Package pkcs12 allows a user to read in a PKCS12 file and return a private key and public certificates that can be used in both TLS services. The official PKCS12 library is not the friendliest when you have more than 1 public key for the purpose of checking the certificates signing by intermediates and the root CA. This uses a vendored version of the golang.org/x/crypto/pkcs12 package, as the original cannot accurately decode a Microsoft pkcs12 due to unsupported OIDs, some of which do not have any documentation I can find. These changes are actually based on https://go-review.googlesource.com/c/crypto/+/166520 that has been pending for a review and not the current checked in code.
Usage Note: skipVerify == true makes the assumtion that the first public cert found is the site certificate. While that seems to be the defacto standard, I did not find a reference that says this is always the case.
Note: I haven't tried to push these OID changes up into the repo. I am not an expert on TLS and some of these OIDs are mysterious in nature. I ignore these attributes as they aren't necessary for Go's purpose of serving content or validating certificate signatures. Some are related to OSCP and allowed usages. I do not understand these enough to implement (I can see these have entries in x509.Certificate struct). Some of the Microsoft ones don't have any documentation I can find online.
Note2: There aren't tests here. I've only tested this with certificates I cannot store here and I will need to duplicate this with some throw away certs or bring up a CA in my test code to do the generation. This is more involved than I can deal with right now. Your mileage may vary, as I ain't Brad Fitzpatrick.
func FromFile(filePath string, password string, skipVerify bool) (crypto.PrivateKey, *x509.Certificate, tls.Certificate, error)
FromFile opens a PKCS12 file at filePath with password and returns the PrivateKey, public certificates and a ready made tls.Certificate.
PEMFilesToTLS takes in a private key and certificates in tow files generated by WritePEMFiles() and returns a TLS certificate to use in your service.
WriteFromFileToPEM writes PEM encoded key and certificate from a PCKS12 file. The certificates are concatenated together. You can use PEMFilesToTLS to read these into a TLS certificate for use. This is useful when you don't want to use the PKCS12 archive in your secret storage and would prefer PEM encoded data. The certPath will store all certificate (minues private key) in the archive, useful for certificate validation with intermediate and root CA public keys.