README
¶
selfsignedcertgen
Generate self signed certificates for use in a Golang web server.
You can generate a new TLS private key and sign it with a self-signed certificate authority with a simple one-liner:
openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/C=US/ST=OR/L=Portland/O=test/OU=example/CN=www.example.com"
Unfortunately this requires openssl to be installed and some pre-launch execution for a containerized application.
This library will generate the equivalent key and certificate files in Go at runtime to allow a TLS server to start. It is implemented using RSA keys for simplicity and current compatibility requirements.
Note on security
If possible, you should never use self-signed certificates. These days it is pretty easy to use Let's Encrypt and there are a number of Go libraries that will autoprovision an TLS certificate using the Let's Encrypt api. If possible you should use one of those and not self-signed certificates. Self-signed certificates often create a number of security problems that leave you open to a lower level of security than using plain old HTTP. Avoid them if possible. Remember that you need chrome://flags/#allow-insecure-localhost enabled to hit insecure HTTPS on localhost now.
Temporary Files
This code uses the TempFile mechansism to store key files. If /tmp does not exist in your environment, ensure TMPDIR is set in the environment to a directory that does exist.
Example
package main
import (
"fmt"
"log"
"net/http"
"time"
"github.com/joshrivers/selfsignedcertgen"
)
func hello(w http.ResponseWriter, req *http.Request) {
fmt.Fprintf(w, "hello\n")
}
func main() {
fmt.Print("Listening for [https://localhost:8443/hello](https://localhost:8443/hello)\n")
http.HandleFunc("/hello", hello)
signer := selfsignedcertgen.NewSelfSigner()
signer.Hosts = []string{"www.example.net", "replica.example.net"}
signer.Country = "US"
signer.Locality = "Los Angeles"
signer.Organization = "Tyrell Corporation"
signer.OrganizationUnit = "Nexus Design"
signer.RsaKeyBits = 4096
signer.ValidFor = 10 * 365 * 24 * time.Hour
keyLocations := signer.GenerateKeyAndCertificate()
err := http.ListenAndServeTLS("localhost:8443", keyLocations.CertPath, keyLocations.KeyPath, nil)
if err != nil {
log.Fatalf("Failed to start server with error: %v", err)
}
}
Documentation
¶
Index ¶
Examples ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type KeyLocations ¶
type KeyLocations struct {
KeyPath string // path to the generated pem-encoded RSA key
CertPath string // path to the self-signed x509 certificate
}
Return value of the GenerateKeyAndCertificate function containing the path to the generated key and certificate files.
type SelfSigner ¶
type SelfSigner struct {
Country string
Hosts []string // first host will be used as CN, all hosts will be added as SAN
Locality string
Organization string
OrganizationUnit string
RsaKeyBits int // default: 2048
ValidFor time.Duration // duraation after ValidFrom the certificate will be valid
ValidFrom time.Time // earliest date for certificate validity
}
Struct containing parameters for key and certificate generation
func NewSelfSigner ¶
func NewSelfSigner() *SelfSigner
Create a new SelfSigner struct with dummy values
Example ¶
package main
import (
"net/http"
"github.com/joshrivers/selfsignedcertgen"
)
func main() {
keyLocations := selfsignedcertgen.NewSelfSigner().GenerateKeyAndCertificate()
http.ListenAndServeTLS(":443", keyLocations.CertPath, keyLocations.KeyPath, nil)
}
Output:
func (SelfSigner) GenerateKeyAndCertificate ¶
func (ss SelfSigner) GenerateKeyAndCertificate() KeyLocations
Generates a key and certificate from SelfSigner spec and stores them in temporary files. Returns a struct containing the path to the generated temporary files.
Source Files
Directories