testdata/x509/README.md

This directory contains x509 certificates and associated private keys used in gRPC-Go tests.

How were these test certs/keys generated?

0. Override the openssl configuration file environment variable:

$ export OPENSSL_CONF=${PWD}/openssl.cnf

1. Generate a self-signed CA certificate along with its private key:

$ openssl req -x509                             \
    -newkey rsa:4096                            \
    -nodes                                      \
    -days 3650                                  \
    -keyout ca_key.pem                          \
    -out ca_cert.pem                            \
    -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-ca/  \
    -config ./openssl.cnf                       \
    -extensions test_ca

To view the CA cert:

$ openssl x509 -text -noout -in ca_cert.pem

2.a Generate a private key for the server:

$ openssl genrsa -out server_key.pem 4096

2.b Generate a private key for the client:

$ openssl genrsa -out client_key.pem 4096

3.a Generate a CSR for the server:

$ openssl req -new                                \
  -key server_key.pem                             \
  -days 3650                                      \
  -out server_csr.pem                             \
  -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-server/  \
  -config ./openssl.cnf                           \
  -reqexts test_server

To view the CSR:

$ openssl req -text -noout -in server_csr.pem

3.b Generate a CSR for the client:

$ openssl req -new                                \
  -key client_key.pem                             \
  -days 3650                                      \
  -out client_csr.pem                             \
  -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client/  \
  -config ./openssl.cnf                           \
  -reqexts test_client

To view the CSR:

$ openssl req -text -noout -in client_csr.pem

4.a Use the self-signed CA created in step #1 to sign the server CSR generated above:

$ openssl x509 -req       \
  -in server_csr.pem      \
  -CAkey ca_key.pem       \
  -CA ca_cert.pem         \
  -days 3650              \
  -set_serial 1000        \
  -out server_cert.pem    \
  -extfile ./openssl.cnf  \
  -extensions test_server

4.b Use the self-signed CA created in step #1 to sign the client CSR generated above:

$ openssl x509 -req       \
  -in client_csr.pem      \
  -CAkey ca_key.pem       \
  -CA ca_cert.pem         \
  -days 3650              \
  -set_serial 1000        \
  -out client_cert.pem    \
  -extfile ./openssl.cnf  \
  -extensions test_client

5.a Verify that server_cert.pem is trusted by ca_cert.pem:

$ openssl verify -verbose -CAfile ca_cert.pem  server_cert.pem

5.b Verify that client_cert.pem is trusted by ca_cert.pem:

$ openssl verify -verbose -CAfile ca_cert.pem  client_cert.pem
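
The same create-CA, sign, verify flow as steps 1 to 5, written against Go's crypto/x509 so the trust check can run in-process without files. This is an added example, not code from this README or from gRPC-Go. Assumptions: the helper names `check`, `issue` and `verify` are hypothetical, Ed25519 keys replace RSA 4096 for speed, and the server certificate is given the serverAuth extended key usage because the contents of the `test_server` section of openssl.cnf are not shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mirrors steps 1-4: a nil parent yields a self-signed CA, otherwise a leaf signed by parent.
// Assumptions: Ed25519 replaces the README's RSA 4096; eku stands in for what openssl.cnf sets.
func issue(cn string, serial int64, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(0, 0, 3650), ExtKeyUsage: eku}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// verify mirrors step 5 (openssl verify -CAfile) and additionally enforces an EKU.
func verify(leaf, ca *x509.Certificate, eku x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

func main() {
	ca, caKey := issue("test-ca", 1, nil, nil, nil)
	server, _ := issue("test-server", 1000, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	fmt.Println(verify(server, ca, x509.ExtKeyUsageServerAuth), verify(server, ca, x509.ExtKeyUsageClientAuth))
}
```

The first result is nil (the chain builds to the issuing CA); the second is an error, because a certificate issued for server authentication is rejected when the verifier asks for client authentication.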