Hi Michael,

See the 9th bullet point under
https://en.wikipedia.org/wiki/Transport_Layer_Security#Client-authenticated_TLS_handshake

and

https://en.wikipedia.org/wiki/Mutual_authentication

In short, client certs are just like server certs. 
Any cert is a public key signed by a (Certificate Authority) private key.
The corresponding CA public key is used to verify the signature on the 
client cert (in TLS).

The client cert is then used to verify (during the TLS handshake) that the 
client possesses the private key corresponding to the client cert public key.

To summarize, client certs, like server certs, are built into TLS. 
They provide for mutual authentication.  

Most web sites use other forms of client (user) authentication, because of
the hassle involved in configuring a web browser to obtain and deploy 
client certs.

If you want to play with them, I wrote a convenient tool called selfy that 
can readily generate CA key pairs and certs; here:

https://github.com/glycerine/rpc25519/tree/master/cmd/selfy

with description here:
https://github.com/glycerine/rpc25519/tree/master?tab=readme-ov-file#the-selfy-tool-create-new-keys-quickly-view-certificates

Here is how you use them in code (including password protection checking):

https://github.com/glycerine/rpc25519/blob/bace3bc59bb7a31561687d32f33a36af146994ed/selfcert/step6_loadkeypair.go#L31

Best,
Jason
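
For anyone who wants to see the above end to end, here is an added example 
(my own illustration for this thread, not code from rpc25519, selfy, or the 
crypto/tls source, and not something Jason or Vinnie posted). It builds a 
throwaway in-memory PKI with ECDSA P-256 keys (a server CA plus two client CAs 
named "Client CA A" and "Client CA B"; all names, the "localhost" server name 
and the loopback ephemeral port are assumptions), runs a mutual TLS 1.3 
handshake over loopback TCP, and reproduces the behaviour quoted below: the 
subjects in the server's ClientCAs are what it advertises in 
CertificateRequest, and a client certificate whose issuer is not in that list 
is silently not sent, so the client only ever sees "remote error: tls: 
certificate required". The third case shows the hook that already exists for 
debugging this: tls.Config.GetClientCertificate receives the server's 
AcceptableCAs, so you can log them and ask CertificateRequestInfo.SupportsCertificate 
why the default path would have dropped your certificate. Go 1.18 or later is 
assumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// must panics on error: key/cert generation or loopback setup failing is fatal for a demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert makes a self-signed CA when parent is nil, otherwise a leaf for name
// signed by parent with the given extended key usage (ECDSA P-256, in memory only).
func newCert(name string, parent *tls.Certificate, eku x509.ExtKeyUsage) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		ExtKeyUsage: []x509.ExtKeyUsage{eku}, KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	signer, signKey := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		tmpl.DNSNames, signer, signKey = []string{name}, parent.Leaf, parent.PrivateKey
	} else {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

type result struct {
	ServerErr, ClientErr error    // server Handshake error; client first-Read error ("remote error" = server's alert)
	Payload              string   // application data the client received on success
	Acceptable           []string // CA names the server listed in CertificateRequest (force mode only)
	Reason               error    // why the default client logic would send no certificate (force mode only)
}

// connect runs one mutual-TLS connection over loopback TCP on a fresh PKI. The server
// trusts client CA "A" only; the client's cert is issued by "A" if trusted, else by "B".
// With force set, the client logs the CertificateRequest's CA list and sends its cert anyway.
func connect(trusted, force bool) (r result) {
	serverCA, caA := newCert("Server CA", nil, x509.ExtKeyUsageAny), newCert("Client CA A", nil, x509.ExtKeyUsageAny)
	caB, server := newCert("Client CA B", nil, x509.ExtKeyUsageAny), newCert("localhost", &serverCA, x509.ExtKeyUsageServerAuth)
	client := newCert("client", map[bool]*tls.Certificate{true: &caA, false: &caB}[trusted], x509.ExtKeyUsageClientAuth)
	clientPool, serverPool := x509.NewCertPool(), x509.NewCertPool()
	clientPool.AddCert(caA.Leaf)
	serverPool.AddCert(serverCA.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs: clientPool, MinVersion: tls.VersionTLS13} // ClientCAs' subjects are sent in CertificateRequest
	cliCfg := &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: serverPool, ServerName: "localhost"}
	if force {
		cliCfg.GetClientCertificate = func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			for _, der := range cri.AcceptableCAs { // DER distinguished names copied from the server's ClientCAs
				var dn pkix.RDNSequence
				asn1.Unmarshal(der, &dn)
				r.Acceptable = append(r.Acceptable, dn.String())
			}
			r.Reason = cri.SupportsCertificate(&client) // the check that makes the default path send nothing
			return &client, nil
		}
	}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		raw := must(ln.Accept())
		defer raw.Close()
		srv := tls.Server(raw, srvCfg)
		err := srv.Handshake()
		if err == nil {
			_, err = srv.Write([]byte("hello from server"))
		}
		io.Copy(io.Discard, raw) // let the client hang up first so a queued alert is not lost to a reset
		srvDone <- err
	}()
	cli := tls.Client(must(net.Dial("tcp", ln.Addr().String())), cliCfg)
	buf := make([]byte, 64)
	n, readErr := cli.Read(buf) // Read runs the handshake, then returns data or the server's alert
	cli.Close()
	r.Payload, r.ClientErr, r.ServerErr = string(buf[:n]), readErr, <-srvDone
	return r
}

func main() {
	for _, c := range []struct{ trusted, force bool }{{true, false}, {false, false}, {false, true}} {
		fmt.Printf("trusted CA=%v force=%v: %+v\n", c.trusted, c.force, connect(c.trusted, c.force))
	}
}
```

Run it with go run and each line prints what the two sides saw. With the 
listed CA neither side reports an error and the client gets the greeting. With 
the unlisted CA the server reports that the client provided no certificate and 
the client reports certificate required, exactly the confusing pair from the 
report below. With the certificate forced, the server's error names the real 
verification failure, and the logged acceptable list (CN=Client CA A) tells 
you which CA the server actually wanted. In the quoted HAProxy config the 
ca-file on the bind line is what fills that list.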

On Saturday, July 19, 2025 at 12:19:37 PM UTC+2 Michael Oguidan wrote:

> Hi, I would like to follow this with you, but I would like to know what a 
> client certificate is.
>
> On Thursday, July 17, 2025 at 5:06:25 AM UTC Vinnie Vertongen wrote:
>
>> The `crypto/tls` library will not configure the client certificate if the 
>> signing certificate authority is not present in the list provided by the 
>> server in `CertificateRequest`. The current implementation causes the 
>> `remote error: tls: certificate required` error, making debugging the 
>> underlying CA issue difficult.
>>
>> Additional notes:
>>
>> 1. The library code in handshake.go intentionally does not configure the 
>> certificate if there is no match 
>> 2. The error is as expected `remote error: tls: unknown certificate 
>> authority` if you downgrade the client to TLS v1.2
>> 3. The behaviour seems intentional and so I didn't want to raise a bug 
>> ticket - but I think this needs an improvement (Config option?) to assist 
>> in debugging - it's confusing without reading the library code to 
>> understand the issue
>>
>>
>> ```
>> package main
>>
>> import (
>> 	"crypto/tls"
>> 	"fmt"
>> 	"log"
>> 	"net/http"
>> )
>>
>> func main() {
>> 	// Client certificate and private key, PEM files on disk.
>> 	clientCert, err := tls.LoadX509KeyPair("certificate", "key")
>> 	if err != nil {
>> 		log.Fatalf("Failed to load client certificate: %v", err)
>> 	}
>>
>> 	// The certificate is only sent if its issuer is in the CA list the
>> 	// server puts in CertificateRequest; otherwise none is sent.
>> 	tlsConfig := &tls.Config{
>> 		Certificates: []tls.Certificate{clientCert},
>> 		ServerName:   "localhost",
>> 	}
>> 	client := &http.Client{
>> 		Transport: &http.Transport{
>> 			TLSClientConfig: tlsConfig,
>> 		},
>> 	}
>> 	resp, err := client.Get("https://localhost:8443")
>> 	if err != nil {
>> 		log.Printf("TLS Error: %v", err)
>> 		return
>> 	}
>> 	defer resp.Body.Close()
>>
>> 	fmt.Printf("%v\n", resp.Status)
>> }
>> ```
>>
>> Example HAProxy configuration:
>> ```
>> global
>>     daemon
>>
>> defaults
>>     mode http
>>     timeout connect 5000ms
>>     timeout client 50000ms
>>     timeout server 50000ms
>>
>> frontend mtls_frontend
>>     # Client certificate CA not present (remote error: tls: certificate required)
>>     bind *:8443 ssl crt /etc/ssl/certs/haproxy-server.pem verify required ca-file /etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem
>>     # Client certificate CA present (success)
>>     #bind *:8443 ssl crt /etc/ssl/certs/haproxy-server.pem verify required ca-file /etc/ssl/certs/chain.pem
>>     default_backend web_servers
>>
>> backend web_servers
>>     server web1 127.0.0.1:8080 check
>> ```
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion visit 
https://groups.google.com/d/msgid/golang-nuts/d118a533-20c3-46a5-8845-ac087f3d27ean%40googlegroups.com.