Testing with TLS

Generate Self-Signed Certs for https Testing

To test over https locally, you can use self-signed certificates. They are easy to create with the openssl tool on *nix systems.

Verify the OpenSSL Installation

Open a terminal session and verify that openssl is available:

which -a openssl
/usr/bin/openssl

If openssl is not shown in the ‘which’ command output, check your path to ensure you have access to /usr/bin or /usr/local/bin. If you have access to the ./bin directories, but still cannot find the openssl tool, it can be downloaded from https://www.openssl.org/source/ . Follow the directions on the site to correctly download and install the tool.

Generate a Private Certificate Authority (CA) Certificate Key

Open a terminal session and execute the openssl command as shown:

openssl genrsa -out "myCA.key" "2048"
Generating RSA private key, 2048 bit long modulus
...................................+++
..........................................................................................+++
e is 65537 (0x10001)

Verify that a file called “myCA.key” has been created.

Generate a Private Certificate Authority (CA) Certificate

Open a terminal session and execute the openssl command as shown:

openssl req -x509 -new -days 365 -key "myCA.key" -out "myCA.cer" -subj "/CN=MyCompanyName"

There is no output to this command, so verify that a file called “myCA.cer” has been created.

Generate a Private Server Key

Open a terminal session and execute the openssl command as shown:

openssl genrsa -out "srvcert.key" "2048"
Generating RSA private key, 2048 bit long modulus
..............................................................................................+++
.....+++
e is 65537 (0x10001)

Verify that a file called “srvcert.key” has been created.

Create a Private Server Certificate Signing Request

This generates an intermediate certificate signing request file (.csr) based on the Private Server Key created in the previous step. The creation of the CSR is an interactive process, but for self-signed testing, most of the inputs can safely be ignored. Follow the prompts as per the example shown below:

openssl req -new -key srvcert.key -out srvcert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:AB
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgets Ltd]:MyCompany
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Verify that a file called “srvcert.csr” has been created.

Create a Private Server Certificate

This is the final step in getting the required certificate and key files to support local https testing. In this step, the CA certificate and private key files will be used in conjunction with the private server key and private server signing-request to generate a private server certificate. Execute the following command in your terminal session:

openssl x509 -req -in srvcert.csr -out srvcert.cer -CAkey myCA.key -CA myCA.cer -days 365 -CAcreateserial -CAserial 123456
Signature ok
subject=/C=CA/ST=AB/O=MyCompany
Getting CA Private Key

Verify that a file called “srvcert.cer” has been created.

Ensure myCA.cer is Trusted Locally

Ensure that myCA.cer is fully-trusted in your local certificate store. The process to do this will differ per operating system, so look online for instructions regarding ‘trusting a self-signed CA certificate’. You may also need to adjust the settings in test tools like Postman in order for them to accept self-signed certs.

Add Certificates to the Configuration File

To publish the generated services over https, add the “srvcert.cer” and “srvcert.key” files to the ‘cert_file’ and ‘key_file’ keys respectively in the appropriate configuration file. Additionally, the myCA.key file must be placed in the same directory as the “srvcert.*” files in order for Go’s https (TLS) server to operate correctly.
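
The generation steps above as one non-interactive script, followed by checks worth running before the files go into ‘cert_file’ and ‘key_file’: the server certificate chains to myCA.cer, srvcert.key belongs to srvcert.cer, and the certificate matches the test hostname. This is an added example, not part of the original procedure. The hostname "localhost", the CN set in the CSR, the san.ext extension file, the temporary directory and the function names are assumptions, and the serial file is left to -CAcreateserial alone.

```shell
#!/bin/sh
# Added example, not from the original page. "localhost" is an assumed test hostname.

# Run the page's five openssl steps non-interactively inside directory $1.
make_test_certs() {
    host="${2:-localhost}"
    (
        cd "$1" || exit 1
        umask 077    # private keys readable by the owner only
        openssl genrsa -out myCA.key 2048 2>/dev/null &&
        openssl req -x509 -new -days 365 -key myCA.key -out myCA.cer \
            -subj "/CN=MyCompanyName" &&
        openssl genrsa -out srvcert.key 2048 2>/dev/null &&
        openssl req -new -key srvcert.key -out srvcert.csr \
            -subj "/C=CA/ST=AB/O=MyCompany/CN=$host" &&
        # Assumption: add a subjectAltName, which current TLS clients check
        # instead of the Common Name.
        printf 'subjectAltName=DNS:%s\n' "$host" > san.ext &&
        openssl x509 -req -in srvcert.csr -out srvcert.cer -CAkey myCA.key \
            -CA myCA.cer -days 365 -CAcreateserial -extfile san.ext 2>/dev/null
    )
}

# Succeeds if srvcert.cer chains to myCA.cer.
verify_chain() {
    openssl verify -CAfile "$1/myCA.cer" "$1/srvcert.cer" >/dev/null 2>&1
}

# Succeeds if srvcert.key is the private key for srvcert.cer.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1/srvcert.key" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$1/srvcert.cer" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeeds if the certificate is valid for hostname $2.
cert_covers_host() {
    openssl x509 -in "$1/srvcert.cer" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match'
}

workdir=$(mktemp -d)
make_test_certs "$workdir" localhost || echo "generation failed"
verify_chain "$workdir" && echo "chain: ok"
key_matches_cert "$workdir" && echo "key/cert pair: ok"
cert_covers_host "$workdir" localhost && echo "hostname localhost: ok"
rm -rf "$workdir"
```

A failed key/cert pair check usually means the key and certificate files were mixed up between runs; a failed hostname check means the certificate was issued for a different name than the one the test client connects to.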