我写了一个小测试程序来创建自定义的自签名 CA 证书#1创建由该 CA 颁发的服务器证书#2 - 根证书#1创建带有证书#2 的服务器创建一个 RootCA 指向证书#1 的客户端客户端尝试连接到服务器并收到错误:获取 "https://localhost:2000": x509: certificate signed by unknown authority(可能是因为 "x509: Ed25519 验证失败" 同时尝试验证候选权威证书 "test-ca")我知道有很多这样的例子。我以为我跟他们很近,但我在这里。我在这里只展示最相关的结构,但程序的全文可以在这里找到: ... templateCA := &x509.Certificate{ Subject: pkix.Name{ CommonName: "test-ca", Organization: []string{"test ca"}, Country: []string{"USA"}, Province: []string{"NY"}, Locality: []string{"New York City"}, }, SerialNumber: serialNumber, NotBefore: time.Now(), NotAfter: time.Now().AddDate(0, 0, 1), BasicConstraintsValid: true, IsCA: true, SubjectKeyId: caSubjectKeyID[:], DNSNames: []string{"test-ca"}, KeyUsage: x509.KeyUsageCertSign }我错过了什么或做错了什么?
2 回答
红颜莎娜
TA贡献1842条经验 获得超13个赞
您可以使用私钥解密数据并加密散列数据以创建数字签名。
您可以使用公钥加密数据并解密数字签名来验证它。
您需要在这里做的是使用一个密钥对(公钥/私钥)生成 CA 证书,并使用该证书 + 相同的密钥对为您的服务器生成一个或多个证书。
如果您想使用浏览器/curl 作为客户端,则需要在根密钥库中添加 CA 证书。
明月笑刀无情
TA贡献1828条经验 获得超4个赞
我从上面粘贴了更正的代码片段。希望有一天,他们可以帮助某人。
...
templateCA := &x509.Certificate{
Subject: pkix.Name{
CommonName: "test-ca",
Organization: []string{"test ca"},
Country: []string{"USA"},
Province: []string{"NY"},
Locality: []string{"New York City"},
},
SerialNumber: serialNumber,
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(0, 0, 1),
BasicConstraintsValid: true,
IsCA: true,
KeyUsage: x509.KeyUsageCertSign
DNSNames: []string{"test-ca"},
}
...
certBytes, _ := x509.CreateCertificate(rand.Reader, templateCA, templateCA, privKeyCA.Public(), privKeyCA)
...
templateServer := &x509.Certificate{
Subject: pkix.Name{
CommonName: "localhost",
Organization: []string{"Server"},
Country: []string{"USA"},
Province: []string{"NY"},
Locality: []string{"New York City"},
},
SerialNumber: serialNumber,
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(0, 0, 1),
BasicConstraintsValid: true,
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
DNSNames: []string{"localhost"},
}
...
certBytes, _ = x509.CreateCertificate(rand.Reader, templateServer, caCert, privKeyServer.Public(), privKeyCA)
...
var (
tlsMinVersion = uint16(tls.VersionTLS12)
tlsMaxVersion = uint16(tls.VersionTLS13)
cipherSuites = []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}
curvePreferences = []tls.CurveID{
tls.X25519,
tls.CurveP256,
tls.CurveP384,
tls.CurveP521,
}
)
...
tlsServerConfig := &tls.Config{
Certificates: []tls.Certificate{*tlsSrvCert},
MinVersion: tlsMinVersion,
MaxVersion: tlsMaxVersion,
CurvePreferences: curvePreferences,
CipherSuites: cipherSuites,
PreferServerCipherSuites: true,
}
...
tlsClientConfig := &tls.Config{
ServerName: "localhost",
RootCAs: x509.NewCertPool(),
MinVersion: tlsMinVersion,
MaxVersion: tlsMaxVersion,
CurvePreferences: curvePreferences,
CipherSuites: cipherSuites,
PreferServerCipherSuites: true,
}
tlsClientConfig.RootCAs.AddCert(caCert)
- 2 回答
- 0 关注
- 146 浏览
添加回答
举报
0/150
提交
取消