Name                              Date         Size     #Lines  LOC
BUILD                             22-Oct-2025  1 KiB    38      35
README                            22-Oct-2025  6.3 KiB  171     123
badclient.key                     22-Oct-2025  1.7 KiB  29      28
badclient.pem                     22-Oct-2025  1.3 KiB  23      22
badserver.key                     22-Oct-2025  1.7 KiB  29      28
badserver.pem                     22-Oct-2025  1.3 KiB  23      22
ca-openssl.cnf                    22-Oct-2025  541      18      15
ca.key                            22-Oct-2025  1.7 KiB  29      28
ca.pem                            22-Oct-2025  1.2 KiB  21      20
client-with-spiffe-openssl.cnf    22-Oct-2025  305      16      12
client-with-spiffe.key            22-Oct-2025  1.7 KiB  29      28
client-with-spiffe.pem            22-Oct-2025  1.4 KiB  24      23
client.key                        22-Oct-2025  1.7 KiB  29      28
client.pem                        22-Oct-2025  1.1 KiB  21      20
client1.key                       22-Oct-2025  1.7 KiB  29      28
client1.pem                       22-Oct-2025  1.1 KiB  21      20
client2.key                       22-Oct-2025  1.7 KiB  29      28
client2.pem                       22-Oct-2025  1.1 KiB  21      20
intermediate.cnf                  22-Oct-2025  303      13      10
intermediate_ca.key               22-Oct-2025  1.7 KiB  29      28
intermediate_ca.pem               22-Oct-2025  1.4 KiB  24      23
leaf_and_intermediate_chain.pem   22-Oct-2025  2.6 KiB  44      43
leaf_signed_by_intermediate.cnf   22-Oct-2025  283      13      10
leaf_signed_by_intermediate.key   22-Oct-2025  1.7 KiB  29      28
leaf_signed_by_intermediate.pem   22-Oct-2025  1.2 KiB  21      20
malformed-cert.pem                22-Oct-2025  1.3 KiB  23      22
malformed-key.pem                 22-Oct-2025  1.7 KiB  29      28
multi-domain-openssl.cnf          22-Oct-2025  928      34      30
multi-domain.key                  22-Oct-2025  1.7 KiB  29      28
multi-domain.pem                  22-Oct-2025  1.4 KiB  25      24
server0.key                       22-Oct-2025  1.7 KiB  29      28
server0.pem                       22-Oct-2025  1.2 KiB  21      20
server1-openssl.cnf               22-Oct-2025  790      27      23
server1.key                       22-Oct-2025  1.7 KiB  29      28
server1.pem                       22-Oct-2025  1.3 KiB  23      22

README

The test credentials (CONFIRMEDTESTKEY) have been generated with the following
commands:

Bad credentials (badclient.* / badserver.*):
============================================

These are self-signed certificates:

$ openssl req -x509 -newkey rsa:2048 -keyout badserver.key -out badserver.pem \
  -days 3650 -nodes

When prompted for certificate information, everything is default except the
common name which is set to badserver.test.google.com.


Malformed credentials (malformed.*):
====================================

These are invalid PEM blocks. They can be built by generating a valid
PEM-encoded certificate or private key and deleting a random character in the
body of the PEM encoding.

Valid test credentials:
=======================

The ca is self-signed:
----------------------

$ openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -config ca-openssl.cnf -days 3650 -extensions v3_req

When prompted for certificate information, everything is default.

client is issued by CA:
-----------------------

$ openssl genrsa -out client.key.rsa 2048
$ openssl pkcs8 -topk8 -in client.key.rsa -out client.key -nocrypt
$ openssl req -new -key client.key -out client.csr

When prompted for certificate information, everything is default except the
common name which is set to testclient.

$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in client.csr \
  -out client.pem -days 3650

client1 is issued by CA:
------------------------

$ openssl genrsa -out client1.key.rsa 2048
$ openssl pkcs8 -topk8 -in client1.key.rsa -out client1.key -nocrypt
$ openssl req -new -key client1.key -out client1.csr

When prompted for certificate information, everything is default except the
common name which is set to testclient1.

$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in client1.csr \
  -out client1.pem -days 3650

client2 is issued by CA:
------------------------

$ openssl genrsa -out client2.key.rsa 2048
$ openssl pkcs8 -topk8 -in client2.key.rsa -out client2.key -nocrypt
$ openssl req -new -key client2.key -out client2.csr

When prompted for certificate information, everything is default except the
common name which is set to testclient2.

$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in client2.csr \
  -out client2.pem -days 3650

client-with-spiffe is issued by CA:
-----------------------------------

$ openssl genrsa -out client-with-spiffe.key.rsa 2048
$ openssl pkcs8 -topk8 -in client-with-spiffe.key.rsa -out client-with-spiffe.key -nocrypt
$ openssl req -new -key client-with-spiffe.key -out client-with-spiffe.csr \
  -config client-with-spiffe-openssl.cnf
$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in client-with-spiffe.csr \
  -out client-with-spiffe.pem -extensions v3_req -extfile client-with-spiffe-openssl.cnf -days 3650

server0 is issued by CA:
------------------------

$ openssl genrsa -out server0.key.rsa 2048
$ openssl pkcs8 -topk8 -in server0.key.rsa -out server0.key -nocrypt
$ openssl req -new -key server0.key -out server0.csr

When prompted for certificate information, everything is default except the
common name which is set to *.test.google.com.au.

$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in server0.csr \
  -out server0.pem -days 3650

server1 is issued by CA with a special config for subject alternative names:
----------------------------------------------------------------------------

$ openssl genrsa -out server1.key.rsa 2048
$ openssl pkcs8 -topk8 -in server1.key.rsa -out server1.key -nocrypt
$ openssl req -new -key server1.key -out server1.csr -config server1-openssl.cnf

When prompted for certificate information, everything is default except the
common name which is set to *.test.google.com.

$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in server1.csr \
  -out server1.pem -extensions req_ext -extfile server1-openssl.cnf -days 3650

multi-domain is a self-signed certificate having multiple subject alternative
names:
----------------------------------------------------------------------------

$ openssl genrsa -out multi-domain.key.rsa 2048
$ openssl pkcs8 -topk8 -in multi-domain.key.rsa -out multi-domain.key -nocrypt
$ openssl req -new -key multi-domain.key -out multi-domain.csr \
  -config multi-domain-openssl.cnf
$ openssl req -x509 -new -extensions v3_req -key multi-domain.key \
  -out multi-domain.pem -days 3650 -config multi-domain-openssl.cnf


Generate a chain with a leaf cert signed by an intermediate CA
--------------------------------------------------------------

The fully verified chain will be root_ca -> intermediate_ca -> leaf.

Generating the intermediate CA:

$ openssl genrsa -out temp.rsa 2048
$ openssl pkcs8 -topk8 -in temp.rsa -out intermediate_ca.key -nocrypt
$ rm temp.rsa
$ openssl req -key intermediate_ca.key -new -out temp.csr -config intermediate.cnf
$ openssl x509 -req -days 3650 -in temp.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out intermediate_ca.pem -extfile intermediate.cnf -extensions 'v3_req'

Generating the leaf and chain:

$ openssl genrsa -out temp.rsa 2048
$ openssl pkcs8 -topk8 -in temp.rsa -out leaf_signed_by_intermediate.key -nocrypt
$ openssl req -key leaf_signed_by_intermediate.key -new -out temp.csr \
  -config leaf_signed_by_intermediate.cnf
$ openssl x509 -req -days 3650 -in temp.csr -CA intermediate_ca.pem -CAkey intermediate_ca.key \
  -CAcreateserial -out leaf_signed_by_intermediate.pem \
  -extfile leaf_signed_by_intermediate.cnf -extensions 'v3_req'
$ cat leaf_signed_by_intermediate.pem intermediate_ca.pem > leaf_and_intermediate_chain.pem


Clean up:
---------

$ rm *.rsa
$ rm *.csr
$ rm ca.srl
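The sections above describe the trust relationships these files encode: a self-signed root (ca.pem), an intermediate issued by it, a leaf issued by the intermediate and bundled leaf-first into leaf_and_intermediate_chain.pem, self-signed "bad" credentials that no trust anchor vouches for, and wildcard subject alternative names on the server certificates. The Go program below is an added example, not code from the gRPC repository or from this README; Go is used because grpc-go/testdata/ is one of the consumers of these same files. It builds the same layout in memory and exercises a verifier against it the way the test suites that load these files do. It assumes ECDSA P-256 keys in place of the RSA-2048 keys generated above, short constructed lifetimes, and constructed hostnames (grpc.test.google.com, grpc.example.com); the certificate names and SANs are taken from the README.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 = 1 // constructed serials; OpenSSL keeps them in ca.srl

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a CA template, or a server template whose sans become SANs.
func template(cn string, ca bool, sans ...string) *x509.Certificate {
	t := &x509.Certificate{Subject: pkix.Name{CommonName: cn}, DNSNames: sans}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with the parent's key, or self-signs when parentCert is nil.
func issue(tmpl, parentCert *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 stands in for RSA-2048
	check(err)
	tmpl.SerialNumber, nextSerial = big.NewInt(nextSerial), nextSerial+1
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parentCert == nil {
		parentCert, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// splitBundle reads a PEM chain: first certificate is the leaf, the rest are intermediates.
func splitBundle(data []byte) (leaf *x509.Certificate, inters []*x509.Certificate) {
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		check(err)
		if leaf == nil {
			leaf = c
		} else {
			inters = append(inters, c)
		}
	}
	return leaf, inters
}

// verify mirrors `openssl verify -CAfile ca.pem -untrusted intermediate_ca.pem leaf.pem` plus a hostname check.
func verify(leaf *x509.Certificate, roots, inters []*x509.Certificate, host string) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range inters {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: host})
	return err
}

type checkResults struct{ FullChain, MissingIntermediate, SelfSignedBad, WrongHost bool }

// runChecks builds root -> intermediate -> leaf plus a self-signed bad server cert and verifies each.
func runChecks() checkResults {
	rootCert, rootKey := issue(template("testca", true), nil, nil)
	interCert, interKey := issue(template("intermediate", true), rootCert, rootKey)
	leafCert, _ := issue(template("*.test.google.com", false, "*.test.google.com"), interCert, interKey)
	badCert, _ := issue(template("badserver.test.google.com", false, "badserver.test.google.com"), nil, nil)
	// `cat leaf.pem intermediate_ca.pem > chain.pem`, done in memory.
	chainPEM := append(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafCert.Raw}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: interCert.Raw})...)
	chainLeaf, chainInters := splitBundle(chainPEM)
	roots := []*x509.Certificate{rootCert}
	return checkResults{
		FullChain:           verify(chainLeaf, roots, chainInters, "grpc.test.google.com") == nil,
		MissingIntermediate: verify(chainLeaf, roots, nil, "grpc.test.google.com") == nil,
		SelfSignedBad:       verify(badCert, roots, nil, "badserver.test.google.com") == nil,
		WrongHost:           verify(chainLeaf, roots, chainInters, "grpc.example.com") == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", runChecks()) // {FullChain:true MissingIntermediate:false SelfSignedBad:false WrongHost:false}
}
```

Two of the checks make the README's layout concrete. Only the self-signed root goes into the trusted pool; the intermediate is supplied as untrusted material alongside the leaf (the role of `-untrusted` in `openssl verify`), so the same leaf fails verification when the bundle is loaded without its intermediate. A self-signed certificate such as badserver.pem is rejected against ca.pem even though its name matches the requested host, because nothing in the root pool signed it. The bundle parser relies on the leaf-first order that the `cat` step produces; a loader that picked the wrong certificate as the leaf would verify the intermediate instead.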
145
146Sync up with other repositories
147===============================
148
149Copies of these keys exist in multiple locations across all the grpc repos
150(e.g., see the following partial list). You need to be careful when updating
151the keys.
152
153grpc-dart/interop/
154grpc-dotnet/testassets/Certs/InteropTests/
155grpc-go/testdata/
156grpc-java/testing/src/main/resources/certs/
157grpc-node/test/data/
158src/objective-c/tests/TestCertificates.bundle/
159src/php/tests/data/
160src/python/grpcio_tests/tests/interop/credentials/
161src/python/grpcio_tests/tests/unit/credentials/
162src/ruby/spec/testdata/
163test/core/end2end/data/
164
165The following keys/certs are not distributed through multiple grpc repos yet,
166since they are only used in grpc core tests:
167
168multi-domain.*
169client1.*
170client2.*
171