證書的私鑰（key）是可以加密保存的，加載時需要先用密碼解密。注意下面這個函數只處理 OpenSSL 傳統格式的加密 PEM（頭部帶 `DEK-Info` 的 `RSA PRIVATE KEY` 塊），不支持 `openssl pkcs8 -topk8` 生成的 PKCS#8 `ENCRYPTED PRIVATE KEY` 格式。
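// MyLoadX509KeyPair loads a PEM certificate (certFile) and a PEM private key
// (keyFile) into a tls.Certificate. When the key file is in OpenSSL's legacy
// encrypted PEM form (a "DEK-Info" header, as written by `openssl rsa -des` or
// `openssl rsa -aes256`), it is decrypted with password first; for an
// unencrypted key the password is not used at all.
//
// What the loader accepts:
//   - the key file must hold exactly one PEM block; trailing whitespace after
//     the block is tolerated, anything else after it is an error;
//   - legacy (RFC 1423 / DEK-Info) encryption is removed with
//     x509.DecryptPEMBlock, which understands the DES, 3DES and AES-CBC
//     variants OpenSSL emits; the decrypted DER is re-armored under the block's
//     original type and handed to tls.X509KeyPair, so "RSA PRIVATE KEY" (the
//     case the surrounding notes exercise) and, presumably, "EC PRIVATE KEY"
//     both parse;
//   - PKCS#8 "ENCRYPTED PRIVATE KEY" files (openssl pkcs8 -topk8) are NOT
//     decrypted here and will be rejected by tls.X509KeyPair.
//
// Security notes for callers:
//   - x509.IsEncryptedPEMBlock/DecryptPEMBlock are deprecated (Go 1.16)
//     because the legacy scheme is weak by design: the key is derived with a
//     single MD5 over password+IV and there is no integrity check, so a wrong
//     password is only detected by padding or key-parse failures. Treat this
//     encryption as light obfuscation; file permissions and a secrets manager
//     are what actually protect the key;
//   - password is a string and cannot be wiped; the decrypted DER and the
//     re-armored PEM are zeroed after use on a best-effort basis only (the GC
//     may already have copied them, and the returned tls.Certificate
//     necessarily keeps the parsed private key).
//
// Returns the loaded certificate, or a zero tls.Certificate and the first
// error encountered (file read, PEM decode, decrypt, or key/cert mismatch).
func MyLoadX509KeyPair(certFile, keyFile, password string) (tls.Certificate, error) {
	certPEMByte, err := ioutil.ReadFile(certFile)
	if err != nil {
		return tls.Certificate{}, err
	}
	keyPEMByte, err := ioutil.ReadFile(keyFile)
	if err != nil {
		glog.Errorf("read %s failed! err: %s", keyFile, err)
		return tls.Certificate{}, err
	}

	keyPEMBlock, rest := pem.Decode(keyPEMByte)
	// pem.Decode returns a nil block when no PEM armor is found. The previous
	// version only inspected rest and then passed the nil block on to
	// IsEncryptedPEMBlock, which dereferences it and panics. A trailing
	// newline (common after editing the file) is no longer treated as an
	// error either.
	if keyPEMBlock == nil || !pemRestIsBlank(rest) {
		glog.Errorf("Decode key failed!")
		return tls.Certificate{}, errors.Errorf("Decode key failed!")
	}

	// Unencrypted key: let tls.X509KeyPair parse it and check it against the
	// certificate, exactly as before.
	if !x509.IsEncryptedPEMBlock(keyPEMBlock) {
		return tls.X509KeyPair(certPEMByte, keyPEMByte)
	}

	// Legacy PEM encryption. Deprecated and weak (see the doc comment), but it
	// is the only format `openssl rsa -des/-aes256` produces without -topk8.
	keyDER, err := x509.DecryptPEMBlock(keyPEMBlock, []byte(password))
	if err != nil {
		glog.Errorf("decrypt failed! %s", err)
		return tls.Certificate{}, err
	}
	defer zeroBytes(keyDER)

	// Re-armor the plaintext DER under the block's own type so tls.X509KeyPair
	// can parse it and verify it matches the certificate's public key. Going
	// through X509KeyPair (rather than building tls.Certificate by hand) keeps
	// the key/cert consistency check.
	keyNewPemByte := pem.EncodeToMemory(&pem.Block{
		Type:  keyPEMBlock.Type,
		Bytes: keyDER,
	})
	defer zeroBytes(keyNewPemByte)
	return tls.X509KeyPair(certPEMByte, keyNewPemByte)
}

// pemRestIsBlank reports whether the bytes left after the first PEM block are
// empty or only ASCII whitespace, i.e. the file held a single block.
func pemRestIsBlank(rest []byte) bool {
	for _, c := range rest {
		switch c {
		case ' ', '\t', '\r', '\n':
		default:
			return false
		}
	}
	return true
}

// zeroBytes overwrites b with zeros. Best-effort secret hygiene only: Go gives
// no guarantee that other copies of the data do not exist.
func zeroBytes(b []byte) {
	for i := range b {
		b[i] = 0
	}
}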
證書key進行增加密碼或者去掉密碼的操作方式
1、檢測 ssl.key 的密碼是否正確（如果 key 是加密的，命令會先提示輸入 pass phrase；能正常打印出 Private-Key 信息就說明密碼正確，密碼錯誤則會報 bad decrypt 一類的錯誤）
openssl rsa -text -noout -in server.key 命令輸出: Private-Key: (2048 bit) modulus: 00:b0:fd:c2:81:60:3f:d2:dc:fe:2d:34:c6:46:1e: 08:72:c3:78:f3:4d:12:16:b9:39:3e:0b:d3:8b:e7: ...
2 . 給server.key 添加密碼
openssl rsa -des -in server.key -out encrypt.key，輸出: writing RSA key / Enter PEM pass phrase: 輸入密碼 / Verifying - Enter PEM pass phrase: 再次輸入密碼。encrypt.key 這個文件就是加密過的 key。注意：-des 用的是 56 位的單 DES，早已不安全，建議改用 -aes256（openssl rsa -aes256 -in server.key -out encrypt.key），上面的 Go 函數同樣能解密 DES、3DES 和 AES-CBC 的這種傳統格式。不過無論選哪種算法，這種帶 DEK-Info 的傳統 PEM 加密密鑰派生只是一次 MD5、沒有迭代次數，暴力破解成本很低，只能算輕度保護；不要用它替代文件權限和密碼管理。
3. 去掉密碼
encrypt.key 是加密的 key，nopassword.key 是去掉密碼後的 key：# openssl rsa -in encrypt.key -out nopassword.key，輸出 writing RSA key，然後提示 Enter pass phrase for encrypt.key: 輸入原密碼。去掉密碼時只需要輸入一次，不會有 Verifying 的二次確認。注意 nopassword.key 是明文私鑰，生成後要馬上限制權限（chmod 600），並且不要提交到代碼倉庫。