I am trying to make a client/server pair using crypto/tls, and if using
tls.RequireAndVerifyClientCert in my tls.Config, the server requires the
client cert to have extended key usage for client authentication set. But,
tls.LoadX509KeyPair and x509.ParseCertificate both fail for certificates
generated by openssl with option '-addtrust clientAuth'. I have not tried
to construct an x509 with crypto/x509 to see if that makes a different
format from openssl. The parsing error seems to be coming from
encoding/asn1's Unmarshal, but that's as far as I have tracked it down...
When I try to Unmarshal the pem.Block manually, I get errors even for the
ones that succeed with tls.LoadX509KeyPair and x509.ParseCertificate.
See https://github.com/mbanack/x509loader for certs, sample loading code
(loadcert.go), and the openssl commands which generated the certs (using
It is entirely possible I am just doing something silly, but I could use
another set of eyes.