Use make your own *http.Client with its own *http.Transport as the RoundTripper and set net/http.Transport.Dial to use crypto/tls.Dial with a *tls.Config which includes Certificates.

We probably won't make this any easier, as it's an uncommon request and already composeable with the pieces provided.

I'm sorry if I wasn't clear enough, but I did specify that this was for the server-side. Not client. (As in, the Go HTTPS server library being able to authenticate connecting clients).

Though after some digging it looks like it can possibly be modified here where the config is specified.

Combined with some of the logic pulled from here

You may want to spend a few extra seconds reading the issue before closing it next time, hmm?

Sorry. Can't you just check the request.TLS field to see the cert presented?

Yeah, looks like I can. In this bit of code, however, it looks like the config is built with the client authentication in mind. In ListenAndServeTLS, there is this where the configuration is passed in. I could see a function like:

http.ListenAndServeTLSAuth(":8080", nil, "clientcerts.pem")

... being something that could be useful with little modification needed to add the extra step to specify:

config.ClientAuth = tls.RequireAndVerifyClientCert

Looks like this too suffices:

package main

import (
    "crypto/tls"
    "fmt"
    "net/http"
)

func main() {
    http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        fmt.Fprintf(w, "Hello cert")
    })

    server := &http.Server{
        Addr: ":8090",
        TLSConfig: &tls.Config{
            ClientAuth: tls.RequireAndVerifyClientCert,
        },
    }

    server.ListenAndServeTLS("cert.pem", "cert.key")
}