Golang app and its certificates?

How do I make an echo web application and create local certificates for it?

I know this is done with crypto/x509, I just can't find working examples.

PS: I am leaving golang.org/x/crypto/acme/autocert for myself to study in the future, as I understood that it generates certificates using the well-known service letsencrypt.org, which issues free certificates.
June 7th 19 at 14:27
2 answers
June 7th 19 at 14:29
Solution
If everything is done properly, it is no different from the usual OpenSSL tutorials, so:

0. If there is no ready Certificate Authority (CA), generate a new one: ecdsa.GenerateKey() + x509.CreateCertificate() (self-signed).

1. Generate the private key (PK) for your certificate: ecdsa.GenerateKey().

2. Generate the Certificate Signing Request (CSR): x509.CreateCertificateRequest(). As the CN (Common Name), specify the address at which we will reach the application. If there may be several such addresses, use the SAN extension in the certificate template.

3. Take the CA and issue yourself a certificate for the generated CSR: x509.CreateCertificate().

4. Use the certificate for TLS: http.ServeTLS().

The private key and certificate (both yours and the CA's) are stored in any directory of the file system you like. Permissions on the private keys are set to 0600. If all of this is only temporary, a temporary directory (os.TempDir()) is also an option, so as not to litter.

If this is just to play around and no PKI (Public Key Infrastructure) is planned, you can skip the CA/CSR business and immediately issue a self-signed certificate with the desired CN/SAN. That is, only step zero remains.

If our app faces the outside world not "naked" but behind some proxy server (e.g. Nginx), which is, in principle, even the recommended practice, the certificate can be attached to that host right there and the application left without TLS. In that case Nginx will decrypt the traffic and push already-unencrypted traffic into the app. This is called TLS termination.
If we want the traffic between the proxy server and our app to stay encrypted, then the proxy server's settings need to be fed our CA certificate, or CA verification has to be disabled.


PS In future, I urge you to formulate your questions more specifically and less vaguely. The more information you provide about what you need, the less time is needed to gather information and understand what you need. And, as a consequence, the quicker you will get your answer.

Treat not only your own time with respect, but others' too. - erwin_Rodrigu commented on June 7th 19 at 14:32
Thank you for your comprehensive answer. - Leonard_Wintheiser28 commented on June 7th 19 at 14:35
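Editor's addition: steps 0-4 of the answer above, worked through as runnable Go. This is added example code, not the answerer's or the asker's own; the names BuildLocalPKI, issue, VerifyLeaf and ServerTLSConfig, the CA name "local dev CA" and the hosts localhost and 127.0.0.1 are assumptions for the example and do not come from the thread. It also shows two things the answer only implies: the CA side should verify the CSR signature and decide validity, key usage and EKU itself rather than copy the CSR blindly, and IP addresses and DNS names are different SAN fields.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// LocalPKI is what steps 0-3 produce: a self-signed CA and the leaf it issued to the app.
type LocalPKI struct {
	CACert, LeafCert *x509.Certificate
	CAKey, LeafKey   *ecdsa.PrivateKey
}

// must aborts on failures a dev-cert generator cannot recover from (CSPRNG, DER encoding).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue gives tmpl a random 128-bit serial (sequential serials are a classic hand-rolled-CA mistake), signs it under parent with the signer's key and parses the DER back.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)))
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// BuildLocalPKI runs steps 0-3; hosts[0] becomes the CN and every host (DNS name or IP) goes into the SAN.
func BuildLocalPKI(hosts []string) *LocalPKI {
	// Step 0: CA key and self-signed CA certificate (the template is its own parent).
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "local dev CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Minute),          // tolerate small clock skew
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // may sign leaves only, never further CAs
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caCert := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	// Step 1: private key for the application's own certificate.
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	// Step 2: CSR with CN plus SAN; IP addresses and DNS names are separate SAN fields.
	csrTmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: hosts[0]}}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			csrTmpl.IPAddresses = append(csrTmpl.IPAddresses, ip)
		} else {
			csrTmpl.DNSNames = append(csrTmpl.DNSNames, h)
		}
	}
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, csrTmpl, leafKey))
	// Step 3: the CA parses the CSR, checks proof of possession of the key, and issues the leaf from reviewed CSR fields only; validity, key usage and EKU are the CA's decision.
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	leafCert := issue(&x509.Certificate{
		Subject:     csr.Subject,
		DNSNames:    csr.DNSNames,
		IPAddresses: csr.IPAddresses,
		NotBefore:   time.Now().Add(-time.Minute),
		NotAfter:    time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, caCert, csr.PublicKey, caKey)
	return &LocalPKI{CACert: caCert, LeafCert: leafCert, CAKey: caKey, LeafKey: leafKey}
}

// VerifyLeaf does what a TLS client (or the proxy in front of the app) does: chain leaf to the one root it trusts, ca, and match host against the SAN.
func VerifyLeaf(ca, leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// ServerTLSConfig is step 4: hand it to http.Server{TLSConfig: ...} and call ServeTLS(ln, "", "").
func (p *LocalPKI) ServerTLSConfig() *tls.Config {
	leaf := tls.Certificate{Certificate: [][]byte{p.LeafCert.Raw}, PrivateKey: p.LeafKey}
	return &tls.Config{Certificates: []tls.Certificate{leaf}, MinVersion: tls.VersionTLS12}
}

func main() {
	p := BuildLocalPKI([]string{"localhost", "127.0.0.1"}) // assumed hosts
	fmt.Println("issuer:", p.LeafCert.Issuer.CommonName, "SAN:", p.LeafCert.DNSNames, p.LeafCert.IPAddresses)
	fmt.Println("verifies for evil.example:", VerifyLeaf(p.CACert, p.LeafCert, "evil.example") == nil)
}
```

To store the material as the answer describes, PEM-encode `p.LeafCert.Raw`, `p.CACert.Raw` (type `CERTIFICATE`) and `x509.MarshalECPrivateKey(p.LeafKey)` (type `EC PRIVATE KEY`) with `pem.EncodeToMemory` and write the key file with `os.WriteFile(path, data, 0o600)`; the CA PEM is the file you hand to the proxy (for Nginx, `proxy_ssl_trusted_certificate` together with `proxy_ssl_verify on`) when the proxy-to-app hop must stay encrypted. A name that is not in the SAN, or a leaf checked against any CA other than the one that issued it, fails `VerifyLeaf`, which is exactly what a browser or the proxy will do.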
June 7th 19 at 14:31
Solution
I will answer myself.

Implemented in this project:
github.com/josvazg/webca
