I found it explaining Linux: Where is Golang picking up root CAs from?

I want to understand how it's done on macOS. Thanks.

Code Korenge
  • The answer you linked to says that the certificate roots for Linux are defined in `root_linux.go`. It's not hard to guess what the filename for macOS/Darwin would be. Have you looked there? – Jörg W Mittag Jun 28 '23 at 06:08
  • In `root_linux.go` the paths and directories are available (e.g. `/etc/ssl/certs`), but none are found in `root_darwin.go`. The root cause is, I'm behind my company's proxy (Zscaler) and need to send the correct `cacert.pem`. I want to understand how Golang is including the cert first before asking for help. Thanks @JörgWMittag – Code Korenge Jun 28 '23 at 08:25

1 Answer

On macOS (and also Windows), Go does not load root certificates from the filesystem. Instead, `Certificate.Verify` calls `c.systemVerify`, which uses APIs provided by the OS to validate certificates.

Peter
  • Thanks @Peter for pointing that out, appreciated!! My take is, macOS is going to return sets of certs from its 'internal secret location' (`certs := macOS.CFArrayCreateMutable()`). Any way to override and pass custom certs? – Code Korenge Jun 29 '23 at 07:47
  • Yes. Set [tls.Config.RootCAs](https://pkg.go.dev/crypto/tls#Config.RootCAs). – Peter Jun 29 '23 at 09:06