I have a question regarding the x509 Verify function.
According to this example, https://golang.org/src/crypto/x509/example_test.go:
```go
package main

import (
	"crypto/x509"
	"encoding/pem"
)

const rootPEM = `-----BEGIN CERTIFICATE-----
too long... skipped
-----END CERTIFICATE-----`

const certPEM = `-----BEGIN CERTIFICATE-----
too long... skipped
-----END CERTIFICATE-----`

func main() {
	// Trust anchors: the pool of root certificates a valid chain must end in.
	roots := x509.NewCertPool()
	ok := roots.AppendCertsFromPEM([]byte(rootPEM))
	if !ok {
		panic("failed to parse root certificate")
	}

	// Strip the PEM wrapper and parse the DER-encoded leaf certificate.
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil {
		panic("failed to parse certificate PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		panic("failed to parse certificate: " + err.Error())
	}

	// Verify builds a chain from cert to one of the roots and checks the hostname.
	opts := x509.VerifyOptions{
		DNSName: "mail.google.com",
		Roots:   roots,
	}
	if _, err := cert.Verify(opts); err != nil {
		panic("failed to verify certificate: " + err.Error())
	}
}
```
we can verify a client certificate using the root cert from the CA that signed it. But I'm assuming this example is using a self-signed cert, since it needs to be given the root cert that I generated in order to recognize the certificate.
But what if the client certificate is signed by a public certificate authority like GoDaddy or Symantec?
Do I still need to provide the root cert to the NewCertPool in advance? Or will this library act like a browser, which already has the root certs installed from the start so you don't have to import or do anything? If not, can I import all the root certs from public CAs at once, or do I have to import them one by one manually?
Thank you so much for the patience reading my questions, any answers or suggestions are much appreciated!
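The following is an added, self-contained example (not part of the original post or of the Go example it quotes) showing the three trust-anchor choices the question is about: an explicit private pool, an empty pool, and a nil `Roots` field, which makes `Verify` fall back to the operating system's trust store (the "behave like a browser" case). It also shows `x509.SystemCertPool()` as the way to start from the OS roots and add a private CA on top. The CA and the leaf certificate for the hostname `mail.example.com` are generated in memory and are constructed test data; the helper names (`makeCertPair`, `verifyWith`, `systemPoolPlus`, `isUnknownAuthority`) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCertPair builds a throwaway CA and a leaf certificate for hostname signed
// by that CA. Both are constructed in memory so the example runs offline.
func makeCertPair(hostname string) (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"}, // constructed
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname}, // Verify matches DNSName against the SAN list
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if leaf, err = x509.ParseCertificate(leafDER); err != nil {
		return nil, nil, err
	}
	return ca, leaf, nil
}

// verifyWith chains leaf back to one of roots and checks hostname.
// roots == nil tells Verify to use the operating system's trust store,
// which is what happens for certificates issued by public CAs.
func verifyWith(leaf *x509.Certificate, roots *x509.CertPool, hostname string) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots})
	return err
}

// systemPoolPlus starts from the OS root store and adds one private CA, so a
// single pool trusts both public CAs and an internal one.
func systemPoolPlus(ca *x509.Certificate) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil {
		return nil, err // no usable OS store (e.g. a minimal container)
	}
	pool.AddCert(ca)
	return pool, nil
}

// isUnknownAuthority reports whether err is "chain does not end in a trusted root".
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	const host = "mail.example.com" // constructed hostname for the demo
	ca, leaf, err := makeCertPair(host)
	if err != nil {
		panic(err)
	}
	private := x509.NewCertPool()
	private.AddCert(ca)
	fmt.Println("private CA pool:  ", verifyWith(leaf, private, host))             // <nil>
	fmt.Println("empty pool:       ", verifyWith(leaf, x509.NewCertPool(), host)) // unknown authority
	fmt.Println("OS roots (nil):   ", verifyWith(leaf, nil, host))                // test CA is not in the OS store
	fmt.Println("wrong hostname:   ", verifyWith(leaf, private, "other.example.com"))
	if pool, err := systemPoolPlus(ca); err == nil {
		fmt.Println("OS roots + CA:    ", verifyWith(leaf, pool, host)) // <nil>
	}
}
```

The practical consequence for the question: leaving `Roots` nil (or passing `x509.SystemCertPool()`) is the browser-like behaviour, because Go loads the platform's installed root certificates for you; an explicit `NewCertPool` is needed only when you want to trust something the OS does not, or to trust *only* your own CA and nothing else.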