证书的key是可以加密保存的,我们需要进行解密加载
func MyLoadX509KeyPair(certFile, keyFile, password string) (tls.Certificate, error) {
certPEMByte, err := ioutil.ReadFile(certFile)
if err != nil {
return tls.Certificate{}, err
}
keyPEMByte, err := ioutil.ReadFile(keyFile)
if err != nil {
glog.Errorf("read %s failed! err: %s", keyFile, err)
return tls.Certificate{}, err
}
keyPEMBlock, rest := pem.Decode(keyPEMByte)
if len(rest) > 0 {
glog.Errorf("Decode key failed!")
return tls.Certificate{}, errors.Errorf("Decode key failed!")
}
if x509.IsEncryptedPEMBlock(keyPEMBlock) {
keyDePEMByte, err := x509.DecryptPEMBlock(keyPEMBlock, []byte(password))
if err != nil {
glog.Errorf("decrypt failed! %s", err)
return tls.Certificate{}, err
}
// 解析出其中的RSA 私钥
key, err := x509.ParsePKCS1PrivateKey(keyDePEMByte)
if err != nil {
glog.Errorf("ParsePKCS1PrivateKey failed! %s", err)
return tls.Certificate{}, err
}
// 编码成新的PEM 结构
keyNewPemByte := pem.EncodeToMemory(
&pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(key),
},
)
return tls.X509KeyPair(certPEMByte, keyNewPemByte)
} else {
return tls.X509KeyPair(certPEMByte, keyPEMByte)
}
}
证书key进行增加密码或者去掉密码的操作方式
1、检测ssl.key 密码是否正确
openssl rsa -text -noout -in server.key 命令输出: Private-Key: (2048 bit) modulus: 00:b0:fd:c2:81:60:3f:d2:dc:fe:2d:34:c6:46:1e: 08:72:c3:78:f3:4d:12:16:b9:39:3e:0b:d3:8b:e7: ...
2 . 给server.key 添加密码
openssl rsa -des -in server.key -out encrypt.key 输出: writing RSA key Enter PEM pass phrase: 密码 Verifying - Enter PEM pass phrase: 再次输入密码 encrypt.key 这个文件就是加密过的key
3. 去掉密码
encrypt.key 加密KEY nopassword.key 无加密 #openssl rsa -in encrypt.key -out nopassword.key writing RSA key Enter PEM pass phrase: 密码 Verifying - Enter PEM pass phrase: 再次输入密码