导出 java ca 证书，以便它可以从 go 中使用

Question

I need to integrate java service with go app, which can be configured to specify the CA certificate file to use when checking TLS. I'm not familiar with go. The Java rest endpoint is secured with self-signed certificate.

I'm trying to export it using keytool like this:

keytool -export -alias rootca -file ca.crt -keystore cacerts

The ca.crt file is checkable with keytool itself with command:

keytool -printcert -v -file ca.crt

Now when I try to use this file in go app, which is prometheus by passing tls_config with ca_cert value pointing to exported file I get an error:

err="error creating HTTP client: unable to use specified CA cert /etc/prometheus/ssl/ca.crt"

The Prometheus is using the the go's standart crypto/tls so my questions is:

• Is the way I exported Java file is correct and usable?
• How can I translate exported Java CA file to the format that Go will understand and use?

Answer 1

Per the man page for keytool , under the -exportcert command:

The certificate is by default output in binary encoding.

The encoding in question is DER which is a binary representation of the certificate data.

However, the Go standard library expects PEM encoding which is just base64 of the DER data plus some header/footer.

You have (at least) two options:

Tell keytool to export in PEM format

This is done using the -rfc flag to the -exportcerts command. Per the man page:

If the -rfc option is specified, then the output in the printable encoding format defined by the Internet RFC 1421 Certificate Encoding Standard.

RFC1421 is the one for PEM.

Convert from DER to PEM

This can be done using openssl using the following:

openssl -in exported_file.der -inform DER -out ca.crt