Tue, 30 Apr 2019 at 23:30, Marcin Romaszewicz <marc...@gmail.com>:
>
> Now we're onto the topic of TLS chain of trust. The full answer is
> complicated.
>
> In your case, I think the answer is Yes.
>
> Say you have RootCA which signs SubCA which signs ServerCert.
>
> When your server serves on the internet, it can present just ServerCert to
> the clients, and if the clients know (SubCA, RootCA), then the server doesn't
> need to present them. If the clients only trust (RootCA), then the server
> would have to present (ServerCA, SubCA) to the clients in order to build the
> chain of trust. All the certificates involved in a connection must be
> presented, but where you stop checking the chain is up to you.
>
> Have a look here as starting points.
> https://ericchiang.github.io/post/go-tls/
> https://security.stackexchange.com/questions/130847/how-tls-certificate-chain-is-verified
>
Thank you for the help. Now I think that I have all the needed pieces, and the next step is to write simple code that acts like I need =)

--
Vasiliy Tolstov,
e-mail: v.tols...@selfip.ru
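
Added example, not part of the thread and not either poster's code: the RootCA -> SubCA -> ServerCert chain from the quoted reply, built in memory and checked with Go's crypto/x509 under three client trust configurations. The name server.example, the serial numbers and the helper names (issue, pool, demo) are assumptions made for the illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, serial int64, usage x509.KeyUsage, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: usage, IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if parent == nil { // root: the template is its own issuer
		parent, signer = t, key
	}
	der, cerr := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	cert, perr := x509.ParseCertificate(der)
	if cerr != nil || perr != nil {
		panic(fmt.Errorf("issue %s: create=%v parse=%v", cn, cerr, perr))
	}
	return cert, key
}

func pool(certs ...*x509.Certificate) *x509.CertPool { // trust store or presented set
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// demo verifies the server certificate the way a client would. Roots is what the
// client already trusts; Intermediates is what the server sent along with its leaf.
func demo() (leafOnly, withSubCA, subTrusted error) {
	root, rootKey := issue("RootCA", 1, x509.KeyUsageCertSign, nil, nil)
	sub, subKey := issue("SubCA", 2, x509.KeyUsageCertSign, root, rootKey)
	leaf, _ := issue("server.example", 3, x509.KeyUsageDigitalSignature, sub, subKey) // constructed name
	_, leafOnly = leaf.Verify(x509.VerifyOptions{Roots: pool(root)})                            // trusts RootCA, got leaf only
	_, withSubCA = leaf.Verify(x509.VerifyOptions{Roots: pool(root), Intermediates: pool(sub)}) // trusts RootCA, got leaf + SubCA
	_, subTrusted = leaf.Verify(x509.VerifyOptions{Roots: pool(root, sub)})                     // already knows SubCA, got leaf only
	return
}
func main() { fmt.Println(demo()) }
```

Only the first case returns an error (unknown authority); in a real TLS handshake the Intermediates pool is filled from the certificates the peer sends after its leaf.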