I wrote a small test program that creates
Get "https://localhost:2000": x509: certificate signed by unknown authority (possibly because of "x509: Ed25519 verification failure" while trying to verify candidate authority certificate "test-ca")
I understand that there are dozens of examples of this. I thought I was following them pretty close, and yet here I am. I am showing here only the most relevant structures but the full text of the program can be found here:
...
templateCA := &x509.Certificate{
Subject: pkix.Name{
CommonName: "test-ca",
Organization: []string{"test ca"},
Country: []string{"USA"},
Province: []string{"NY"},
Locality: []string{"New York City"},
},
SerialNumber: serialNumber,
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(0, 0, 1),
BasicConstraintsValid: true,
IsCA: true,
SubjectKeyId: caSubjectKeyID[:],
DNSNames: []string{"test-ca"},
KeyUsage: x509.KeyUsageCertSign
}
...
certBytes, _ := x509.CreateCertificate(rand.Reader, templateCA, templateCA, privKey.Public(), privKey)
...
templateServer := &x509.Certificate{
Subject: pkix.Name{
CommonName: "localhost",
Organization: []string{"Server"},
Country: []string{"USA"},
Province: []string{"NY"},
Locality: []string{"New York City"},
},
SerialNumber: serialNumber,
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(0, 0, 1),
BasicConstraintsValid: true,
SubjectKeyId: servSubjectKeyID[:],
AuthorityKeyId: caSubjectKeyID[:],
DNSNames: []string{"localhost"},
IPAddresses: []net.IP{{127, 0, 0, 1}},
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
}
...
certBytes, _ = x509.CreateCertificate(rand.Reader, templateServer, caCert, privKey.Public(), privKey)
...
var (
tlsMinVersion = uint16(tls.VersionTLS12)
tlsMaxVersion = uint16(tls.VersionTLS13)
cipherSuites = []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}
curvePreferences = []tls.CurveID{
tls.X25519,
tls.CurveP256,
tls.CurveP384,
tls.CurveP521,
}
)
...
tlsServerConfig := &tls.Config{
Certificates: []tls.Certificate{*tlsSrvCert},
MinVersion: tlsMinVersion,
MaxVersion: tlsMaxVersion,
CurvePreferences: curvePreferences,
CipherSuites: cipherSuites,
PreferServerCipherSuites: true,
}
...
tlsClientConfig := &tls.Config{
ServerName: "localhost",
RootCAs: x509.NewCertPool(),
MinVersion: tlsMinVersion,
MaxVersion: tlsMaxVersion,
CurvePreferences: curvePreferences,
CipherSuites: cipherSuites,
PreferServerCipherSuites: true,
}
tlsClientConfig.RootCAs.AddCert(caCert)
What am I missing or doing wrong?
You can use private key to decrypt data and to encrypt hashed data to create a digital signature.
You can use public key to encrypt data and decrypt a digital signature to verify it.
what you need to do here, is to use one key pair (public/private key) to generate CA certificate and use that certificate + same key pair to generate one or multiple certificates for you server(s).
In case you want to use a browser / curl as your client, you need to add CA certificate in the root keystores.