How can I create a chain of trust in golang?

So for a long while I have been trying to create a chain of trust in golang.
I used this code to create the certificate https://golang.org/src/crypto/tls/generate_cert.go
But if I set the isCA to false the certificate file in the browser will be empty and my browser will display an error saying: SEC_ERROR_UNKNOWN_ISSUER. How can I specify where it should check the certificate?
I looked at a lot of examples but still don’t really understand how it should work. I tried using my own generated server CA and pasted a random intermediate CA under it but it doesn’t know where to check. I know it will deny the certificate, but I’m just trying to understand how the chain works in golang. I don’t know how to use a chain certificate in golang: should I use the issuer in template or subject, or aren’t those important, etc.? Does anyone have an example or could point me in the right direction? Thanks.

This is what I am trying to achieve (doesn’t matter if the rootCA is self-signed, it’s just for testing purposes):
[screenshot: Knipsel]

Hello Dennis,

Certificates, to actually work and be secure, are signed with each other in a chain. Thus, the root applies its private key on a child certificate to sign it.

The roots are usually distributed with your operating system and managed by Certificate Authorities.

You have two ways:

  1. Create a self-signed certificate. This is a certificate that is signed by itself. As it is the first and second link of the chain (so to speak), it must be set as an “isCA” (that is, it is a root certificate). Browsers will still complain that the certificate is self-signed and thus invalid.
  2. Generate a non-root (isCA=false) certificate. Afterwards you have to send your certificate to a Certificate Authority that will sign it and send it back with a signature. Usually this last step requires you to pay something.
    Luckily, it can also be free and automated using something like “acme” from Let’s Encrypt.

What do you want to achieve? What do you need the certificate for?

Notice that you cannot generate Let’s Encrypt certificates for “internal” domains. Only public sites can be authorized.
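Added example, not code from either post above: the question asks how the chain actually works in Go, so this program builds the exact structure in the screenshot with `crypto/x509` (a self-signed root CA, an intermediate CA signed by the root, and a server certificate signed by the intermediate) and then verifies the leaf the way a browser does. The hostname `example.internal`, the subject names and the helper names (`BuildChain`, `VerifyLeaf`, `signCert`) are all made up for this example. The key point it shows is that `Subject`/`Issuer` are not set by hand: `x509.CreateCertificate` copies the parent's subject into the child's issuer and signs with the parent's key, and at verification time only the root goes into the trust store while the intermediate must be supplied alongside the leaf (a server normally sends it in its TLS chain). Leaving the intermediate out reproduces the browser's "unknown issuer" failure as Go's `x509.UnknownAuthorityError`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signCert issues a certificate for template, signed by parent using parentKey.
// Passing the same certificate as template and parent yields a self-signed cert.
// CreateCertificate fills the child's Issuer from parent.Subject and the
// AuthorityKeyId from parent.SubjectKeyId, which is how the links are formed.
func signCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Chain holds a root -> intermediate -> leaf chain (hypothetical type for this example).
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
	LeafKey                  *ecdsa.PrivateKey
}

// BuildChain creates a self-signed root CA, an intermediate CA signed by the root,
// and a server (leaf) certificate for dnsName signed by the intermediate.
func BuildChain(dnsName string) (*Chain, error) {
	now := time.Now()
	newKey := func() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

	rootKey, err := newKey()
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Test Root CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true, // this is the "isCA" the question refers to
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root, err := signCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, err
	}

	interKey, err := newKey()
	if err != nil {
		return nil, err
	}
	interTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Test Intermediate CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            0, // may issue leaves only, not further CAs
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	inter, err := signCert(interTmpl, root, &interKey.PublicKey, rootKey) // signed by root
	if err != nil {
		return nil, err
	}

	leafKey, err := newKey()
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // browsers match the SAN, not the CN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := signCert(leafTmpl, inter, &leafKey.PublicKey, interKey) // signed by intermediate
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf, LeafKey: leafKey}, nil
}

// VerifyLeaf performs the same path building a browser does: only the root is
// trusted (opts.Roots); the intermediate is merely available for chain building
// (opts.Intermediates). With withIntermediate=false the chain cannot be completed
// and Verify returns x509.UnknownAuthorityError, Go's SEC_ERROR_UNKNOWN_ISSUER.
func VerifyLeaf(c *Chain, dnsName string, withIntermediate bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	opts := x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withIntermediate {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AddCert(c.Intermediate)
	}
	_, err := c.Leaf.Verify(opts)
	return err
}

func main() {
	c, err := BuildChain("example.internal") // constructed hostname
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf issuer:", c.Leaf.Issuer.CommonName, "| intermediate issuer:", c.Intermediate.Issuer.CommonName)
	fmt.Println("with intermediate:   ", VerifyLeaf(c, "example.internal", true))
	fmt.Println("without intermediate:", VerifyLeaf(c, "example.internal", false))
}
```

To make a browser accept this chain you would import only the root into its trust store and have the server present leaf plus intermediate (in `tls.Certificate.Certificate` as two DER blobs, leaf first); the "empty certificate file" in the question is what you get when the leaf is served alone and the browser has no way to reach a trusted root.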
