spgyip/self-signed-certificate

Self-signed certificate

Test with openssl

make help

Create certificates

make ca
make certs

Run test

Open a terminal and run the server.

make runs

Open another terminal and run the test clients. See the Makefile for the test cases.

make runc-no-verify        # Succ
make runc-verify-no-ca     # Fail
make runc-verify-host-err  # Fail
make runc-verify-succ      # Succ

Test mTLS

make runs-verify
make runc-verify-succ   # Fail
make runc-with-cert     # Succ

httpsrv

See cmd/httpsrv/. Build with make bin.

HTTP

./bin/httpsrv server -insecure

./bin/httpsrv client -url http://localhost:4433/hello

HTTPS

./bin/httpsrv server -cert pki/certs/server/test-server.pem -key pki/certs/server/test-server-key.pem

./bin/httpsrv client -cacert pki/CA_test/cacert.pem

HTTPS skip verify

./bin/httpsrv server -cert pki/certs/server/test-server.pem -key pki/certs/server/test-server-key.pem

./bin/httpsrv client -insecure

mTLS

Mutual TLS verifies the certificate on both sides, so the client must also present a client certificate and key.

./bin/httpsrv server -cert pki/certs/server/test-server.pem -key pki/certs/server/test-server-key.pem -verify -cacert pki/CA_test/cacert.pem

./bin/httpsrv client -cacert pki/CA_test/cacert.pem -cert pki/certs/client/test-client.pem -key pki/certs/client/test-client-key.pem

AutoTLS

AutoTLS is a convenient way to use TLS as an encrypted transport without managing a CA or certificates. The server creates a temporary certificate on startup, and the client skips server certificate verification.

./bin/httpsrv server -auto-tll

./bin/httpsrv client -insecure

TODO

  • In httpsrv, how to verify the client certificate's hostname.
  • Build a Go tool to generate the CA and certificates for future reuse.
  • The directory TODO/ is a standalone program; integrate it with this project.
    • Solved: integrated into httpsrv.
  • Add DNS:localhost to the certificates' SANs so the client can visit https://localhost:4433/.
    • Stuck on a problem: once SANs are added to a certificate, the SSL client no longer uses the CN to match the hostname?
    • Solved: according to RFC6215, if the SANs extension exists, match against the SANs; otherwise match the subject CN.
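The test matrix above (plain HTTPS, mutual TLS and AutoTLS) and the SAN/CN point from the last TODO item, replayed in-process as an added Go example. This is not code from this repository's cmd/httpsrv: it generates a throwaway CA, server certificate and client certificate in memory (constructed stand-ins for the files under pki/), starts an httptest server with the equivalent of the -verify/-cacert and -insecure settings, and returns one boolean per Makefile target. The names issue, serve, get, RunMatrix and HostnameMatches, the subject names "Test CA", "test-client" and "autotls", and the mismatching host "wrong.example" are this example's own; it assumes Go 1.18 or newer and a loopback interface to listen on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates an in-memory certificate (a constructed stand-in for the files under pki/) for cn
// with the given DNS SANs. A nil parent yields a self-signed certificate (the test CA, or an
// AutoTLS-style throwaway server cert); otherwise parent signs it. Leaf and PrivateKey are filled in.
func issue(cn string, sans []string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              sans,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA { // a CA additionally needs the certificate-signing key usage
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed: the template signs itself with its own key
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, key.Public(), parent.PrivateKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// serve starts an HTTPS test server on 127.0.0.1. A non-nil clientCAs is the equivalent of
// "server -verify -cacert ...": the server demands and verifies a client certificate (mTLS).
func serve(cert tls.Certificate, clientCAs *x509.CertPool) *httptest.Server {
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { io.WriteString(w, "hello") }))
	s.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	if clientCAs != nil {
		s.TLS.ClientAuth, s.TLS.ClientCAs = tls.RequireAndVerifyClientCert, clientCAs
	}
	s.StartTLS()
	return s
}

// get performs one GET with the given client-side TLS config and reports whether it succeeded.
func get(url string, cfg *tls.Config) bool {
	tr := &http.Transport{TLSClientConfig: cfg}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err == nil
}

// RunMatrix replays the README's test cases; keys are the Makefile targets, prefixed by server mode.
func RunMatrix() map[string]bool {
	ca := issue("Test CA", nil, true, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	server := issue("localhost", []string{"localhost"}, false, &ca) // DNS:localhost in the SANs, as in the TODO
	client := issue("test-client", nil, false, &ca)
	res := map[string]bool{}
	s := serve(server, nil) // make runs
	res["runc-no-verify"] = get(s.URL, &tls.Config{InsecureSkipVerify: true})
	res["runc-verify-no-ca"] = get(s.URL, &tls.Config{RootCAs: x509.NewCertPool(), ServerName: "localhost"})
	res["runc-verify-host-err"] = get(s.URL, &tls.Config{RootCAs: pool, ServerName: "wrong.example"})
	res["runc-verify-succ"] = get(s.URL, &tls.Config{RootCAs: pool, ServerName: "localhost"})
	s.Close()
	s = serve(server, pool) // make runs-verify: mutual TLS
	res["runs-verify/runc-verify-succ"] = get(s.URL, &tls.Config{RootCAs: pool, ServerName: "localhost"})
	res["runs-verify/runc-with-cert"] = get(s.URL, &tls.Config{RootCAs: pool, ServerName: "localhost", Certificates: []tls.Certificate{client}})
	s.Close()
	s = serve(issue("autotls", nil, false, nil), nil) // AutoTLS: throwaway self-signed certificate
	res["auto-tls/runc-insecure"] = get(s.URL, &tls.Config{InsecureSkipVerify: true})
	s.Close()
	return res
}

// HostnameMatches applies the rule Go's crypto/x509 uses: SANs are matched, the subject CN never is.
func HostnameMatches(c *x509.Certificate, host string) bool {
	return c.VerifyHostname(host) == nil
}
```

Two things the matrix makes visible. First, the AutoTLS row succeeds only because the client sets InsecureSkipVerify: the connection is encrypted, but the client has no assurance of which server it is talking to, which is why that mode belongs in local testing rather than in a deployment. Second, HostnameMatches shows why the TODO got stuck: Go's client matches only the SANs, and since Go 1.15 it ignores the subject CN entirely, so a certificate whose CN is localhost but whose SAN is something else is rejected for localhost; the CN fallback the TODO describes is not something Go's crypto/x509 performs.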
