Here's a script that helps you generate self signed certificates. It will generate both a root certificate and a leaf.
(The TLS certificates generated by crypto/tls/generate_cert.go
act both as a
CA and as a leaf certificate. Some TLS clients have a problem with that scheme.)
This script modifies crypto/tls/generate_cert.go
slightly:
-
A leaf certificate and a root certificate are generated.
-
the only supported key type is ecdsa P256.
-
Better usage instructions are generated.
Credit comes from Adam Langley, who provided the initial version of this script on a golang-nuts message thread.
go get github.com/kevinburke/generate-tls-cert
Running generate-tls-cert
will give you nine files. Three of them are the
most important:
-
root.pem
: The public key of the root CA. Add this as a CA in clients to connect to your self-signed server (see "Client" below). -
leaf.key
andleaf.pem
- The public and private key for terminating TLS with your self signed certificate.
$ generate-tls-cert --host=localhost,127.0.0.1
Successfully generated certificates! Here's what you generated.
# Root CA
root.key
The private key for the root Certificate Authority. Keep this private.
root.pem
The public key for the root Certificate Authority. Clients should load the
certificate in this file to connect to the server.
root.debug.crt
Debug information about the generated certificate.
# Leaf Certificate - Use these to serve TLS traffic.
leaf.key
Private key (PEM-encoded) for terminating TLS traffic on the server.
leaf.pem
Public key for terminating TLS traffic on the server.
leaf.debug.crt
Debug information about the generated certificate
# Client Certificate - You probably don't need these.
client.key: Secret key for TLS client authentication
client.pem: Public key for TLS client authentication
Add the following instructions to your Makefile, and all your users will have to
do to get started is run make generate_cert
to download the binary and load
TLS certificates.
GENERATE_TLS_CERT = $(GOPATH)/bin/generate-tls-cert
$(GENERATE_TLS_CERT):
go get -u github.com/kevinburke/generate-tls-cert
certs/leaf.pem: | $(GENERATE_TLS_CERT)
mkdir -p certs
cd certs && $(GENERATE_TLS_CERT) --host=localhost,127.0.0.1
# Generate TLS certificates for local development.
generate_cert: certs/leaf.pem | $(GENERATE_TLS_CERT)
Here's how to make requests that validate, using your new TLS certificates.
rootPEM, err := ioutil.ReadFile("path/to/root.pem")
if err != nil {
log.Fatal(err)
}
roots := x509.NewCertPool()
ok := roots.AppendCertsFromPEM(rootPEM)
if !ok {
panic("failed to parse root certificate")
}
// Use the tls.Config here in http.Transport.TLSClientConfig
conn, err := tls.Dial("tcp", "yourhost:yourport", &tls.Config{
RootCAs: roots,
})
if err != nil {
panic("failed to connect: " + err.Error())
}
conn.Close()
var fs = require('fs');
var https = require('https');
var get = https.request({
path: '/', hostname: 'yourhost', port: yourport,
ca: fs.readFileSync('path/to/root.pem'),
agent: false,
rejectUnauthorized: true,
}, function(response) {
response.on('data', (d) => {
process.stdout.write(d);
});
});
get.on('error', function(e) {
console.error(e)
console.error("error", e)
console.error("error", JSON.stringify(e))
});
get.end();
curl --cacert path/to/root.pem https://yourhost:yourport
import requests
r = requests.get("https://yourhost:yourport", verify='root.pem')
print(r.status_code)
openssl s_client -showcerts -servername localhost -CAfile path/to/root.pem -connect yourhost:yourport
Here's how to integrate the generated certificates into different server architectures.
Start the Go server with the leaf public and private keys.
http.ListenAndServeTLS(":7252", "leaf.pem", "leaf.key", nil)
Start a Node server with the leaf public and private keys.
const https = require('https');
const fs = require('fs');
const options = {
key: fs.readFileSync('leaf.key'),
cert: fs.readFileSync('leaf.pem'),
};
https.createServer(options, (req, res) => {
res.writeHead(200);
res.end('hello world\n');
}).listen(8000);
Add the following stanza to your nginx.conf
file.
ssl on;
ssl_certificate /path/to/leaf.pem;
ssl_certificate_key /path/to/leaf.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1.2;
ssl_ciphers "FIND UP TO DATE LIST OF CIPHERS";
ssl_prefer_server_ciphers on;