Authenticate the Client with Mutual TLS Authentication

Distributed Services with Go — by Travis Jeffery (41 / 84)

The Pragmatic Programmers

In the previous section, we used TLS to encrypt our connections and authenticate the server. Now we’ll go one step further and implement mutual TLS authentication (also known as two-way authentication) so the server will use our CA to verify that the client is authentic.

The first thing we need is a cert for our client, which we can generate with cfssl and cfssljson just like our CA and server’s certificates. Put the following JSON in a file called client-csr.json in your test directory:

SecureYourServices/test/client-csr.json

    {
      "CN": "client",
      "hosts": [""],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CA",
          "L": "ON",
          "ST": "Toronto",
          "O": "My Company",
          "OU": "Distributed Services"
        }
      ]
    }

The CN field is the important one because it holds the client’s identity — their username, in a sense. This is the identity we’ll store their permissions under for authorization. (We’ll do this in the next section.)
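The two-way handshake this section sets up, as an added example in Go that is not the book’s code: it builds a throwaway CA, server cert and client cert in memory (standing in for the files cfssl writes), wires them into the tls.Config each side needs, and runs the handshake over loopback so you can see what the server ends up with: the verified client’s CN when the cert chains to our CA, and a handshake error when the client presents no cert. The names newCert, configs and handshake, the "localhost" server name and the 24-hour lifetime are this example’s own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// keyPair is a certificate and its private key (the book writes these to files with cfssl).
type keyPair struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }

// newCert issues a cert for cn signed by parent, or a self-signed CA cert when
// parent is nil. Subject names, lifetime and serial numbers are constructed values.
func newCert(cn string, parent *keyPair) (*keyPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"My Company"}}, // CN is the identity
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     []string{"localhost"},
	}
	if parent == nil { // no issuer: this is our CA, so it signs itself
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = &keyPair{cert: tmpl, key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &keyPair{cert: cert, key: key}, nil
}

// configs builds both sides. ClientCAs plus ClientAuth on the server is what turns
// one-way TLS into mutual TLS; the client presents a cert only when cli is non-nil.
func configs(ca, srv, cli *keyPair) (server, client *tls.Config) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	server = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.cert.Raw}, PrivateKey: srv.key}},
		ClientCAs:    pool,
		ClientAuth:   tls.RequireAndVerifyClientCert,
	}
	client = &tls.Config{RootCAs: pool, ServerName: "localhost"}
	if cli != nil {
		client.Certificates = []tls.Certificate{{Certificate: [][]byte{cli.cert.Raw}, PrivateKey: cli.key}}
	}
	return server, client
}

// handshake runs one TLS handshake over loopback and returns the client CN the
// server verified, or the error the server raised while checking the client.
func handshake(srvCfg, cliCfg *tls.Config) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // client side; only the server's verdict is reported
		if c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
			c.Close()
		}
	}()
	raw, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer raw.Close()
	srv := tls.Server(raw, srvCfg)
	if err := srv.Handshake(); err != nil {
		return "", err
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() { // newCert errors ignored for brevity
	ca, _ := newCert("My Company CA", nil)
	srv, _ := newCert("server", ca)
	cli, _ := newCert("client", ca)
	fmt.Println(handshake(configs(ca, srv, cli))) // client <nil>
	fmt.Println(handshake(configs(ca, srv, nil))) // "" and a "didn't provide a certificate" error
}
```

With tls.RequireAndVerifyClientCert the server refuses the connection during the handshake, before any request is read, so a client without a cert signed by our CA never reaches your handlers. The CN the server reads from ConnectionState().PeerCertificates[0] is the identity the next section keys permissions on.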

Next, update the gencert target in your Makefile to include the following snippet. Place…
