自签CA、server、client 证书并双向认证
openssl
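# --- CA key and self-signed CA certificate ---
# ca.crt takes its extensions from ca.conf's x509_extensions / -extensions
# (req -x509 does not read req_extensions), so ca.conf must define the CA
# extensions there for CA:TRUE / keyCertSign to end up in the certificate.
# ca.key is written unencrypted: restrict its permissions and keep it off the servers.
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -config ca.conf -days 5000 -out ca.crt
# --- Server certificate ---
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -config example.com.conf
# -extensions v3_req -extfile example.com.conf is required: `x509 -req` does not
# copy the CSR's extensions (SAN, keyUsage) into the certificate by itself.
# 5000 days (~13.7 years) is long for a leaf certificate; shorten it outside a lab.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 5000 -extensions v3_req -extfile example.com.conf
# --- Client certificate ---
openssl genrsa -out client.key 2048
openssl req -new -key client.key -config example.com.conf -out client.csr
# 1. Create the file client.ext with the content: extendedKeyUsage=clientAuth
# Pass exactly ONE -extfile: openssl keeps only the last one, so a second
# "-extfile example.com.conf" after client.ext silently dropped the clientAuth
# EKU. client.ext is read as the default section, so no -extensions is needed.
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile client.ext -out client.crt -days 5000
# --- Inspect the certificates ---
openssl x509 -text -in client.crt -noout
openssl x509 -text -in server.crt -noout
# Confirm both leaf certificates chain to ca.crt before copying anything
openssl verify -CAfile ca.crt server.crt client.crt
# Copy ca.crt, server.crt and server.key to the server
# Copy ca.crt, client.crt and client.key to the client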
ca.conf
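# ca.conf — OpenSSL config for the self-signed root CA.
# Used by: openssl req -x509 -new -nodes -key ca.key -config ca.conf -days 5000 -out ca.crt
# With -x509, `req` takes the certificate extensions from x509_extensions
# (or -extensions), NOT from req_extensions; previously only req_extensions
# was set, so the v3_req section was never applied to ca.crt.
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
# Extensions written into a CSR (only used without -x509)
req_extensions = v3_req
# Extensions written into the self-signed CA certificate (-x509)
x509_extensions = v3_ca

# Subject DN: the value after '=' is the prompt text, *_default the fallback answer
[ req_distinguished_name ]
# Minimum of 4 bytes are needed for common name
# NOTE(review): "examples.com" differs from the "example.com" used in
# example.com.conf; the CA's CN is not matched against hostnames, so this is cosmetic
commonName = www.examples.com
commonName_default = *.examples.com
commonName_max = 64
# Two-letter ISO country code only
countryName = China
countryName_default = CN
# State is optional, no minimum limit
stateOrProvinceName = Province
stateOrProvinceName_default = Beijing
# City is required
localityName = City
localityName_default = Beijing
# Organization is optional
organizationName = Organization
organizationName_default = ca
# Organizational unit is optional
organizationalUnitName = ca
organizationalUnitName_default = ca
# Email is optional
emailAddress = Email
emailAddress_default = email@example.com

# Extensions for the self-signed CA certificate
[ v3_ca ]
# A CA's keyUsage must include keyCertSign (and cRLSign); OpenSSL refuses to
# treat a certificate as a CA when keyUsage is present without keyCertSign
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

# CSR extensions, kept for callers that pass -extensions v3_req; aligned with v3_ca
[ v3_req ]
# CA certificate (an end-entity certificate would use CA:FALSE)
basicConstraints = CA:TRUE
keyUsage = keyCertSign, cRLSign, nonRepudiation, digitalSignature, keyEncipherment
# Not needed on a CA certificate, retained from the original configuration
subjectAltName = @alt_names

# DNS names referenced by subjectAltName
[ alt_names ]
DNS.1 = www.example.com
DNS.2 = *.example.com
DNS.3 = localhost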
example.com.conf
# example.com.conf — OpenSSL config for the end-entity (server / client) certificates.
# Used by:
#   openssl req -new ... -config example.com.conf                          (CSR)
#   openssl x509 -req ... -extensions v3_req -extfile example.com.conf     (signing)

[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
# Produce a v3 request carrying the extensions listed in [ v3_req ]
req_extensions = v3_req

# Subject DN: the value after '=' is the prompt shown to the user,
# *_default is the answer used when the prompt is left empty.
[ req_distinguished_name ]
# Common name (original note: minimum of 4 bytes; at most 64)
commonName = www.example.com
commonName_max = 64
commonName_default = *.example.com
# Two-letter ISO country code
countryName = China
countryName_default = CN
# State or province (optional, no minimum length)
stateOrProvinceName = Province
stateOrProvinceName_default = Beijing
# City (required)
localityName = City
localityName_default = Beijing
# Organization (optional)
organizationName = Organization
organizationName_default = My Company
# Organizational unit (optional)
organizationalUnitName = Department
organizationalUnitName_default = My Department
# Contact e-mail (optional)
emailAddress = Email
emailAddress_default = email@example.com

# X.509 v3 extensions for the signed end-entity certificate
[ v3_req ]
# End-entity certificate; only a CA certificate would use CA:TRUE
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Host names the certificate is valid for, see [ alt_names ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = www.example.com
DNS.2 = *.example.com
DNS.3 = localhost
client.ext
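# client.ext — X.509 v3 extensions for the client certificate.
# Read as the default section (no -extensions needed) by:
#   openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile client.ext -out client.crt
# Give only ONE -extfile: openssl keeps the last one, so a trailing
# "-extfile example.com.conf" would silently discard this file.
# End-entity certificate, never a CA
basicConstraints = CA:FALSE
# Key usage for a TLS client; clientAuth is what the server's mutual-TLS check requires
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth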
自制CA证书,自制客户端,服务端证书: https://blog.csdn.net/qq_22239675/article/details/86541088
// Go fragment: load the server key pair and read the CA certificate bundle.
// NOTE(review): the (tls.Certificate, error) result of LoadX509KeyPair is discarded and
// the ReadFile error is ignored, so a missing or unreadable cert/key file goes unnoticed here.
tls.LoadX509KeyPair("cert/server.crt", "cert/server.key");ca, _ := ioutil.ReadFile("cert/ca.crt")
生成证书参考:https://www.cnblogs.com/pzblog/p/9088286.html