Skip to content

Instantly share code, notes, and snippets.

@michaljemala
Last active September 5, 2025 07:30
Show Gist options
  • Select an option

  • Save michaljemala/d6f4e01c4834bf47a9c4 to your computer and use it in GitHub Desktop.

Select an option

Save michaljemala/d6f4e01c4834bf47a9c4 to your computer and use it in GitHub Desktop.
SSL Client Authentication Golang sample
package main
import (
"crypto/tls"
"crypto/x509"
"flag"
"io/ioutil"
"log"
"net/http"
)
var (
certFile = flag.String("cert", "someCertFile", "A PEM eoncoded certificate file.")
keyFile = flag.String("key", "someKeyFile", "A PEM encoded private key file.")
caFile = flag.String("CA", "someCertCAFile", "A PEM eoncoded CA's certificate file.")
)
func main() {
flag.Parse()
// Load client cert
cert, err := tls.LoadX509KeyPair(*certFile, *keyFile)
if err != nil {
log.Fatal(err)
}
// Load CA cert
caCert, err := ioutil.ReadFile(*caFile)
if err != nil {
log.Fatal(err)
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
// Setup HTTPS client
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: caCertPool,
}
tlsConfig.BuildNameToCertificate()
transport := &http.Transport{TLSClientConfig: tlsConfig}
client := &http.Client{Transport: transport}
// Do GET something
resp, err := client.Get("https://goldportugal.local:8443")
if err != nil {
log.Fatal(err)
}
defer resp.Body.Close()
// Dump response
data, err := ioutil.ReadAll(resp.Body)
if err != nil {
log.Fatal(err)
}
log.Println(string(data))
}
@xeoncross

Copy link
Copy Markdown

If you name it ____.go gist will highlight the code for you.

@kentoj

kentoj commented May 21, 2015

Copy link
Copy Markdown

Why doesn't the extra comma on line 38 cause an issue?

@mholt

mholt commented May 26, 2015

Copy link
Copy Markdown

@kentoj That's correct Go syntax. Omitting the comma will cause a parse error.

ghost commented Aug 27, 2015

Copy link
Copy Markdown

What should be the file extensions for the certificate, key, and CA file?

@magiconair

Copy link
Copy Markdown

.pem ?

@SrinivasChilveri

Copy link
Copy Markdown

May I know how to generate these 3 configuration .pem files?

@gernest

gernest commented Jan 5, 2016

Copy link
Copy Markdown

@SrinivasChilveri To generate self sigend .pem files run this

go run $GOROOT/src/crypto/tls/generate_cert.go

It will generate key.pem and cert.pem for you.

@unknownsuperuser

Copy link
Copy Markdown

Does this require ssl renegotiation?

@adisheshsm

Copy link
Copy Markdown

how to get/generate ca.pem file for testing purpose

@mark-kubacki

mark-kubacki commented Feb 14, 2016

Copy link
Copy Markdown

@unknownsuperuser No, renegotiation is not required for this, nor is it implemented in Golang.

@adisheshsm Technically you don't need a CA.pem for client TLS authentication. You can get an exemplary full tree using my script, which you can download here: https://gist.github.com/mark-kubacki/c758ce1c2b8222afd69d (top right, »download ZIP«).

Just remember: Don't use golang for authentication using DH/RSA. (Writing this at a time when 1.6 is the most recent version.)

@brandong954

Copy link
Copy Markdown

Amazing! Thank you!

@VimleshS

VimleshS commented Aug 30, 2016

Copy link
Copy Markdown

good read, Thanks

@denofiend

Copy link
Copy Markdown

nqs erro: certificate signed by unknown authority

@jeyaramashok

Copy link
Copy Markdown

Thank you!

@antman1p

Copy link
Copy Markdown

Can someone tell me what these 3 vars are made of exactly exactly?
certFile = flag.String("cert", "someCertFile", "A PEM eoncoded certificate file.")
keyFile = flag.String("key", "someKeyFile", "A PEM encoded private key file.")
caFile = flag.String("CA", "someCertCAFile", "A PEM eoncoded CA's certificate file.")

I don't understand if these are supposed to be paths to pem files or what.

@AlexGoja

AlexGoja commented Mar 27, 2017

Copy link
Copy Markdown

@antman1p most likely the path to the .pem files to be used as command line arguments. Something like <command> -cert=<path> -key=<path> -CA=<path>

@duckie

duckie commented Mar 2, 2018

Copy link
Copy Markdown

Very nice snippet thank you !

@davenmth

davenmth commented Apr 5, 2018

Copy link
Copy Markdown

It simply works as expected, thank you!

@lummie

lummie commented Dec 13, 2019

Copy link
Copy Markdown

perfect, just what I need. Many Thanks.

@willyhsiung

Copy link
Copy Markdown

If I don't have access to the file system, how can I pass three pem files in text format and use in this program? (Instead of loading certificates from a file, I have three strings in pem format)

@michaljemala

Copy link
Copy Markdown
Author

@willyhsiung Use https://golang.org/pkg/crypto/tls/#X509KeyPair instead of tls.LoadX509KeyPair.

@kongpingfan

Copy link
Copy Markdown

Very useful! Help me save a lot time!

@dgsb

dgsb commented Aug 19, 2020

Copy link
Copy Markdown

Why doesn't the extra comma on line 38 cause an issue?

This is the way the go parser works, you must add an ending comma or put the closing brace at the end of the line

@SouravKabiraj

Copy link
Copy Markdown

Hi All,
I am quite new to golang.
I want to make a post request with .pfx certificate. Any leads will be extremely helpful.

@michaljemala

michaljemala commented Jan 10, 2021

Copy link
Copy Markdown
Author

Hi @SouravKabiraj

You should be able to use https://pkg.go.dev/golang.org/x/crypto/pkcs12, e.g. like this:

pfxData, err := ioutil.ReadFile(*pfxFile)
if err != nil {
	log.Fatal(err)
}
blocks, err := pkcs12.ToPEM(pfxData, "SOME_PASSWORD") // Change according to your setup
if err != nil {
	log.Fatal(err)
}
var pemData []byte
for _, b := range blocks {
	pemData = append(pemData, pem.EncodeToMemory(b)...)
}
cert, err := tls.X509KeyPair(pemData, pemData)

// then just use the `cert` as per the snippet

Alternatively, convert pfx to pem using openssl pkcs12.

@nguyenvulong

Copy link
Copy Markdown

Why do we have to use the client cert in the gist? Does it allow the server to verify the client? Will the client private key information will be sent to the server too? Thanks in advance.

	// Load client cert
	cert, err := tls.LoadX509KeyPair(*certFile, *keyFile)
	if err != nil {
		log.Fatal(err)
	}

@jirihnidek

Copy link
Copy Markdown

Why do we have to use the client cert in the gist? Does it allow the server to verify the client? Will the client private key information will be sent to the server too? Thanks in advance.

	// Load client cert
	cert, err := tls.LoadX509KeyPair(*certFile, *keyFile)
	if err != nil {
		log.Fatal(err)
	}

It is not necessary in most cases. Some clients uses cert/key pair for authenication. When you don't or cannot use this feature of TLS, then you can create tlsConfig without cert

	// Setup HTTPS client
	tlsConfig := &tls.Config{
		RootCAs:      caCertPool,
	}

@jirihnidek

Copy link
Copy Markdown

BTW: it seems that BuildNameToCertificate() is deprecated now (go 1.19.3). See: https://pkg.go.dev/crypto/tls#Config.BuildNameToCertificate

It looks like that you can just skip this call to let the library select the first compatible chain from tlsConfig.Certificates.

@rkand4

rkand4 commented Mar 24, 2023

Copy link
Copy Markdown

Hi @SouravKabiraj

You should be able to use https://pkg.go.dev/golang.org/x/crypto/pkcs12, e.g. like this:

pfxData, err := ioutil.ReadFile(*pfxFile)
if err != nil {
	log.Fatal(err)
}
blocks, err := pkcs12.ToPEM(pfxData, "SOME_PASSWORD") // Change according to your setup
if err != nil {
	log.Fatal(err)
}
var pemData []byte
for _, b := range blocks {
	pemData = append(pemData, pem.EncodeToMemory(b)...)
}
cert, err := tls.X509KeyPair(pemData, pemData)

// then just use the `cert` as per the snippet

Alternatively, convert pfx to pem using openssl pkcs12.

Also worth noting that for .pfx and the password way you would need the below. Just wanted to add more.

encoding/pem
golang.org/x/crypto/pkcs12

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment