1The test credentials (CONFIRMEDTESTKEY) have been generated with the following 2commands: 3 4Bad credentials (badclient.* / badserver.*): 5============================================ 6 7These are self-signed certificates: 8 9$ openssl req -x509 -newkey rsa:2048 -keyout badserver.key -out badserver.pem \ 10 -days 3650 -nodes 11 12When prompted for certificate information, everything is default except the 13common name which is set to badserver.test.google.com. 14 15 16Valid test credentials: 17======================= 18 19The ca is self-signed: 20---------------------- 21 22$ openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \ 23 -config ca-openssl.cnf -days 3650 -extensions v3_req 24When prompted for certificate information, everything is default. 25 26client is issued by CA: 27----------------------- 28 29$ openssl genrsa -out client.key.rsa 2048 30$ openssl pkcs8 -topk8 -in client.key.rsa -out client.key -nocrypt 31$ openssl req -new -key client.key -out client.csr 32 33When prompted for certificate information, everything is default except the 34common name which is set to testclient. 35 36$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in client.csr \ 37 -out client.pem -days 3650 38 39server0 is issued by CA: 40------------------------ 41 42$ openssl genrsa -out server0.key.rsa 2048 43$ openssl pkcs8 -topk8 -in server0.key.rsa -out server0.key -nocrypt 44$ openssl req -new -key server0.key -out server0.csr 45 46When prompted for certificate information, everything is default except the 47common name which is set to *.test.google.com.au. 48 49$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in server0.csr \ 50 -out server0.pem -days 3650 51 52server1 is issued by CA with a special config for subject alternative names: 53---------------------------------------------------------------------------- 54 55$ openssl genrsa -out server1.key.rsa 2048 56$ openssl pkcs8 -topk8 -in server1.key.rsa -out server1.key -nocrypt 57$ openssl req -new -key server1.key -out server1.csr -config server1-openssl.cnf 58 59When prompted for certificate information, everything is default except the 60common name which is set to *.test.google.com. 61 62$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in server1.csr \ 63 -out server1.pem -extensions req_ext -extfile server1-openssl.cnf -days 3650 64 65multi-domain is a self-signed certificate having multiple subject alternative names: 66---------------------------------------------------------------------------- 67 68$ openssl genrsa -out multi-domain.key.rsa 2048 69$ openssl pkcs8 -topk8 -in multi-domain.key.rsa -out multi-domain.key -nocrypt 70$ openssl req -new -key multi-domain.key -out multi-domain.csr -config 71multi-domain-openssl.cnf 72$ openssl req -x509 -new -extensions v3_req -key multi-domain.key -out 73multi-domain.pem -days 3650 -config multi-domain-openssl.cnf 74 75Clean up: 76--------- 77$ rm *.rsa 78$ rm *.csr 79$ rm ca.srl 80 81Sync up with other repositories 82=============================== 83 84Copies of these keys (except for multi-domain) exist in multiple locations across all the grpc repos 85(e.g., see the following partial list). You need to be careful when updating 86the keys. 87 88grpc-dart/interop/ 89grpc-dotnet/testassets/Certs/InteropTests/ 90grpc-go/testdata/ 91grpc-java/testing/src/main/resources/certs/ 92grpc-node/test/data/ 93src/csharp/Grpc.IntegrationTesting/data/ 94src/objective-c/tests/TestCertificates.bundle/ 95src/php/tests/data/ 96src/python/grpcio_tests/tests/interop/credentials/ 97src/python/grpcio_tests/tests/unit/credentials/ 98src/ruby/spec/testdata/ 99test/core/end2end/data/ 100