Authenticate the Server with TLS

Distributed Services with Go — by Travis Jeffery (40 / 84)

The Pragmatic Programmers

You’ve now seen how TLS works and why to use it, so we’re ready to build TLS support into our service to encrypt data in-flight and authenticate the server. I’ll also cover how to make obtaining and working with certificates easier to manage.

Operate as Your Own CA with CFSSL

Before changing our server’s code, let’s get some certs. We could use a third-party certificate authority (CA) to get the certs, but that could cost money (depending on the CA) and is a hassle. For internal services (like ours), there’s no need to go through a third-party authority. Trusted certificates don’t have to come from Comodo or Let’s Encrypt or any other CA — they can come from a CA you operate yourself. It’s free and easy with the right tools.

CloudFlare[24] wrote a toolkit called CFSSL for signing, verifying, and bundling TLS certificates. CloudFlare uses CFSSL for their internal services’ TLS certificates, acting as their own certificate authority. CloudFlare open sourced CFSSL so others, including us, can use it. Even major CA vendors like Let’s Encrypt use CFSSL. Big thanks to CloudFlare because CFSSL is a seriously useful toolkit.

CFSSL has two tools we’ll need:

  • cfssl to sign, verify, and bundle TLS…
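The two ideas in this section, operating your own CA for internal services and having the client authenticate the server by checking its certificate against that CA, can be demonstrated end to end in Go's standard library. The following is an added example, not code from the book or from CFSSL: instead of running cfssl to write cert files to disk, it builds a root CA in memory, issues a server certificate from it, and runs a TLS handshake over loopback twice, once with the CA in the client's trust store and once with an empty trust store. The names `NewCA`, `IssueServerCert` and `Handshake`, the subject names, and the validity periods are assumptions chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CA is an in-memory root: its self-signed certificate and private key.
// (Hypothetical type for this example; cfssl would keep these in files.)
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed root certificate that may sign other certs.
func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-internal-ca"}, // constructed name
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueServerCert signs a leaf certificate, valid for server authentication,
// whose subject alternative name is the given IP address.
func (ca *CA) IssueServerCert(ip net.IP) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "log-server"}, // constructed name
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{ip},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Handshake starts a TLS listener on loopback presenting serverCert, then dials it
// with a client that trusts only roots. The client's verification error is returned.
func Handshake(serverCert tls.Certificate, roots *x509.CertPool) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		_ = conn.(*tls.Conn).Handshake() // server side; any failure surfaces at the client
	}()
	// tls.Dial verifies the server chain against RootCAs and the host part of the address.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots})
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	ca, err := NewCA()
	if err != nil {
		panic(err)
	}
	cert, err := ca.IssueServerCert(net.ParseIP("127.0.0.1"))
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.Cert)
	fmt.Println("client trusts our CA:   ", Handshake(cert, trusted))          // <nil>
	fmt.Println("client trusts nothing:  ", Handshake(cert, x509.NewCertPool())) // unknown authority
}
```

The second handshake fails because the client has no root that signed the server's certificate, which is exactly the check that lets a client tell the real server from an impostor; with cfssl the same root ends up in a `ca.pem` file that the client loads into its `RootCAs` pool instead of being built in memory.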
