crypto/tls.Config.RootCAs 说明
// RootCAs defines the set of root certificate authorities
// that clients use when verifying server certificates.
// If RootCAs is nil, TLS uses the host's root CA set.
在Linux中,“主机的根CA集”从哪里获取?我需要知道这一点,以便能够全局添加另一个根CA来建立信任。
它会在以下位置进行搜索:https://golang.org/src/crypto/x509/root_linux.go
摘录
// Copyright 2015 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package x509
// Possible certificate files; stop after finding one.
var certFiles = []string{
"/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL 6
"/etc/ssl/ca-bundle.pem", // OpenSUSE
"/etc/pki/tls/cacert.pem", // OpenELEC
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
"/etc/ssl/cert.pem", // Alpine Linux
}
certDirectories目录中的文件中读取。具体来说,此列表包括/etc/ssl/certs和/etc/pki/tls/certs。
certFiles和certDirectories均可通过环境变量(分别为SSL_CERT_FILE和SSL_CERT_DIR)进行覆盖。 - matz您还可以设置环境变量 "SSL_CERT_FILE" 以让 Golang 使用您自定义的证书文件。
/etc/ssl/certs // SLES10/SLES11
/etc/pki/tls/certs // Fedora/RHEL
/system/etc/security/cacerts // Android
Linux操作系统的路径在这里定义:https://golang.org/src/crypto/x509/root_linux.go。实际的证书查找和添加发生在这里:https://golang.org/src/crypto/x509/root_unix.go。
以下是位置信息,找到一个后停止:
"/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL 6
"/etc/ssl/ca-bundle.pem", // OpenSUSE
"/etc/pki/tls/cacert.pem", // OpenELEC
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
"/etc/ssl/cert.pem", // Alpine Linux
x509包中:root_cgo_darwin.go。 - joshlf