Now we're onto the topic of TLS chain of trust. The full answer is complicated.
In your case, I think the answer is Yes. Say you have RootCA which signs SubCA which signs ServerCert. When your server serves on the internet, it can present just ServerCert to the clients, and if the clients know (SubCa, RootCA), then the server doesn't need to present them. If the clients only trust (RootCA), then the server would have to present (ServerCA, SubCA) to the clients in order to build the chain of trust. All the certificates involved in a connection must be presented, but where you stop checking the chain is up to you. Have a look here as starting points. https://ericchiang.github.io/post/go-tls/ https://security.stackexchange.com/questions/130847/how-tls-certificate-chain-is-verified On Tue, Apr 30, 2019 at 1:12 PM Vasiliy Tolstov <v.tols...@selfip.ru> wrote: > вт, 30 апр. 2019 г. в 23:01, Marcin Romaszewicz <marc...@gmail.com>: > > > > Look at the ""crypto/x509" package, specifically at CertPool. You would > load your CA public cert and intermediate cert's into a CertPool. > > > > Once you have a CertPool, you can use it in tls.Config to configure your > TLS connections. Given a valid certificate chain, Go will automatically > validate server TLS certificates. If you want client cert validation, you > have to enable it ( > https://golang.org/src/crypto/tls/common.go?s=8208:8231#L227) > > > > Is that what you were looking for? > > > > Thanks looks fine, but does i need to always have root ca to trust > intermediate certs? Or if i have custom validation in tls.Config i > don't need it? > For example i'm pass root ca fingerprint to service, does it possible > to trust all intermediates if they issued by root CA that have the > same fingerprint ? > > -- > Vasiliy Tolstov, > e-mail: v.tols...@selfip.ru > -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
