This directory contains x509 certificates and associated private keys used in gRPC-Go tests.
$ export OPENSSL_CONF=${PWD}/openssl.cnf
$ openssl req -x509 \
-newkey rsa:4096 \
-nodes \
-days 3650 \
-keyout ca_key.pem \
-out ca_cert.pem \
-subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-ca/ \
-config ./openssl.cnf \
-extensions test_ca
To view the CA cert:
$ openssl x509 -text -noout -in ca_cert.pem
2.a Generate a private key for the server:
$ openssl genrsa -out server_key.pem 4096
2.b Generate a private key for the client:
$ openssl genrsa -out client_key.pem 4096
3.a Generate a CSR for the server:
$ openssl req -new \ -key server_key.pem \ -days 3650 \ -out server_csr.pem \ -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-server/ \ -config ./openssl.cnf \ -reqexts test_server
To view the CSR:
$ openssl req -text -noout -in server_csr.pem
3.b Generate a CSR for the client:
$ openssl req -new \ -key client_key.pem \ -days 3650 \ -out client_csr.pem \ -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client/ \ -config ./openssl.cnf \ -reqexts test_client
To view the CSR:
$ openssl req -text -noout -in client_csr.pem
4.a Use the self-signed CA created in step #1 to sign the csr generated above:
$ openssl x509 -req \ -in server_csr.pem \ -CAkey ca_key.pem \ -CA ca_cert.pem \ -days 3650 \ -set_serial 1000 \ -out server_cert.pem \ -extfile ./openssl.cnf \ -extensions test_server
4.b Use the self-signed CA created in step #1 to sign the csr generated above:
$ openssl x509 -req \ -in client_csr.pem \ -CAkey ca_key.pem \ -CA ca_cert.pem \ -days 3650 \ -set_serial 1000 \ -out client_cert.pem \ -extfile ./openssl.cnf \ -extensions test_client
5.a Verify the server_cert.pem is trusted by ca_cert.pem:
$ openssl verify -verbose -CAfile ca_cert.pem server_cert.pem
5.b Verify the client_cert.pem is trusted by ca_cert.pem:
$ openssl verify -verbose -CAfile ca_cert.pem client_cert.pem