Alina Oil, 2018-03-03 21:45:54

golang app and its certificates?

How to echo a web application and create its own local certificates?
I know that it is done with crypto/x509, I just can't find working examples.
PS: Regarding golang.org/x/crypto/acme/autocert, I'll leave it for myself to study in the future, since I figured out that it generates certificates using the well-known letsencrypt.org service for issuing free certificates.


1 answer(s)
Tyranron, 2018-03-04
@alina-maslo

If everything is done according to standard Feng Shui, then there are no differences from ordinary OpenSSL tutorials:
0. If there is no ready-made CA (Certificate Authority), then we generate a new one: ecdsa.GenerateKey() + x509.CreateCertificate() (self-signed).
1. We generate a private key PK (Private Key) for our certificate: ecdsa.GenerateKey().
2. We generate a CSR (Certificate Signing Request): x509.CreateCertificateRequest(). As CN (Common Name), we indicate the address at which we will knock on the application. If there are several such addresses, then we use the SAN extension in the certificate template.
3. We take CA and issue ourselves a certificate according to the generated CSR: x509.CreateCertificate().
4. We use the certificate for TLS: http.ServeTLS().
We save the private key and certificate (both ours and the CA's) to any desired directory in the file system. At the same time, we set the permissions on private keys to 0600. If this is a one-time thing, then you can also use the temporary directory (os.TempDir()) so as not to litter.
If this is just to play around, and you are not going to build your own PKI (Public Key Infrastructure), then you need not bother with CA / CSR, but can immediately issue a self-signed certificate with the CN / SAN you need. That is, only the zero step remains.
If our application is exposed to the outside world not "naked", but behind some kind of proxy server (for example, Nginx), which, in principle, is even the recommended practice, then the certificate can be attached to our host right there, and the application can be left without TLS. In this case, Nginx will decrypt the traffic on its side and forward unencrypted traffic to the application. This is called TLS termination.
If we want encrypted traffic to continue between the proxy server and our application, then the proxy server needs to feed our CA certificate in the settings, or disable CA verification.
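The steps 0 to 3 from the answer, written out in Go's crypto/x509 as an added example (this is not code from the question or from Tyranron's answer); the function names NewCA and IssueLeaf, the CA name "Local Dev CA", the P-256 curve and the 24-hour validity are my own choices, and saving to disk plus http.ServeTLS (step 4) is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must keeps the demo short: any failure in this chain is a programming error, so panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewCA is step 0: an ECDSA key plus a self-signed CA certificate ("Local Dev CA" is a constructed name).
func NewCA() (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Local Dev CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
	// Template and parent are the same certificate, which is exactly what "self-signed" means.
	return key, must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
}

// IssueLeaf is steps 1-3: a leaf key, a CSR carrying the CN plus SANs, then a CA-signed server certificate.
func IssueLeaf(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, hosts []string) (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: hosts[0]}, DNSNames: hosts}
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, req, key))))
	// CA side: the CSR signature proves the requester holds the private key before anything is issued.
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	// Copy only what the CA is willing to certify (CN and DNS SANs); a leaf is never IsCA.
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return key, must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey))))
}
```

A proxy that is "fed our CA certificate" as the answer puts it checks the leaf with leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host}) where pool holds only that CA; the same call fails for a host that is not in the SAN list.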
