get system root cert pool


mcel...@gmail.com

Aug 24, 2015, 5:02:04 PM8/24/15
to golang-nuts
I would like to be able to get a copy of the system root cert pool so that I can append my own cert. (I am trying to instantiate an http.Client that trusts my CA as well as the default ones.) Is there a way to do this without duplicating the code in crypto/x509/root_*.go? Is there a reason that func systemRootsPool in crypto/x509/root.go is not exported? Thanks!

Giulio Iotti

Aug 24, 2015, 5:12:49 PM8/24/15
to golang-nuts
On Tuesday, August 25, 2015 at 12:02:04 AM UTC+3, mcel...@gmail.com wrote:
I would like to be able to get a copy of the system root cert pool so that I can append my own cert. (I am trying to instantiate an http.Client that trusts my CA as well as the default ones.) Is there a way to do this without duplicating the code in crypto/x509/root_*.go? Is there a reason that func systemRootsPool in crypto/x509/root.go is not exported? Thanks!

What you are trying to do has nothing to do with Go. Each operating system has its own way to do what you want (add a certificate as a root CA, am I correct?)


Alternatively, if you only want to test stuff, disable certificate check in the client while developing.

-- 
Giulio Iotti

joe.b...@coreos.com

Feb 8, 2016, 4:36:32 PM2/8/16
to golang-nuts
(sorry for resurrecting a zombie post...)

I'm in the same boat as mcel - what I'd like to do is add a new root CA inside of a single Golang process - *not* install it on the OS. Then I'd like to have a connection work with either my new, internal-to-the-process CA, or some other well known system CA. I can get halfway there with

const specialRoot = `
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----`

roots := x509.NewCertPool()
ok := roots.AppendCertsFromPEM([]byte(specialRoot))
if !ok {
    panic("failed to parse root certificate")
}

// Here example.com *must* use my special root cert, or the connection fails.
conn, err := tls.Dial("tcp", "example.com:443", &tls.Config{
    RootCAs: roots,
})

However, I don't know if example.com above will use the specialRoot cert or some other system root. What I'd really like to do is

roots := x509.NewCertPool()
roots.AppendAllFromPool(systemRootsPool) // <<-- NOT REAL GO
ok := roots.AppendCertsFromPEM([]byte(specialRoot))

// Now example.com can either use a cert from the OS, *or* my special cert
conn, err := tls.Dial("tcp", "example.com:443", &tls.Config{
    RootCAs: roots,
})

Is there a more correct way of doing that? Or is there something particularly wrongheaded about wanting to do it in the first place?
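
The "system roots plus my own CA" pool that both posters above are asking for became possible with x509.SystemCertPool(), which was added to the standard library in Go 1.7, after this thread. The following is an added example, not code from any poster in the thread: it builds the combined pool, wires it into an http.Client with verification left fully on (no InsecureSkipVerify), and proves with an in-process self-signed CA that a certificate issued by that CA is accepted only when the CA is in the pool and only for the hostname it was issued for. The function names trustPool, newClient, verifyLeaf and makeTestCA, and the hostname internal.example, are my own choices; the CA and leaf certificate are constructed fresh on every run.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// trustPool returns a copy of the OS root pool with the PEM CA(s) in extraCA appended.
// If no system pool is available it falls back to an empty pool; a PEM with no
// parseable certificate is an error rather than a silently smaller trust store.
func trustPool(extraCA []byte) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool() // Go 1.7+; returns a copy, safe to mutate
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	if !pool.AppendCertsFromPEM(extraCA) {
		return nil, errors.New("no CA certificates found in extra PEM")
	}
	return pool, nil
}

// newClient builds an http.Client that accepts chains rooted in the OS store or extraCA.
func newClient(extraCA []byte) (*http.Client, error) {
	pool, err := trustPool(extraCA)
	if err != nil {
		return nil, err
	}
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.TLSClientConfig = &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: tr, Timeout: 10 * time.Second}, nil
}

// verifyLeaf checks that leaf chains to a root in pool and is valid for host.
func verifyLeaf(pool *x509.CertPool, leaf *x509.Certificate, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// makeTestCA generates a throwaway self-signed CA and a server cert for host (constructed test data).
func makeTestCA(host string) (caPEM []byte, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Internal Root (test)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if leaf, err = x509.ParseCertificate(leafDER); err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leaf, nil
}

func main() {
	const host = "internal.example" // hypothetical hostname
	caPEM, leaf, err := makeTestCA(host)
	if err != nil {
		panic(err)
	}
	if _, err := newClient(caPEM); err != nil { // the same pool an http.Client would use
		panic(err)
	}
	pool, _ := trustPool(caPEM)
	fmt.Println("OS roots + internal CA:", verifyLeaf(pool, leaf, host))
	fmt.Println("empty pool:            ", verifyLeaf(x509.NewCertPool(), leaf, host))
}
```

The important property for a defender is that the pool only ever grows by the CA you append: system roots keep working for public hosts, the internal CA works for internal hosts, and hostname checking and chain validation stay in force for both, which is what Giulio's "disable certificate check while developing" shortcut gives up.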

Brad Fitzpatrick

Feb 8, 2016, 6:43:05 PM2/8/16
to joe.b...@coreos.com, golang-nuts

