openssl证书生成
1. 生成普通证书
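# Step 1: self-signed server and client certificates (no CA involved).
# Go clients (1.15+) match the hostname against subjectAltName only, not CN,
# so the server certificate carries a DNS SAN (-addext needs OpenSSL 1.1.1+).
# -days 3650 (10 years) is convenient for local tests; shorten it for anything else.
$ openssl genrsa -out server.key 2048
$ openssl req -new -x509 -days 3650 -subj "/C=GB/L=China/O=grcp-server/CN=server.grpc.io" -addext "subjectAltName=DNS:server.grpc.io" -key server.key -out server.crt
$ openssl genrsa -out client.key 2048
$ openssl req -new -x509 -days 3650 -subj "/C=GB/L=China/O=grpc-client/CN=client.grpc.io" -key client.key -out client.crt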
2. 生成CA证书
# Step 2: the CA key pair and its self-signed root certificate.
# ca.key signs every certificate below; keep it offline/restricted.
$ openssl genrsa -out ca.key 2048
$ openssl req -x509 -new -key ca.key -days 3650 -subj "/C=GB/L=China/O=gobook/CN=github.com" -out ca.crt
3. 生成CA证书后对服务器端证书进行签名
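# Step 3: server CSR, signed by the CA. `openssl x509 -req` does not copy
# extensions from the CSR, so the SAN is supplied with -extfile. The DNS name
# must equal the client's tls.Config.ServerName ("server.io"); Go 1.15+ ignores CN.
$ openssl req -new -subj "/C=GB/L=China/O=server/CN=server.io" -key server.key -out server.csr
$ printf "subjectAltName=DNS:server.io\n" > server.ext
$ openssl x509 -req -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -extfile server.ext -in server.csr -out server.crt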
4. 用CA证书对客户端证书签名
# Step 4: client CSR, signed by the same CA. The Go server only checks that the
# client certificate chains to ClientCAs (no hostname match), so CN alone suffices.
$ openssl req -new -key client.key -subj "/C=GB/L=China/O=client/CN=client.io" -out client.csr
$ openssl x509 -req -sha256 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out client.crt
5. golang服务端CA认证
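// Server side: present server.crt/server.key and require every client to show
// a certificate that chains to ca.crt (mutual TLS).
certificate, err := tls.LoadX509KeyPair("server.crt", "server.key")
if err != nil {
	log.Fatal(err)
}
// Trust anchors used to verify client certificates: only the CA from step 2.
certPool := x509.NewCertPool()
// ioutil.ReadFile is deprecated since Go 1.16; os.ReadFile is the drop-in replacement.
ca, err := ioutil.ReadFile("ca.crt")
if err != nil {
	log.Fatal(err)
}
// AppendCertsFromPEM reports false when no certificate could be parsed from the data.
if ok := certPool.AppendCertsFromPEM(ca); !ok {
	log.Fatal("failed to append certs")
}
creds := credentials.NewTLS(&tls.Config{
	Certificates: []tls.Certificate{certificate},
	// The handshake fails unless the client presents a certificate that
	// verifies against ClientCAs.
	ClientAuth: tls.RequireAndVerifyClientCert,
	ClientCAs:  certPool,
	// Explicit floor: Go servers before 1.22 still accepted TLS 1.0/1.1 by default.
	MinVersion: tls.VersionTLS12,
})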
6. golang客户端CA认证
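// Client side: present client.crt/client.key to the server and verify the
// server certificate against ca.crt.
certificate, err := tls.LoadX509KeyPair("client.crt", "client.key")
if err != nil {
	log.Fatal(err)
}
// Trust anchors for the server certificate: only the CA from step 2, not the system roots.
certPool := x509.NewCertPool()
// ioutil.ReadFile is deprecated since Go 1.16; os.ReadFile is the drop-in replacement.
ca, err := ioutil.ReadFile("ca.crt")
if err != nil {
	log.Fatal(err)
}
// AppendCertsFromPEM reports false when no certificate could be parsed from the data.
if ok := certPool.AppendCertsFromPEM(ca); !ok {
	log.Fatal("failed to append ca certs")
}
creds := credentials.NewTLS(&tls.Config{
	Certificates: []tls.Certificate{certificate},
	// ServerName must appear as a DNS subjectAltName in server.crt; Go 1.15+
	// no longer falls back to the Common Name.
	ServerName: "server.io",
	RootCAs:    certPool,
	// Explicit floor so the client never negotiates TLS 1.0/1.1.
	MinVersion: tls.VersionTLS12,
})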