第一步：生成CA、服务端、客户端证书

1. 生成CA根证书

• 生成CA证书私钥

openssl genrsa -out ca.key 4096

• 创建ca.conf 文件

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = JiangSu
localityName                = Locality Name (eg, city)
localityName_default        = NanJing
organizationName            = Organization Name (eg, company)
organizationName_default    = Sheld
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = localhost

• 生成根证书签发申请文件(csr文件)

openssl req \-new \-sha256 \-out ca.csr \-key ca.key \-config ca.conf

• 生成自签发根证书(crt文件)

openssl x509 \-req \-days 3650 \-in ca.csr \-signkey ca.key \-out ca.pem

2. 生成服务端证书

• 生成服务端私钥

openssl genrsa -out server.key 2048

• 创建 server.conf 文件

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = JiangSu
localityName                = Locality Name (eg, city)
localityName_default        = NanJing
organizationName            = Organization Name (eg, company)
organizationName_default    = Sheld
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = localhost    # 此处尤为重要，需要用该服务名字填写到客户端的代码中[ req_ext ]
subjectAltName = @alt_names[alt_names]
DNS.1   = localhost
IP.1      = 127.0.0.1

• 生成服务端签发申请文件(csr文件)

openssl req \-new \-sha256 \-out server.csr \-key server.key \-config server.conf

• 使用CA证书签署服务器证书

openssl x509 \-req \-days 3650 \-CA ca.pem \-CAkey ca.key \-CAcreateserial \-in server.csr \-out server.pem \-extensions req_ext \-extfile server.conf

3. 生成客户端证书

• 生成客户端私钥

openssl genrsa -out client.key 2048

• 创建 client.conf 文件

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = JiangSu
localityName                = Locality Name (eg, city)
localityName_default        = NanJing
organizationName            = Organization Name (eg, company)
organizationName_default    = Sheld
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = localhost

• 生成客户端端签发申请文件(csr文件)

openssl req \-new \-sha256 \-out client.csr \-key client.key \-config client.conf

• 使用CA证书签署客户端器证书

openssl x509 \-req \-days 3650 \-CA ca.pem \-CAkey ca.key \-CAcreateserial \-in client.csr \-out client.pem

第二步：golang 服务端、客户端代码编写

1. 项目目录结构

2. 服务端代码：server.go

package mainimport ("crypto/tls""crypto/x509""fmt""net/http""os"
)type MyHandler struct {
}func (h *MyHandler) ServeHTTP(w http.ResponseWriter,r *http.Request) {fmt.Fprint(w, "Hello, HTTPS!")
}func main() {pool := x509.NewCertPool() // 创建证书池caCertPath := "./cert/ca.pem"caCrt, err := os.ReadFile(caCertPath) // 读取本地CA证书文件if err != nil {fmt.Println("ReadFile err:", err)return}pool.AppendCertsFromPEM(caCrt) // 将证书添加到证书池中s := &http.Server{ // 创建 HTTP服务器实例，并设置服务器的监听地址（本例中是127.0.0.1:8088）、处理器（即上面定义的myhandler结构体）、以及TLS配置。Addr:    "127.0.0.1:8088",Handler: &MyHandler{},TLSConfig: &tls.Config{ClientCAs:  pool,                           // 指定客户端需要验证的CA证书池（即上面创建的pool）ClientAuth: tls.RequireAndVerifyClientCert, // 要求客户端在发送请求时必须携带证书},}err = s.ListenAndServeTLS("./cert/server.pem", "./cert/server.key")if err != nil {fmt.Println("ListenAndServeTLS err:", err)}
}

3. 客户端代码：client.go

package mainimport ("crypto/tls""crypto/x509""fmt""io""net/http""os"
)func main() {pool := x509.NewCertPool()    // 创建 x509.CertPool，用于存储CA证书caCertPath := "./cert/ca.pem" // 从文件中读取CA证书的内容caCrt, err := os.ReadFile(caCertPath)if err != nil {fmt.Println("ReadFile err:", err)return}pool.AppendCertsFromPEM(caCrt)                                               // 将CA证书添加到CertPool中cliCrt, err := tls.LoadX509KeyPair("./cert/client.pem", "./cert/client.key") //加载客户端证书和私钥if err != nil {fmt.Println("Loadx509keypair err:", err)return}tr := &http.Transport{ // 创建一个http.Transport，并配置TLS相关信息TLSClientConfig: &tls.Config{RootCAs:      pool,                      // 设置根证书池Certificates: []tls.Certificate{cliCrt}, // 设置客户端证书和私钥},}client := &http.Client{Transport: tr}             // 创建一个http.Client，并设置Transport为上面创建的Transport对象resp, err := client.Get("https://127.0.0.1:8088") // 使用创建的Client发送GET请求if err != nil {fmt.Println("Http Get error:", err)return}defer resp.Body.Close()body, err := io.ReadAll(resp.Body) // 读取并打印响应体的内容fmt.Println(string(body))
}

第三步：验证

1. 运行服务端

go run ./server/server.go

2. 运行客户端

运行客户端

go run ./client/client.go