Hitless TLS Certificate Rotation in Go | by Sanad Haj | Jun, 2022

On this tutorial, we’ll be discussing the way to deal with certificates rotation in Golang with none downtime.

Photograph by Joanna Kosinska on Unsplash

Certificates rotation means the alternative of current certificates with new ones.

There’s an outdated TLS maxim that states that:

If a certificates received issued, it must be rotated.

Nicely, It’s wanted when:

  • Any certificates expires.
  • A brand new CA authority is substituted for the outdated; thus requiring a alternative root certificates for all providers.
  • New or modified constraints should be imposed on a number of certificates.
  • A safety breach has occurred, such that current certificates chains can now not be trusted.

Rotating TLS certificates manually might shortly get out of hand — notably when it’s a must to handle lots of of certificates — and turns into utterly unmanageable in the event you problem certificates that expire inside hours, as an alternative of months.

tlsreconciler is right here to assist with that, by reloading rotated certificates together with root CA and offering TLS reconciliation to connections in real-time and with out restarting the appliance.

We’re going to begin by creating our venture.

mkdir medium && cd medium && go mod init medium && contact primary.go

This may create a brand new listing known as “medium” and initialize the venture with go.mod.

We additionally want to put in tlsreconciler.

go get github.com/shaj13/tlsreconciler

Earlier than we write any certificates rotation code we have to write some obligatory code that describes our tutorial program.

bundle primary

import (


func HelloMedium(w http.ResponseWriter, req *http.Request)
w.Header().Set("Content material-Kind", "textual content/plain")
w.Write([]byte("Hiya Medium.n"))

func primary()

config := new(tls.Config)
server := http.Server
Addr: ":443",
Handler: http.HandlerFunc(HelloMedium),
TLSConfig: config,

err := server.ListenAndServeTLS("", "")
if err != nil

Operating this system will return the next error.

open : no such file or listing

Mainly, this error returned from http.ListenAndServeTLS as a result of we have now initialized server with empty tls.Config, So it is fallback to certs paths arguments that aren’t outlined, will repair that later.

We have to make our program to catch SIGHUB so we are able to reload the rotated certs.

This may be completed, like so:

sigc := make(chan os.Sign, 1)
defer shut(sigc)

sign.Notify(sigc, syscall.SIGHUP)

Now, we have to configure tlsreconciler, like so.

sig := tlsreconciler.WithSIGHUPReload(sigc)
certs := tlsreconciler.WithCertificatesPaths("./cert", "./key", "")
cb := tlsreconciler.WithOnReload(func(c *tls.Config)
log.Println("TLS certificates rotated !!")

The above create tlsreconciler configuration to reload certificates when an SIGHUB obtained and name our callback operate to print a reasonably log entry beside to reload certs from the given paths.

Its time to attach the dots, we have to change the next line:

config := new(tls.Config)

With returned tls.Config from tlsreconciler:

config := tlsreconciler.TLSConfig(sig, certs, cb)

Your file now ought to appear to be this.

First let’s generate a certificates and personal key:

openssl genrsa -out ./key 2048
openssl req -new -x509 -sha256 -key ./key -out ./cert -days 3650

Now let’s run our program:

go construct primary.go

From a distinct shell let’s ship an HTTPS request:

curl -k

In this system logs, you’ll find out the next log entry “TLS certificates rotated !!”.

This occurred as a result of tlsreconciler has reloaded certificates for the primary time, operating extra curls will now not print the above log entry.

Now let’s examine the rotation, for that we are going to use openssl to indicate certificates

openssl s_client -showcerts -connect 2>&1|openssl x509 -noout -serial

The above command will print the certificates serial quantity.

Let’s rotate certificates by producing new ones utilizing openssl and sending SIGHUP to our program

rm -rf ./key ./cert 
openssl genrsa -out ./key 2048
openssl req -new -x509 -sha256 -key ./key -out ./cert -days 3650
kill -SIGHUP <PID>

Now let’s confirm the serial quantity is completely different from the earlier one

openssl s_client -showcerts -connect 2>&1|openssl x509 -noout -serial

More Posts