Documentation

Overview
Package certs provides TLS configuration building from explicit certificate file paths. It has no environment or deployment assumptions — callers supply all paths directly.
Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Config
type Config struct {
	CACert  string // path to CA certificate file
	TLSCert string // path to TLS certificate file
	TLSKey  string // path to TLS private key file
}
Config holds explicit file paths for the CA cert, TLS cert, and TLS key. The same cert/key pair is used for both client and server roles in mTLS.
func (Config) ServerTLSConfig
ServerTLSConfig builds a server-side tls.Config from the explicit file paths in c. Certificates is set so the server can present its certificate during the TLS handshake. ClientAuth and ClientCAs are set to require and verify the client certificate.
func (Config) TLSConfig
TLSConfig builds a client-side tls.Config from the explicit file paths in c. RootCAs is set to verify the server certificate. GetClientCertificate is used instead of Certificates to ensure the client always presents its certificate during the TLS handshake. With the Certificates field, Go's TLS stack only selects a certificate if its issuer matches the acceptable CA list sent by the server in its CertificateRequest message. When no match is found, Go silently sends an empty certificate list, causing the server to reject the connection with "certificate required". GetClientCertificate bypasses this matching and unconditionally returns the certificate, leaving verification to the server.
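The following is an added, self-contained Go example, not the certs package's own code: it reimplements the documented Config, ServerTLSConfig and TLSConfig behaviour (same cert/key pair for both roles, RequireAndVerifyClientCert on the server, GetClientCertificate on the client), generates a throwaway CA and leaf certificate into a temporary directory so that the explicit file paths exist, and then runs one mTLS handshake in-process over net.Pipe to confirm that the server sees and verifies the client certificate. The hypothetical helpers GenerateTestPKI and MutualHandshake, the "test-ca" and "service" names, and the temporary file names are assumptions made for this example. Because TLS 1.3 session tickets and close_notify arrive after the client's Handshake returns, the client drains the connection with io.ReadAll; over a synchronous pipe the server would otherwise block.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io"
	"math/big"
	"net"
	"os"
	"path/filepath"
	"time"
)

// Config mirrors the documented struct; the methods are an illustrative
// reimplementation of the documented behaviour, not the package's own code.
type Config struct{ CACert, TLSCert, TLSKey string }

// load reads the cert/key pair and the CA bundle that both roles share.
func (c Config) load() (cert tls.Certificate, pool *x509.CertPool, err error) {
	if cert, err = tls.LoadX509KeyPair(c.TLSCert, c.TLSKey); err != nil {
		return
	}
	caPEM, err := os.ReadFile(c.CACert)
	if err != nil {
		return
	}
	pool = x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) { // an empty pool would silently reject every peer
		err = fmt.Errorf("no CA certificate in %s", c.CACert)
	}
	return
}

// ServerTLSConfig presents the cert and requires a client cert chaining to the CA.
func (c Config) ServerTLSConfig() (*tls.Config, error) {
	cert, pool, err := c.load()
	if err != nil {
		return nil, err
	}
	return &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}, nil
}

// TLSConfig verifies the server against the CA and offers the client cert unconditionally;
// with the Certificates field, Go only picks a cert whose issuer is in the server's CA list.
func (c Config) TLSConfig() (*tls.Config, error) {
	cert, pool, err := c.load()
	if err != nil {
		return nil, err
	}
	getCert := func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &cert, nil }
	return &tls.Config{RootCAs: pool, GetClientCertificate: getCert}, nil
}

// GenerateTestPKI writes a throwaway CA and one leaf cert/key (valid for both roles)
// into dir and panics on failure: constructed fixture data for this example only.
func GenerateTestPKI(dir string) Config {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caKey.Public(), caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "service"},
		DNSNames: []string{"service"}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, caCert, leafPub, caKey)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey)
	cfg := Config{filepath.Join(dir, "ca.pem"), filepath.Join(dir, "tls.crt"), filepath.Join(dir, "tls.key")}
	for path, block := range map[string]*pem.Block{
		cfg.CACert:  {Type: "CERTIFICATE", Bytes: caDER},
		cfg.TLSCert: {Type: "CERTIFICATE", Bytes: leafDER},
		cfg.TLSKey:  {Type: "PRIVATE KEY", Bytes: keyDER},
	} {
		if err := os.WriteFile(path, pem.EncodeToMemory(block), 0o600); err != nil {
			panic(err)
		}
	}
	return cfg
}

// MutualHandshake runs one in-process mTLS handshake over net.Pipe and returns
// the client certificate CN that the server verified.
func MutualHandshake(cfg Config) (string, error) {
	srvCfg, err := cfg.ServerTLSConfig()
	if err != nil {
		return "", err
	}
	cliCfg, err := cfg.TLSConfig()
	if err != nil {
		return "", err
	}
	cliCfg.ServerName = "service" // tls.Dial sets this from the address; a pipe has none
	srvEnd, cliEnd := net.Pipe()
	server, client := tls.Server(srvEnd, srvCfg), tls.Client(cliEnd, cliCfg)
	defer client.Close()
	cn, errc := "", make(chan error, 1)
	go func() {
		defer server.Close() // close_notify ends the client's ReadAll below
		err := server.Handshake()
		if err == nil {
			cn = server.ConnectionState().PeerCertificates[0].Subject.CommonName
		}
		errc <- err
	}()
	if err := client.Handshake(); err != nil {
		return "", err
	}
	// Session tickets and close_notify arrive after the client handshake returns;
	// over a synchronous pipe someone must read them or the server blocks.
	if _, err := io.ReadAll(client); err != nil {
		return "", err
	}
	err = <-errc
	return cn, err
}

func main() {
	dir, err := os.MkdirTemp("", "certs-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	fmt.Println(MutualHandshake(GenerateTestPKI(dir))) // service <nil>
}
```

Two details worth checking in real deployments: the CA file must actually contain a certificate (AppendCertsFromPEM returning false is treated as an error above, since an empty pool rejects every peer without saying why), and the client needs ServerName or tls.Dial's address-derived default for RootCAs verification to succeed.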