The test credentials (CONFIRMEDTESTKEY) have been generated with the following
commands:

Bad credentials (badclient.* / badserver.*):
============================================

These are self-signed certificates:

$ openssl req -x509 -newkey rsa:2048 -keyout badserver.key -out badserver.pem \
  -days 3650 -nodes

When prompted for certificate information, everything is default except the
common name which is set to badserver.test.google.com.


Valid test credentials:
=======================

The CA is self-signed:
----------------------

$ openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -config ca-openssl.cnf -days 3650 -extensions v3_req

When prompted for certificate information, everything is default.

client is issued by CA:
-----------------------

$ openssl genrsa -out client.key.rsa 2048
$ openssl pkcs8 -topk8 -in client.key.rsa -out client.key -nocrypt
$ openssl req -new -key client.key -out client.csr

When prompted for certificate information, everything is default except the
common name which is set to testclient.

$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in client.csr \
  -out client.pem -days 3650

client1 is issued by CA:
------------------------

$ openssl genrsa -out client1.key.rsa 2048
$ openssl pkcs8 -topk8 -in client1.key.rsa -out client1.key -nocrypt
$ openssl req -new -key client1.key -out client1.csr

When prompted for certificate information, everything is default except the
common name which is set to testclient1.

$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in client1.csr \
  -out client1.pem -days 3650

client2 is issued by CA:
------------------------

$ openssl genrsa -out client2.key.rsa 2048
$ openssl pkcs8 -topk8 -in client2.key.rsa -out client2.key -nocrypt
$ openssl req -new -key client2.key -out client2.csr

When prompted for certificate information, everything is default except the
common name which is set to testclient2.

$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in client2.csr \
  -out client2.pem -days 3650

server0 is issued by CA:
------------------------

$ openssl genrsa -out server0.key.rsa 2048
$ openssl pkcs8 -topk8 -in server0.key.rsa -out server0.key -nocrypt
$ openssl req -new -key server0.key -out server0.csr

When prompted for certificate information, everything is default except the
common name which is set to *.test.google.com.au.

$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in server0.csr \
  -out server0.pem -days 3650

server1 is issued by CA with a special config for subject alternative names:
----------------------------------------------------------------------------

$ openssl genrsa -out server1.key.rsa 2048
$ openssl pkcs8 -topk8 -in server1.key.rsa -out server1.key -nocrypt
$ openssl req -new -key server1.key -out server1.csr -config server1-openssl.cnf

When prompted for certificate information, everything is default except the
common name which is set to *.test.google.com.

$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in server1.csr \
  -out server1.pem -extensions req_ext -extfile server1-openssl.cnf -days 3650

multi-domain is a self-signed certificate having multiple subject alternative
names:
----------------------------------------------------------------------------

$ openssl genrsa -out multi-domain.key.rsa 2048
$ openssl pkcs8 -topk8 -in multi-domain.key.rsa -out multi-domain.key -nocrypt
$ openssl req -new -key multi-domain.key -out multi-domain.csr \
  -config multi-domain-openssl.cnf
$ openssl req -x509 -new -extensions v3_req -key multi-domain.key \
  -out multi-domain.pem -days 3650 -config multi-domain-openssl.cnf

Clean up:
---------

$ rm *.rsa
$ rm *.csr
$ rm ca.srl

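Added example (not part of the gRPC README): a scratch-directory rerun of the
CA, client and badserver steps followed by the checks that matter for these
fixtures, namely that client.pem chains to ca.pem, that the self-signed
badserver.pem does not, and that client.key matches client.pem. Assumptions:
-subj replaces the interactive prompts, the CA subject /CN=testca is made up,
and test.cnf is a constructed stand-in for ca-openssl.cnf, whose contents are
not shown here.

```shell
#!/bin/sh
# Added example, not the project's own script. test.cnf is a constructed
# stand-in for ca-openssl.cnf; -subj replaces the interactive prompts.

# Regenerate CA, CA-issued client and self-signed badserver in directory $1.
# The body runs in a subshell so the caller's working directory is unchanged.
gen_creds() (
  cd "$1" || exit 1
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[v3_req]' \
    'basicConstraints = critical, CA:TRUE' > test.cnf
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -config test.cnf -days 3650 -extensions v3_req -subj '/CN=testca' &&
  openssl genrsa -out client.key.rsa 2048 &&
  openssl pkcs8 -topk8 -in client.key.rsa -out client.key -nocrypt &&
  openssl req -new -key client.key -out client.csr -config test.cnf \
    -subj '/CN=testclient' &&
  openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in client.csr \
    -out client.pem -days 3650 &&
  openssl req -x509 -newkey rsa:2048 -keyout badserver.key -out badserver.pem \
    -days 3650 -nodes -config test.cnf -subj '/CN=badserver.test.google.com'
)

# Succeeds only if certificate $2 in directory $1 verifies against ca.pem.
chains_to_ca() {
  openssl verify -CAfile "$1/ca.pem" "$1/$2" >/dev/null 2>&1
}

# Succeeds only if private key $2 and certificate $3 carry the same public key.
key_matches_cert() {
  k=$(openssl pkey -in "$1/$2" -pubout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$(openssl x509 -in "$1/$3" -noout -pubkey 2>/dev/null)" ]
}

d=$(mktemp -d) && gen_creds "$d" >/dev/null 2>&1 || exit 1
chains_to_ca "$d" client.pem && echo "client.pem: chains to ca.pem"
chains_to_ca "$d" badserver.pem || echo "badserver.pem: rejected, not issued by ca.pem"
key_matches_cert "$d" client.key client.pem && echo "client.key matches client.pem"
```

Running the same two checks against each copy of the fixtures after an update
shows whether a key or certificate was replaced without its counterpart.
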
Sync up with other repositories
===============================

Copies of these keys exist in multiple locations across all the grpc repos
(e.g., see the following partial list). You need to be careful when updating
the keys.

grpc-dart/interop/
grpc-dotnet/testassets/Certs/InteropTests/
grpc-go/testdata/
grpc-java/testing/src/main/resources/certs/
grpc-node/test/data/
src/csharp/Grpc.IntegrationTesting/data/
src/objective-c/tests/TestCertificates.bundle/
src/php/tests/data/
src/python/grpcio_tests/tests/interop/credentials/
src/python/grpcio_tests/tests/unit/credentials/
src/ruby/spec/testdata/
test/core/end2end/data/

The following keys/certs are not distributed through multiple grpc repos yet,
since they are only used in grpc core tests:

multi-domain.*
client1.*
client2.*