
Go client and server for mutual auth with TLS certificates.

Primary LanguageGo

CA infrastructure

This is an example of using TLS Client Authentication with certificates.


We use the cfssl Suite to generate and configure certificates.

Also, make sure that apiserver.go resolves to by e.g. adding it to /etc/hosts.

Create certificate infrastructure

Create the CA

Step 1 is to set up your CA infrastructure. First, create the CA:

$ cd certs
$ ./01-generate-root-ca.sh
2018/10/11 11:40:17 [INFO] generating a new CA key and certificate from CSR
2018/10/11 11:40:17 [INFO] generate received request
2018/10/11 11:40:17 [INFO] received CSR
2018/10/11 11:40:17 [INFO] generating key: rsa-2048
2018/10/11 11:40:17 [INFO] encoded CSR
2018/10/11 11:40:17 [INFO] signed certificate with serial number 123123123123...
$ ls ca/
ca-config.json	ca-csr.json	ca-key.pem	ca.csr		ca.pem

The ca/ca-key.pem file is the private key while ca/ca.pem is the public key file for your CA.

Create the server certificate

Step 2 is to create a public key pair for the server-side:

$ ./02-generate-server-cert.sh
2018/10/11 11:42:05 [INFO] generate received request
2018/10/11 11:42:05 [INFO] received CSR
2018/10/11 11:42:05 [INFO] generating key: rsa-2048
2018/10/11 11:42:05 [INFO] encoded CSR
2018/10/11 11:42:05 [INFO] signed certificate with serial number 123123...
$ ls servers
apiserver-csr.json	apiserver-key.pem	apiserver.csr		apiserver.pem

Now we have a certificate for apiserver.go. Again, servers/apiserver-key.pem holds the private key while servers/apiserver.pem holds the public key.

Create the client certificates

Step 3 creates client certificates. You might need as many as there are users calling the server. Here's how to set up a client with the common name of admin@alt-f4.de:

$ ./03-generate-client-cert.sh
2018/10/11 11:44:52 [INFO] generate received request
2018/10/11 11:44:52 [INFO] received CSR
2018/10/11 11:44:52 [INFO] generating key: rsa-2048
2018/10/11 11:44:52 [INFO] encoded CSR
2018/10/11 11:44:52 [INFO] signed certificate with serial number 123123123...
$ ls clients
admin@alt-f4.de-csr.json	admin@alt-f4.de-key.pem	admin@alt-f4.de.csr		admin@alt-f4.de.pem

Starting the server

The server is configured to use tls.VerifyClientCertIfGiven by default, meaning: You can give me a certificate and if you do, I'll verify it. If you don't, I'll proceed the request anyway. You can change that in server/main.go.

Build and run the server:

$ make server start-server
go build -o srv ./server/...
./srv -addr=:10443 -ca=./certs/ca/ca.pem -key=./certs/servers/apiserver-key.pem -cert=./certs/servers/apiserver.pem
2018/10/11 11:50:08 Serving TLS at [::]:10443

Starting the client

To run the client, do:

$ make client start-client
go build -o cli ./client/...
./cli -ca=./certs/ca/ca.pem -key=./certs/clients/admin@alt-f4.de-key.pem -cert=./certs/clients/admin@alt-f4.de.pem https://apiserver.go:10443
Authenticated as admin@alt-f4.de

To see what happens if you don't specify a valid certificate, do:

$ curl -k -I https://apiserver.go:10443
HTTP/2 401
content-type: text/plain; charset=utf-8
x-content-type-options: nosniff
content-length: 35
date: Thu, 11 Oct 2018 09:52:42 GMT


Copyright (c) 2021 Oliver Eilhard. All rights reserved.