self-signed certificate

Sonia Keys

Nov 1, 2012, 1:46:05 PM
to golan...@googlegroups.com
I'm trying to learn about certificates and trying to get an https client to use a certificate I made with crypto/x509/generate_cert.go.  My server is http://play.golang.org/p/P-frV4zd6R.  Installing the cert into a browser, the browser is happy with the cert.  My client program though (http://play.golang.org/p/Rzx8oNuXAb) doesn't like it and gives "Get https://127.0.0.1:8080: x509: certificate signed by unknown authority."  I expected that putting the certificate in Config.RootCAs would make it a known authority, but obviously not.  How can I do this, or what do I need to learn next?

minux

Nov 1, 2012, 1:52:49 PM
to Sonia Keys, golan...@googlegroups.com
On Fri, Nov 2, 2012 at 1:46 AM, Sonia Keys <soni...@gmail.com> wrote:
> I'm trying to learn about certificates and trying to get an https client to use a certificate I made with crypto/x509/generate_cert.go.  My server is http://play.golang.org/p/P-frV4zd6R.  Installing the cert into a browser, the browser is happy with the cert.  My client program though (http://play.golang.org/p/Rzx8oNuXAb) doesn't like it and gives "Get https://127.0.0.1:8080: x509: certificate signed by unknown authority."  I expected that putting the certificate in Config.RootCAs would make it a known authority, but obviously not.  How can I do this, or what do I need to learn next?

I think you will need a cert with basic constraint CA set to true to be usable as Config.RootCAs.

Sonia Keys

Nov 1, 2012, 1:59:26 PM
to golan...@googlegroups.com, Sonia Keys
I wondered about that.  I tried adding

    BasicConstraintsValid: true,
    IsCA: true,

to the template in generate_cert.go, but that didn't help.

Rob Lapensee

Nov 1, 2012, 2:02:11 PM
to golan...@googlegroups.com, Sonia Keys

This is some code snipped out of a program that tells the connection to allow "Insecure",
the marked line is what I need to allow my program to connect to a self-signed certificate.

    import (
        "crypto/tls"
        "net/http"
    )

    var bodyType string = "text/xml"
    var client *http.Client
    var err error
    var res *http.Response

    // InsecureSkipVerify disables certificate verification for this client.
    config := &tls.Config{InsecureSkipVerify: true} // this line here
    tr := &http.Transport{TLSClientConfig: config}
    client = &http.Client{Transport: tr}

    // url and bodyReader come from the surrounding program.
    res, err = client.Post(url, bodyType, bodyReader)

Regards,

Rob

Sonia Keys

Nov 1, 2012, 2:09:54 PM
to golan...@googlegroups.com, Sonia Keys
Yes, InsecureSkipVerify makes the message go away, but I was looking for a way to get it to properly verify.  Seems like there should be a way.

Sonia Keys

Nov 1, 2012, 3:12:50 PM
to golan...@googlegroups.com, Sonia Keys, a...@google.com
That was it!  Thank you.  It took both KeyUsageCertSign and IsCA.

On Thursday, November 1, 2012 2:56:56 PM UTC-4, a...@google.com wrote:
> On Thursday, November 1, 2012 2:09:54 PM UTC-4, Sonia Keys wrote:
> > Yes, InsecureSkipVerify makes the message go away, but I was looking for a way to get it to properly verify.  Seems like there should be a way.
>
> Do you have KeyUsageCertSign set?
>
> Cheers
>
> AGL

Adam Langley

Nov 1, 2012, 3:19:31 PM
to Sonia Keys, golan...@googlegroups.com
On Thu, Nov 1, 2012 at 3:12 PM, Sonia Keys <soni...@gmail.com> wrote:
> That was it! Thank you. It took both KeyUsageCertSign and IsCA.

Both are required by RFC 5280.


Cheers

AGL
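
The outcome of the thread, as an added example (not code from the thread or from generate_cert.go): a self-signed template carrying BasicConstraintsValid, IsCA and KeyUsageCertSign, checked with the same x509 verification that crypto/tls runs against Config.RootCAs, and then against an empty pool to reproduce the "unknown authority" error. The helper names, the Ed25519 key and the subject are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCA (hypothetical helper) returns a parsed self-signed cert for 127.0.0.1.
func newSelfSignedCA() (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"Constructed Example"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	t.BasicConstraintsValid, t.IsCA = true, true // basicConstraints CA=true
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verify checks c for host 127.0.0.1 against roots, with no InsecureSkipVerify involved.
func verify(c *x509.Certificate, roots *x509.CertPool) error {
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: "127.0.0.1"})
	return err
}

func main() {
	c, err := newSelfSignedCA()
	if err != nil {
		panic(err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(c)
	fmt.Println("in RootCAs:", verify(c, pool), "| empty pool:", verify(c, x509.NewCertPool()))
}
```

In an HTTPS client the same pool goes into `tls.Config{RootCAs: pool}` on the `http.Transport`, in place of `InsecureSkipVerify`.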