X.509 certificates

A Public Key Infrastructure (PKI) is a framework for a collection of public keys, along with additional information such as owner name and location, and links between them giving some sort of approval mechanism.

The principal PKI in use today is based on X.509 certificates. For example, web browsers use them to verify the identity of web sites.

An example program to generate a self-signed X.509 certificate for my web site and store it in a .cer file is

  1. /* GenX509Cert
  2.  */
  4. package main
  6. import (
  7.     "crypto/rand"
  8.     "crypto/rsa"
  9.     "crypto/x509"
  10.     "crypto/x509/pkix"
  11.     "encoding/gob"
  12.     "encoding/pem"
  13.     "fmt"
  14.     "math/big"
  15.     "os"
  16.     "time"
  17. )
  19. func main() {
  20.     random := rand.Reader
  22.     var key rsa.PrivateKey
  23.     loadKey("private.key", &key)
  25.     now := time.Now()
  26.     then := now.Add(60 * 60 * 24 * 365 * 1000 * 1000 * 1000) // one year
  27.     template := x509.Certificate{
  28.         SerialNumber: big.NewInt(1),
  29.         Subject: pkix.Name{
  30.             CommonName:   "jan.newmarch.name",
  31.             Organization: []string{"Jan Newmarch"},
  32.         },
  33.         //    NotBefore: time.Unix(now, 0).UTC(),
  34.         //    NotAfter:  time.Unix(now+60*60*24*365, 0).UTC(),
  35.         NotBefore: now,
  36.         NotAfter:  then,
  38.         SubjectKeyId: []byte{1, 2, 3, 4},
  39.         KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
  41.         BasicConstraintsValid: true,
  42.         IsCA:                  true,
  43.         DNSNames:              []string{"jan.newmarch.name", "localhost"},
  44.     }
  45.     derBytes, err := x509.CreateCertificate(random, &template,
  46.         &template, &key.PublicKey, &key)
  47.     checkError(err)
  49.     certCerFile, err := os.Create("jan.newmarch.name.cer")
  50.     checkError(err)
  51.     certCerFile.Write(derBytes)
  52.     certCerFile.Close()
  54.     certPEMFile, err := os.Create("jan.newmarch.name.pem")
  55.     checkError(err)
  56.     pem.Encode(certPEMFile, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
  57.     certPEMFile.Close()
  59.     keyPEMFile, err := os.Create("private.pem")
  60.     checkError(err)
  61.     pem.Encode(keyPEMFile, &pem.Block{Type: "RSA PRIVATE KEY",
  62.         Bytes: x509.MarshalPKCS1PrivateKey(&key)})
  63.     keyPEMFile.Close()
  64. }
  66. func loadKey(fileName string, key interface{}) {
  67.     inFile, err := os.Open(fileName)
  68.     checkError(err)
  69.     decoder := gob.NewDecoder(inFile)
  70.     err = decoder.Decode(key)
  71.     checkError(err)
  72.     inFile.Close()
  73. }
  75. func checkError(err error) {
  76.     if err != nil {
  77.         fmt.Println("Fatal error ", err.Error())
  78.         os.Exit(1)
  79.     }
  80. }

This can then be read back in by

  1. /* ReadX509Cert
  2.  */
  4. package main
  6. import (
  7.     "crypto/x509"
  8.     "fmt"
  9.     "os"
  10. )
  12. func main() {
  13.     certCerFile, err := os.Open("jan.newmarch.name.cer")
  14.     checkError(err)
  15.     derBytes := make([]byte, 1000) // bigger than the file
  16.     count, err := certCerFile.Read(derBytes)
  17.     checkError(err)
  18.     certCerFile.Close()
  20.     // trim the bytes to actual length in call
  21.     cert, err := x509.ParseCertificate(derBytes[0:count])
  22.     checkError(err)
  24.     fmt.Printf("Name %s\n", cert.Subject.CommonName)
  25.     fmt.Printf("Not before %s\n", cert.NotBefore.String())
  26.     fmt.Printf("Not after %s\n", cert.NotAfter.String())
  28. }
  30. func checkError(err error) {
  31.     if err != nil {
  32.         fmt.Println("Fatal error ", err.Error())
  33.         os.Exit(1)
  34.     }
  35. }