package mqttx
import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"os"
)
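// NewTLSConfig builds a client-side tls.Config for connecting to an MQTT broker.
//
// cafile is a PEM bundle of CA certificates used to verify the broker's
// certificate chain; clientCertFile and clientKeyFile are the PEM-encoded
// client certificate and private key presented to the broker (mutual TLS).
//
// It returns an error when the CA bundle cannot be read or contains no
// parseable certificate, when the client key pair cannot be loaded, or when
// the client leaf certificate does not parse. Server verification is always
// on: InsecureSkipVerify is never set.
func NewTLSConfig(cafile, clientCertFile, clientKeyFile string) (*tls.Config, error) {
	// Trusted roots come exclusively from cafile; the system bundle is not
	// consulted. An unreadable or empty bundle therefore has to be reported
	// here, otherwise it only surfaces later as an opaque "unknown authority"
	// handshake failure on every connection.
	pemCerts, err := os.ReadFile(cafile)
	if err != nil {
		return nil, fmt.Errorf("reading CA bundle %q: %w", cafile, err)
	}
	certpool := x509.NewCertPool()
	if !certpool.AppendCertsFromPEM(pemCerts) {
		return nil, fmt.Errorf("CA bundle %q contains no valid PEM certificate", cafile)
	}

	// Client certificate/key pair sent to the broker during the handshake.
	cert, err := tls.LoadX509KeyPair(clientCertFile, clientKeyFile)
	if err != nil {
		return nil, fmt.Errorf("loading client key pair: %w", err)
	}
	// Populate cert.Leaf so callers can inspect the client certificate
	// (e.g. for logging); this also rejects a malformed certificate early.
	cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return nil, fmt.Errorf("parsing client certificate: %w", err)
	}

	return &tls.Config{
		// RootCAs: CAs used to verify the broker's certificate chain.
		RootCAs: certpool,
		// ClientAuth and ClientCAs only apply to a server-side config; they
		// are kept at their zero values for this client config.
		ClientAuth: tls.NoClientCert,
		ClientCAs:  nil,
		// Never skip verification: the broker's certificate must chain to
		// RootCAs and its name must match the host being dialed.
		InsecureSkipVerify: false,
		// Certificates: the client certificate chain offered to the broker.
		Certificates: []tls.Certificate{cert},
		// Refuse legacy protocol versions (matches the modern Go default, but
		// pinned explicitly so the floor does not depend on the toolchain).
		MinVersion: tls.VersionTLS12,
	}, nil
}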