25 Dec 2021 go实现https认证

2023-10-17 10:32:22 浏览数 (1)

创建ca

代码语言:javascript复制
$ openssl genrsa -out ca.key 2048
$ openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=SX/L=XA/O=RedHat, Inc./CN=RedHat Root CA" -out ca.crt

创建user1的证书

代码语言:javascript复制
$ openssl req -newkey rsa:2048 -nodes -keyout user1.key -subj "/C=CN/ST=GD/L=SZ/O=RedHat, Inc./CN=*.user1.com" -out user1.csr
$ openssl x509 -req -extfile <(printf "subjectAltName=DNS:user1.com,DNS:www.user1.com") -days 365 -in user1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out user1.crt

同样方式创建user2的证书

代码语言:javascript复制
$ openssl req -newkey rsa:2048 -nodes -keyout user2.key -subj "/C=CN/ST=GD/L=SZ/O=RedHat, Inc./CN=*.user2.com" -out user2.csr
$ openssl x509 -req -extfile <(printf "subjectAltName=DNS:user2.com,DNS:www.user2.com") -days 365 -in user2.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out user2.crt
$ ls ca*
ca.crt ca.key ca.srl
$ ls user1*
user1-server.go user1.crt       user1.csr       user1.key
$ ls user2*
user2-client.go user2.crt       user2.csr       user2.key

使用创建的证书实现https(tls)单向认证

user1作为server端,user2作为client端,即client端需要验证server端证书。

代码语言:javascript复制
$ go run user1-server.go
# 在另外一个终端访问user1-server
$ go run user2-client.go
I am user1

使用创建的证书实现https(mtls)双向认证

client和server端双向认证。

代码语言:javascript复制
$ go run user1-dual-server.go
# 在另外一个终端访问user1-server
$ go run user2-dual-client.go
I am user1

所有相关代码和证书:https://github.com/songleo/songleo.github.io/tree/main/src/https

ref

  • https://zhaohuabing.com/post/2020-03-19-pki/
  • https://tonybai.com/2015/04/30/go-and-https/

LEo at 00:12

0 人点赞