Name                      Date         Size     #Lines  LOC
BUILD                     12-May-2024  890      32      29
README                    12-May-2024  4.4 KiB  134     97
badclient.key             12-May-2024  1.7 KiB  29      28
badclient.pem             12-May-2024  1.3 KiB  23      22
badserver.key             12-May-2024  1.7 KiB  29      28
badserver.pem             12-May-2024  1.3 KiB  23      22
ca-openssl.cnf            12-May-2024  541      18      15
ca.key                    12-May-2024  1.7 KiB  29      28
ca.pem                    12-May-2024  1.2 KiB  21      20
client.key                12-May-2024  1.7 KiB  29      28
client.pem                12-May-2024  1.1 KiB  21      20
client1.key               12-May-2024  1.7 KiB  29      28
client1.pem               12-May-2024  1.1 KiB  21      20
client2.key               12-May-2024  1.7 KiB  29      28
client2.pem               12-May-2024  1.1 KiB  21      20
multi-domain-openssl.cnf  12-May-2024  879      31      27
multi-domain.key          12-May-2024  1.7 KiB  29      28
multi-domain.pem          12-May-2024  1.4 KiB  25      24
server0.key               12-May-2024  1.7 KiB  29      28
server0.pem               12-May-2024  1.2 KiB  21      20
server1-openssl.cnf       12-May-2024  790      27      23
server1.key               12-May-2024  1.7 KiB  29      28
server1.pem               12-May-2024  1.3 KiB  23      22

README

The test credentials (CONFIRMEDTESTKEY) have been generated with the following
commands:

Bad credentials (badclient.* / badserver.*):
============================================

These are self-signed certificates:

$ openssl req -x509 -newkey rsa:2048 -keyout badserver.key -out badserver.pem \
  -days 3650 -nodes

When prompted for certificate information, everything is default except the
common name which is set to badserver.test.google.com.


Valid test credentials:
=======================

The ca is self-signed:
----------------------

$ openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -config ca-openssl.cnf -days 3650 -extensions v3_req

When prompted for certificate information, everything is default.

client is issued by CA:
-----------------------

$ openssl genrsa -out client.key.rsa 2048
$ openssl pkcs8 -topk8 -in client.key.rsa -out client.key -nocrypt
$ openssl req -new -key client.key -out client.csr

When prompted for certificate information, everything is default except the
common name which is set to testclient.

$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in client.csr \
  -out client.pem -days 3650

client1 is issued by CA:
------------------------

$ openssl genrsa -out client1.key.rsa 2048
$ openssl pkcs8 -topk8 -in client1.key.rsa -out client1.key -nocrypt
$ openssl req -new -key client1.key -out client1.csr

When prompted for certificate information, everything is default except the
common name which is set to testclient1.

$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in client1.csr \
  -out client1.pem -days 3650

client2 is issued by CA:
------------------------

$ openssl genrsa -out client2.key.rsa 2048
$ openssl pkcs8 -topk8 -in client2.key.rsa -out client2.key -nocrypt
$ openssl req -new -key client2.key -out client2.csr

When prompted for certificate information, everything is default except the
common name which is set to testclient2.

$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in client2.csr \
  -out client2.pem -days 3650

server0 is issued by CA:
------------------------

$ openssl genrsa -out server0.key.rsa 2048
$ openssl pkcs8 -topk8 -in server0.key.rsa -out server0.key -nocrypt
$ openssl req -new -key server0.key -out server0.csr

When prompted for certificate information, everything is default except the
common name which is set to *.test.google.com.au.

$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in server0.csr \
  -out server0.pem -days 3650

server1 is issued by CA with a special config for subject alternative names:
----------------------------------------------------------------------------

$ openssl genrsa -out server1.key.rsa 2048
$ openssl pkcs8 -topk8 -in server1.key.rsa -out server1.key -nocrypt
$ openssl req -new -key server1.key -out server1.csr -config server1-openssl.cnf

When prompted for certificate information, everything is default except the
common name which is set to *.test.google.com.

$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in server1.csr \
  -out server1.pem -extensions req_ext -extfile server1-openssl.cnf -days 3650

multi-domain is a self-signed certificate having multiple subject alternative
names:
----------------------------------------------------------------------------

$ openssl genrsa -out multi-domain.key.rsa 2048
$ openssl pkcs8 -topk8 -in multi-domain.key.rsa -out multi-domain.key -nocrypt
$ openssl req -new -key multi-domain.key -out multi-domain.csr \
  -config multi-domain-openssl.cnf
$ openssl req -x509 -new -extensions v3_req -key multi-domain.key \
  -out multi-domain.pem -days 3650 -config multi-domain-openssl.cnf

Clean up:
---------

$ rm *.rsa
$ rm *.csr
$ rm ca.srl

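Added example (not part of the gRPC README or its tooling): the script below
rebuilds three of the cases above in a scratch directory, namely a CA-issued
certificate signed with and without the -extensions/-extfile arguments and a
self-signed one, then checks which of them chain to the CA and which carry a
DNS subject alternative name. The -subj values, the 30-day lifetime, the
san.cnf contents, the file names bad.pem and nosan.pem, and the helper function
names are assumptions made for the example.

```shell
# Added example: scratch copies of the README's credential types.
# All names and SAN values below are constructed, not gRPC's.
make_test_pki() {  # $1 = empty scratch directory
  ( cd "$1" || exit 1
    exec 2>/dev/null                      # hide openssl's progress output
    # Self-signed CA (the README also passes -config ca-openssl.cnf).
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
      -subj "/CN=testca" -days 30
    # Self-signed "bad" credential, generated like badserver.pem.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout bad.key -out bad.pem \
      -subj "/CN=badserver.test.example" -days 30
    # Constructed stand-in for server1-openssl.cnf.
    cat > san.cnf <<'EOF'
[req]
distinguished_name = dn
req_extensions = req_ext
prompt = no
[dn]
CN = *.test.example
[req_ext]
subjectAltName = DNS:*.test.example, DNS:alt.test.example
EOF
    openssl genrsa -out server1.key.rsa 2048
    openssl pkcs8 -topk8 -in server1.key.rsa -out server1.key -nocrypt
    openssl req -new -key server1.key -out server1.csr -config san.cnf
    # Signed the way server0 is: extensions requested in the CSR are not copied.
    openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial \
      -in server1.csr -out nosan.pem -days 30
    # Signed the way server1 is: -extensions/-extfile put the SANs in the cert.
    openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial \
      -in server1.csr -out server1.pem -days 30 \
      -extensions req_ext -extfile san.cnf
  )
}
# True when certificate $2 chains to the trust anchor(s) in $1.
chains_to() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; }
# True when certificate $1 carries a DNS subject alternative name.
has_dns_san() { openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'DNS:'; }

d=$(mktemp -d) && make_test_pki "$d"
for c in server1 nosan bad; do
  chains_to "$d/ca.pem" "$d/$c.pem" && chain=yes || chain=no
  has_dns_san "$d/$c.pem" && san=yes || san=no
  echo "$c.pem: chains to ca.pem=$chain, DNS SAN=$san"
done
rm -rf "$d"
```
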
Sync up with other repositories
===============================

Copies of these keys exist in multiple locations across all the grpc repos
(e.g., see the following partial list). You need to be careful when updating
the keys.

grpc-dart/interop/
grpc-dotnet/testassets/Certs/InteropTests/
grpc-go/testdata/
grpc-java/testing/src/main/resources/certs/
grpc-node/test/data/
src/csharp/Grpc.IntegrationTesting/data/
src/objective-c/tests/TestCertificates.bundle/
src/php/tests/data/
src/python/grpcio_tests/tests/interop/credentials/
src/python/grpcio_tests/tests/unit/credentials/
src/ruby/spec/testdata/
test/core/end2end/data/

The following keys/certs are not distributed through multiple grpc repos yet,
since they are only used in grpc core tests:

multi-domain.*
client1.*
client2.*