Where is Golang picking up root CAs from?

It searches through the following locations: https://golang.org/src/crypto/x509/root_linux.go

excerpt

// Copyright 2015 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package x509

// Possible certificate files; stop after finding one.
var certFiles = []string{
    "/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
    "/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
    "/etc/ssl/ca-bundle.pem",                            // OpenSUSE
    "/etc/pki/tls/cacert.pem",                           // OpenELEC
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
    "/etc/ssl/cert.pem",                                 // Alpine Linux
}

In the more recent versions of Golang, in addition to the above already mentioned certificate paths, Golang will also search for a common set of directories for any cert PEMs:

/etc/ssl/certs                 // SLES10/SLES11
/etc/pki/tls/certs             // Fedora/RHEL
/system/etc/security/cacerts   // Android

The paths for Linux OS are defined here: https://golang.org/src/crypto/x509/root_linux.go. The actual lookup and adding of certs happens here: https://golang.org/src/crypto/x509/root_unix.go.


These are the locations; stop after finding one:

"/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
"/etc/ssl/ca-bundle.pem",                            // OpenSUSE
"/etc/pki/tls/cacert.pem",                           // OpenELEC
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
"/etc/ssl/cert.pem",                                 // Alpine Linux

You can also set environment variable "SSL_CERT_FILE" to let Golang use your custom certificate file.

Tags:

Go

Recent Posts