40

crypto/tls.Config.RootCAs states

// RootCAs defines the set of root certificate authorities
// that clients use when verifying server certificates.
// If RootCAs is nil, TLS uses the host's root CA set.

On Linux, where are "the host's root CA set" picked up from? I need to know this to be able to globally add another root CA to trust.

Ztyx
  • This is a system configuration thing; Go has nothing to do with it. It's the same for all programming languages, and depends on how your system is configured. – joshlf Oct 14 '16 at 20:19
  • Okay, how does it figure out how my system is configured? – Ztyx Oct 14 '16 at 20:21
  • Well, on Darwin, the relevant file is in the `x509` package: [`root_cgo_darwin.go`](https://golang.org/src/crypto/x509/root_cgo_darwin.go) – joshlf Oct 14 '16 at 20:21
  • Found the answer. Wrote an answer to my question. – Ztyx Oct 14 '16 at 20:23

4 Answers

65

It searches through the following locations: https://golang.org/src/crypto/x509/root_linux.go

Excerpt:

// Copyright 2015 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package x509

// Possible certificate files; stop after finding one.
var certFiles = []string{
    "/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
    "/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
    "/etc/ssl/ca-bundle.pem",                            // OpenSUSE
    "/etc/pki/tls/cacert.pem",                           // OpenELEC
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
    "/etc/ssl/cert.pem",                                 // Alpine Linux
}
slm
Ztyx
    Note that additional root keys are read from the files in the directories `certDirectories` defined in the same .go-file. Specifically, this list includes `/etc/ssl/certs` and `/etc/pki/tls/certs`. Both `certFiles` and `certDirectories` can be overridden with environment variables (`SSL_CERT_FILE` and `SSL_CERT_DIR`, respectively). – matz Aug 11 '21 at 08:00
10

You can also set environment variable "SSL_CERT_FILE" to let Golang use your custom certificate file.

Linden X. Quan
5

In the more recent versions of Golang, in addition to the above already mentioned certificate paths, Golang will also search for a common set of directories for any cert PEMs:

/etc/ssl/certs                 // SLES10/SLES11
/etc/pki/tls/certs             // Fedora/RHEL
/system/etc/security/cacerts   // Android

The paths for Linux OS are defined here: https://golang.org/src/crypto/x509/root_linux.go. The actual lookup and adding of certs happens here: https://golang.org/src/crypto/x509/root_unix.go.

Saad Malik
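To see which of these locations a Go binary on a given host would actually read, the following added example (not Go's own `root_unix.go` and not from this thread) models the lookup order the answers and comments describe: `SSL_CERT_FILE` replaces the file list, `SSL_CERT_DIR` replaces the directory list, the first existing bundle file wins, and the directories are scanned as well. The function names and the injected `getenv` are this example's assumptions; so are splitting `SSL_CERT_DIR` on the path-list separator and keeping every existing directory, since the exact rules in `root_unix.go` differ between Go releases.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Candidate locations as listed in this thread; the live list is in Go's
// crypto/x509/root_linux.go and changes between releases.
var certFiles = []string{
	"/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
	"/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
	"/etc/ssl/ca-bundle.pem",                            // OpenSUSE
	"/etc/pki/tls/cacert.pem",                           // OpenELEC
	"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
	"/etc/ssl/cert.pem",                                 // Alpine Linux
}

var certDirectories = []string{
	"/etc/ssl/certs",               // SLES10/SLES11
	"/etc/pki/tls/certs",           // Fedora/RHEL
	"/system/etc/security/cacerts", // Android
}

// RootLocations is where a Go binary on this host would read its roots from.
type RootLocations struct {
	File string   // first existing bundle file, "" if none
	Dirs []string // existing directories whose files would also be read
}

// ResolveRootLocations applies the search order described in the thread.
// getenv is injected so the logic can be exercised without touching the real
// environment. Splitting SSL_CERT_DIR on the list separator and keeping all
// directories are assumptions of this model, not a guarantee about any Go release.
func ResolveRootLocations(getenv func(string) string, files, dirs []string) RootLocations {
	if f := getenv("SSL_CERT_FILE"); f != "" {
		files = []string{f} // the override replaces the whole candidate list
	}
	if d := getenv("SSL_CERT_DIR"); d != "" {
		dirs = filepath.SplitList(d)
	}
	var loc RootLocations
	for _, f := range files {
		if st, err := os.Stat(f); err == nil && st.Mode().IsRegular() {
			loc.File = f
			break // stop after the first one found
		}
	}
	for _, d := range dirs {
		if st, err := os.Stat(d); err == nil && st.IsDir() {
			loc.Dirs = append(loc.Dirs, d)
		}
	}
	return loc
}

func main() {
	loc := ResolveRootLocations(os.Getenv, certFiles, certDirectories)
	fmt.Printf("bundle file: %q\n", loc.File)
	for _, d := range loc.Dirs {
		fmt.Println("directory:  ", d)
	}
}
```

Running it once with no environment and once with `SSL_CERT_FILE` pointing at a custom bundle shows why the override is a complete replacement rather than an addition: a bundle that lacks the public roots the system file had will make unrelated connections fail, so an extra root is usually appended to a copy of the distribution bundle rather than shipped on its own.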
4

These are the locations; stop after finding one:

var certFiles = []string{
    "/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
    "/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
    "/etc/ssl/ca-bundle.pem",                            // OpenSUSE
    "/etc/pki/tls/cacert.pem",                           // OpenELEC
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
    "/etc/ssl/cert.pem",                                 // Alpine Linux
}
Bill Zelenko