Generate a CA certificate in Go


josvazg

May 24, 2012, 10:10:19 AM
to golan...@googlegroups.com
I wanted to generate a CA self-signed certificate by following the generate_cert.go source code sample in the Go standard library (under crypto/tls).

This is the code:

The generate and the private key are created self-signed (at least the parent and the template are the same) and the IsCA property is set to TRUE, but when I read it back IsCA is false!

Why?


gnirheg...@googlemail.com

May 24, 2012, 12:49:55 PM
to golan...@googlegroups.com

> The generate and the private key are created self-signed (at least the parent and the template are the same) and the IsCA property is set to TRUE, but when I read it back IsCA is false!
>
> Why?

IsCA is a BasicConstraint, so you have to set BasicConstraintsValid to true in the template.

josvazg

May 25, 2012, 4:05:06 AM
to golan...@googlegroups.com
Thanks!

Yes, I didn't pay attention to the doc's comment on Certificate.BasicConstraintsValid. 
Now it works.

But I have another question. This also enables the meaning of MaxPathLen.
I can't find anything about its meaning, I guess it says how many certificates and subcertificates this CA allows to be trusted. For instance 0 means that the CA is useless? (as a CA) does 1 mean it can sign one level?

Thanks in advance,

Jose

Michael Gehring

May 26, 2012, 6:21:00 AM
to josvazg, golan...@googlegroups.com
On Fri, May 25, 2012 at 01:05:06AM -0700, josvazg wrote:
> But I have another question. This also enables the meaning of MaxPathLen.
> I can't find anything about its meaning,

It limits how many levels of sub-CAs are allowed below this certificate.
If you don't want to create sub-CAs you can leave it at 0.

For the details, see http://tools.ietf.org/html/rfc5280#section-4.2.1.9
(pathLenConstraint).
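
Added example, not part of the thread or of generate_cert.go: it round-trips a self-signed template through x509.CreateCertificate and x509.ParseCertificate to show how the BasicConstraintsValid and MaxPathLen fields discussed in the two answers above end up in the encoded certificate with current crypto/x509. The MaxPathLenZero field was added to the package after this thread; the helper name `selfSignedCA`, the subject name and the serial number are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCA (hypothetical helper) signs a template that always sets IsCA
// with its own key, then parses the DER back to show what was really encoded.
func selfSignedCA(basicConstraintsValid, maxPathLenZero bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),                            // constructed
		Subject:      pkix.Name{CommonName: "Example Test CA"}, // constructed
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		IsCA:         true,
		// Without this flag no basicConstraints extension is written,
		// so IsCA never reaches the encoded certificate.
		BasicConstraintsValid: basicConstraintsValid,
		// MaxPathLen stays 0; it is encoded as pathLenConstraint=0 only
		// when MaxPathLenZero is set, otherwise the field is omitted.
		MaxPathLenZero: maxPathLenZero,
	}
	// Template and parent are the same certificate: self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, c := range [][2]bool{{false, false}, {true, false}, {true, true}} {
		cert, err := selfSignedCA(c[0], c[1])
		if err != nil {
			panic(err)
		}
		fmt.Printf("valid=%v zero=%v -> IsCA=%v MaxPathLen=%d\n", c[0], c[1], cert.IsCA, cert.MaxPathLen)
	}
}
```

On the parsed certificate, a MaxPathLen of -1 means the pathLenConstraint field was absent, which RFC 5280 treats as no limit on the number of sub-CA levels.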

josvazg

May 28, 2012, 6:57:45 AM
to golan...@googlegroups.com, josvazg
Thanks,

Now I am having problems with NON-ASCII characters within strings in pkix.Name, even on StreetAddress (like "C/ Araña nº 23"). 

The error is:
Failed to create Certificate: ASN.1 structure error: PrintableString contains invalid character

Am I not allowed to use Unicode in the Certificate Name?

Jose

josvazg

May 29, 2012, 10:58:39 AM
to golan...@googlegroups.com, josvazg
Apart from the NON-ASCII problem on pkix.Name I now face a quite strange problem.

I tested my CA and server certificate on Firefox, installing the CA as a Certification Authority of trust. And it works perfectly with no warnings.
Whereas it does NOT work on Chrome and it does not give me an error that I can trace back to the problem. The behaviour is the same as if the CA was not installed at all as a trusted Cert. Auth.

Any test I can do to debug this?

Jose