When a client sends an HTTPS request to a TLS server, the client verifies the server's certificate during the handshake. To do so, the client side must have a root CA certificate. On most operating systems, such as Linux, macOS or Windows, the system automatically installs a set of root CAs, so depending on the HTTP client you use, for example a browser or curl, you may not need to provide a root CA manually. The Go HTTP client loads the system root CAs by default, so you don't need to provide anything for it.
```go
// /go/src/crypto/x509/root.go
var (
	once           sync.Once
	systemRoots    *CertPool
	systemRootsErr error
)

// systemRootsPool loads the system roots exactly once, on first use.
func systemRootsPool() *CertPool {
	once.Do(initSystemRoots)
	return systemRoots
}

func initSystemRoots() {
	systemRoots, systemRootsErr = loadSystemRoots()
	if systemRootsErr != nil {
		systemRoots = nil
	}
}
```
In crypto/x509/root.go, systemRoots is initialized by the loadSystemRoots() function, which has a platform-specific implementation.
```go
// go/src/crypto/x509/root_unix.go
func loadSystemRoots() (*CertPool, error) {
	roots := NewCertPool()
	files := certFiles
	if f := os.Getenv(certFileEnv); f != "" {
		files = []string{f}
	}
	//... omitted
}
```
loadSystemRoots() starts from the preloaded list of system root CA files and then consults the environment: if the certFileEnv variable (SSL_CERT_FILE) is set, that single file replaces the list. certFiles is the preloaded list of root CA bundle paths defined in crypto/x509/root_linux.go.
```go
// go/src/crypto/x509/root_linux.go
package x509

// Possible certificate files; stop after finding one.
var certFiles = []string{
	"/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
	"/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
	"/etc/ssl/ca-bundle.pem",                            // OpenSUSE
	"/etc/pki/tls/cacert.pem",                           // OpenELEC
	"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
}
```
An example of an HTTPS request with the default client, which relies on the system root CAs loaded above:
```go
package main

import (
	"fmt"
	"io/ioutil"
	"net/http"
)

func main() {
	client := http.Client{} // no TLS config: the system root CAs are used
	resp, err := client.Get("https://yiznix.com")
	if err != nil {
		fmt.Println(err) // includes certificate verification failures
		return           // resp is nil here, so it must not be used
	}
	defer resp.Body.Close()
	data, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		fmt.Printf("ERR: %v", err)
		return
	}
	fmt.Println(string(data))
}
```