  • doujing6436 2014-10-17 17:38

    You can use a normal server certificate like the ones you use in a web server for the server. Go will check that properly when you connect.

    As for client certificates, here is a gist showing how to generate and use the client certificates from Go.

    I've used this code for a similar secure system of clients contacting servers.

    You don't need to connect by IP address as the client will check the server's certificate matches the hostname which is an extremely good check.

    Hope that helps!

    This answer was selected by the asker as the best answer.
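The certificate layout the question asks about, as an added Go example; it is not code from the question or the answer, and it does not reproduce the gist the answer links to. It builds a root CA, a server leaf carrying the node's addresses as IP SANs, and a client leaf, then runs on each the same x509 verification that crypto/tls performs for a server or a client certificate, and finally wires the three into a tls.Config pair. Every name in it (Identity, NewRootCA, IssueCert, Verify, Configs, SampleIPs) is this example's own; the addresses 1.2.3.4 and 2a02::2 are the question's sample values. Two points against the extension dump in the question: a leaf certificate should carry CA:FALSE and no Certificate Sign key usage (those belong to the root only), and when a node is dialed by IP that address must be present as an IP SAN, because Go matches the dialed name only against SANs, never against the Common Name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Identity is a parsed certificate plus its private key (every name here is this example's own).
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// The two leaf roles: a node's server certificate, and a node's or the WebUI's client certificate.
const (
	ServerAuth = x509.ExtKeyUsageServerAuth
	ClientAuth = x509.ExtKeyUsageClientAuth
)

// SampleIPs is constructed sample data: the addresses from the question's SAN line.
var SampleIPs = []net.IP{net.ParseIP("1.2.3.4"), net.ParseIP("2a02::2")}

// sign gives tmpl a fresh P-256 key and has parent sign it; nil parentKey = self-signed (the root).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Identity{}, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return Identity{}, err
	}
	cert, err := x509.ParseCertificate(der)
	return Identity{Cert: cert, Key: key}, err
}

// NewRootCA builds the self-signed root: CA:TRUE (critical basicConstraints) and keyCertSign.
// It carries no extended key usage, so leaves issued under it may be servers or clients.
func NewRootCA() (Identity, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "cluster root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return sign(tmpl, tmpl, nil)
}

// IssueCert issues one end-entity certificate under ca: CA:FALSE, digitalSignature (keyEncipherment
// only matters for RSA key exchange), one extended key usage, and for servers the node's addresses
// as IP SANs. Adding a node means issuing one more leaf; certificates already issued do not change.
func IssueCert(ca Identity, serial int64, cn string, eku x509.ExtKeyUsage, ips ...net.IP) (Identity, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(1, 0, 0),
		BasicConstraintsValid: true, // emitted as CA:FALSE
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		IPAddresses:           ips,
	}
	return sign(tmpl, ca.Cert, ca.Key)
}

func pool(root Identity) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(root.Cert)
	return p
}

// Verify is the check crypto/tls runs on a peer: chain to the root, the role's extended key usage,
// and, when dialed is non-empty, that address as a SAN (an IP literal is matched against IPAddresses).
func Verify(root Identity, leaf *x509.Certificate, eku x509.ExtKeyUsage, dialed string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool(root), DNSName: dialed,
		KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// Configs wires the identities into crypto/tls for both ends of a node-to-node link.
func Configs(root, server, client Identity, serverIP string) (srv, cli *tls.Config) {
	srv = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{server.Cert.Raw}, PrivateKey: server.Key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no valid client cert, no connection
		ClientCAs:    pool(root),
		MinVersion:   tls.VersionTLS12,
	}
	cli = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{client.Cert.Raw}, PrivateKey: client.Key}},
		RootCAs:      pool(root),
		ServerName:   serverIP, // tls.Dial sets this from the address; an IP literal works
		MinVersion:   tls.VersionTLS12,
	}
	return srv, cli
}
```

Verify with ServerAuth and the dialed IP is what the client side of Configs enforces; Verify with ClientAuth and an empty name is what tls.RequireAndVerifyClientCert enforces on the server side. A server leaf presented as a client certificate fails on the extended key usage, a leaf from a different root fails on the chain, and a dialed address missing from the SANs fails the name match, which is the same check the answer calls "an extremely good check", only against an IP instead of a DNS name.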

