Golang CA certificates and HTTPS requests

When a client sends an HTTPS request to a TLS server, the client verifies the server's certificate during the handshake. To do so, the client side must have a root CA certificate. However, on many operating systems such as Linux, macOS or Windows, the system usually loads a set of root CAs automatically after installation. So depending on the HTTP client you use, for example a browser or curl, you may not need to provide a root CA manually. The Golang HTTP client loads the system root CAs by default, so you don't need to provide anything for it.

// /go/src/crypto/x509/root.go

var (
    once           sync.Once
    systemRoots    *CertPool
    systemRootsErr error
)

func systemRootsPool() *CertPool {
    once.Do(initSystemRoots) // load the system roots exactly once, on first use
    return systemRoots
}

func initSystemRoots() {
    systemRoots, systemRootsErr = loadSystemRoots()
    if systemRootsErr != nil {
        systemRoots = nil
    }
}

In crypto/x509/root.go, systemRoots is initialized by the loadSystemRoots() function.

// go/src/crypto/x509/root_unix.go

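func loadSystemRoots() (*CertPool, error) {
    roots := NewCertPool()

    // Default to the built-in list of bundle paths; a file named by the
    // environment variable replaces that list when it is set.
    files := certFiles
    if f := os.Getenv(certFileEnv); f != "" {
        files = []string{f}
    }

    // ... omitted
}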


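loadSystemRoots() starts with the system root CA files and then checks an environment variable: if certFileEnv is set, the file it names is used instead. certFiles is the built-in list of candidate root CA bundle files, defined in crypto/x509/root_linux.go.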

// go/src/crypto/x509/root_linux.go

package x509

// Possible certificate files; stop after finding one.
var certFiles = []string{
    "/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
    "/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
    "/etc/ssl/ca-bundle.pem",                            // OpenSUSE
    "/etc/pki/tls/cacert.pem",                           // OpenELEC
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
}

An example of an HTTPS request:

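// imports needed: "fmt", "io/ioutil", "net/http"
func main() {
    client := http.Client{} // default client: verifies the server against the system root CAs
    resp, err := client.Get("https://yiznix.com")
    if err != nil {
        fmt.Printf("ERR: %v", err)
        return
    }
    defer resp.Body.Close()
    data, err := ioutil.ReadAll(resp.Body)
    if err != nil {
        fmt.Printf("ERR: %v", err)
        return
    }
    fmt.Printf("%s", data)
}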
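The following is an added example, not part of the original post or of the Go source. It shows what relying on the system roots means in practice: a local httptest TLS server, whose certificate is not in the system store, is rejected when only the default roots are used and accepted once its certificate is added to a copy of the system pool. The helper names fetch and demo are made up for this illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// fetch (hypothetical helper) performs a GET using the given root pool.
// A nil pool makes crypto/tls fall back to the system roots, which is
// what the default http.Client does.
func fetch(url string, roots *x509.CertPool) (int, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// demo (hypothetical helper) starts a local TLS server with a test
// certificate, then requests it twice: with the system roots only, and
// with the system roots plus the server's own certificate.
func demo() (errSystem error, status int, errExtended error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()

	_, errSystem = fetch(srv.URL, nil) // system roots only

	roots, err := x509.SystemCertPool() // a copy of the system pool
	if err != nil || roots == nil {
		roots = x509.NewCertPool() // no system store available: start empty
	}
	roots.AddCert(srv.Certificate()) // extend trust; verification stays enabled
	status, errExtended = fetch(srv.URL, roots)
	return
}

func main() {
	errSystem, status, errExtended := demo()
	fmt.Println("system roots only:", errSystem)
	fmt.Println("system roots + test certificate:", status, errExtended)
}
```

Extending the pool this way keeps certificate verification on, which is the safer alternative to setting InsecureSkipVerify when a server uses a private CA.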



