This is a basic implementation of ssl client certificate authentication without certification authority (CA).
The purpose here is to behave like an SSH key authentication
We authorize self signed .crt on server side.
First generate server certs, used for ssl transport
$ ./genssl.sh serverThen generate a client cert
$ mkdir authorizedkeys
$ ./genssl.sh authorizedkeys/clientRun the server
$ go run server.go -bind :4242 -key server.key -cert server.crt -clients ./authorizedkeys
2016/11/28 14:52:07 Loaded 1 certificate(s)
2016/11/28 14:52:07 listen :4242Call using curl
curl -v --insecure --key authorizedkeys/client.key --cert authorizedkeys/client.crt \
https://localhost:4242/helloYou can generate a new client cert outside authorizedkeys directory to try an unauthorized one.
On MacOS X, since Mavericks, ssl certs are managed by Apple keychain. See https://curl.haxx.se/mail/archive-2014-10/0053.html
Most of this code was inspired by lxd works on the matter https://github.com/lxc/lxd