lclcrtmngr

Category: CA certification
Development tool: GO
File size: 0KB
Downloads: 0
Upload date: 2023-12-10 12:50:31
Uploader: sh-1993
Description: Local certificate manager server

File list:
cmd/
example/
internal/certmanager/
pkg/certwatcher/
LICENSE
Makefile
build.sh
go.mod

# Local Certificate Manager

This is a simple tool to manage local certificates for development purposes. The main server app is **lclcrtmngr** inside the bin folder. To build it, run `make` inside the root folder.

## Usage

For certmanager usage, run `lclcrtmngr -h` to see the help. For a web server application, create a CertificateWatcher and start it. For details see `example/main.go`.

## Example Go App

An example Go app is inside the `example` folder. It uses `lclcrtmngr` to generate a certificate and key for the server and a certificate for the client. The client certificate is used to authenticate the client to the server. You can just run `bin/examplesrv`.

## Theory of Operation

During the TLS handshake, when the first message, the ClientHello (`ClientHelloInfo` in Go), arrives at the server, the server can choose a valid certificate to send to the client. We can use this to send an ephemeral server certificate with a short lifetime. With a timer, the server can also change its certificate periodically. lclcrtmngr uses this mechanism: it generates a new certificate for the server and sends it to the server, the server presents this certificate to the client, and the client verifies it using the CA certificate.

At first run, lclcrtmngr generates a CA certificate and key pair. This is used to sign the server certificate. Add this CA certificate to your browser or OS trust store, or only to your application's TLS config. On subsequent calls and runs, lclcrtmngr reuses this CA certificate and key.

To generate a server certificate, create an ECDSA key and a CertificateRequest with that key, and send the request to lclcrtmngr. lclcrtmngr will generate a certificate and send it back. The server can use this certificate as its TLS certificate, and the client can verify it using the CA certificate.

lclcrtmngr's endpoint is `/get-cert`. For the request, use `application/x-pem-certificate-request` as the content type; the response's content type is `application/x-pem-file`.

Use SubjectAlternativeNames with the domain and IP address when creating the certificate request.
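The certificate request described above, as an added Go example (not code from the lclcrtmngr repository): it creates an ECDSA key, builds a CSR carrying DNS and IP SubjectAlternativeNames, and sends it to `/get-cert` with the stated content type. The function names, the P-256 curve, the POST method, the HTTP 200 success check and the sample SAN values are assumptions; the private key never leaves the server, only the CSR is sent.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io"
	"net"
	"net/http"
)

// newCSR makes an ECDSA key (P-256 is an assumption) and a PEM CSR with the given SANs.
func newCSR(dns []string, ips []net.IP) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// SubjectAlternativeNames: clients match the host name or IP against these.
	tmpl := &x509.CertificateRequest{DNSNames: dns, IPAddresses: ips}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// requestCert sends the CSR to /get-cert (POST and HTTP 200 on success are assumptions).
func requestCert(baseURL string, csrPEM []byte) ([]byte, error) {
	resp, err := http.Post(baseURL+"/get-cert", "application/x-pem-certificate-request", bytes.NewReader(csrPEM))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("get-cert: unexpected status %s", resp.Status)
	}
	return io.ReadAll(resp.Body) // PEM body, served as application/x-pem-file
}

func main() {
	_, csrPEM, err := newCSR([]string{"localhost"}, []net.IP{net.ParseIP("127.0.0.1")})
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s", csrPEM) // constructed sample SANs; pass csrPEM to requestCert against a running lclcrtmngr
}
```
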
