Name                              Date         Size     #Lines  LOC
BUILD                             04-Jul-2025  1,015    36      33
README                            04-Jul-2025  6 KiB    164     118
badclient.key                     04-Jul-2025  1.7 KiB  29      28
badclient.pem                     04-Jul-2025  1.3 KiB  23      22
badserver.key                     04-Jul-2025  1.7 KiB  29      28
badserver.pem                     04-Jul-2025  1.3 KiB  23      22
ca-openssl.cnf                    04-Jul-2025  541      18      15
ca.key                            04-Jul-2025  1.7 KiB  29      28
ca.pem                            04-Jul-2025  1.2 KiB  21      20
client-with-spiffe-openssl.cnf    04-Jul-2025  305      16      12
client-with-spiffe.key            04-Jul-2025  1.7 KiB  29      28
client-with-spiffe.pem            04-Jul-2025  1.4 KiB  24      23
client.key                        04-Jul-2025  1.7 KiB  29      28
client.pem                        04-Jul-2025  1.1 KiB  21      20
client1.key                       04-Jul-2025  1.7 KiB  29      28
client1.pem                       04-Jul-2025  1.1 KiB  21      20
client2.key                       04-Jul-2025  1.7 KiB  29      28
client2.pem                       04-Jul-2025  1.1 KiB  21      20
intermediate.cnf                  04-Jul-2025  303      13      10
intermediate_ca.key               04-Jul-2025  1.7 KiB  29      28
intermediate_ca.pem               04-Jul-2025  1.4 KiB  24      23
leaf_and_intermediate_chain.pem   04-Jul-2025  2.6 KiB  44      43
leaf_signed_by_intermediate.cnf   04-Jul-2025  283      13      10
leaf_signed_by_intermediate.key   04-Jul-2025  1.7 KiB  29      28
leaf_signed_by_intermediate.pem   04-Jul-2025  1.2 KiB  21      20
multi-domain-openssl.cnf          04-Jul-2025  928      34      30
multi-domain.key                  04-Jul-2025  1.7 KiB  29      28
multi-domain.pem                  04-Jul-2025  1.4 KiB  25      24
server0.key                       04-Jul-2025  1.7 KiB  29      28
server0.pem                       04-Jul-2025  1.2 KiB  21      20
server1-openssl.cnf               04-Jul-2025  790      27      23
server1.key                       04-Jul-2025  1.7 KiB  29      28
server1.pem                       04-Jul-2025  1.3 KiB  23      22

README

The test credentials (CONFIRMEDTESTKEY) have been generated with the following
commands:

Bad credentials (badclient.* / badserver.*):
============================================

These are self-signed certificates:

$ openssl req -x509 -newkey rsa:2048 -keyout badserver.key -out badserver.pem \
  -days 3650 -nodes

When prompted for certificate information, everything is default except the
common name which is set to badserver.test.google.com.


Valid test credentials:
=======================

The CA is self-signed:
----------------------

$ openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -config ca-openssl.cnf -days 3650 -extensions v3_req

When prompted for certificate information, everything is default.

client is issued by CA:
-----------------------

$ openssl genrsa -out client.key.rsa 2048
$ openssl pkcs8 -topk8 -in client.key.rsa -out client.key -nocrypt
$ openssl req -new -key client.key -out client.csr

When prompted for certificate information, everything is default except the
common name which is set to testclient.

$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in client.csr \
  -out client.pem -days 3650

client1 is issued by CA:
------------------------

$ openssl genrsa -out client1.key.rsa 2048
$ openssl pkcs8 -topk8 -in client1.key.rsa -out client1.key -nocrypt
$ openssl req -new -key client1.key -out client1.csr

When prompted for certificate information, everything is default except the
common name which is set to testclient1.

$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in client1.csr \
  -out client1.pem -days 3650

client2 is issued by CA:
------------------------

$ openssl genrsa -out client2.key.rsa 2048
$ openssl pkcs8 -topk8 -in client2.key.rsa -out client2.key -nocrypt
$ openssl req -new -key client2.key -out client2.csr

When prompted for certificate information, everything is default except the
common name which is set to testclient2.

$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in client2.csr \
  -out client2.pem -days 3650

client-with-spiffe is issued by CA:
-----------------------------------

$ openssl genrsa -out client-with-spiffe.key.rsa 2048
$ openssl pkcs8 -topk8 -in client-with-spiffe.key.rsa -out client-with-spiffe.key -nocrypt
$ openssl req -new -key client-with-spiffe.key -out client-with-spiffe.csr -config client-with-spiffe-openssl.cnf
$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in client-with-spiffe.csr \
  -out client-with-spiffe.pem -extensions v3_req -extfile client-with-spiffe-openssl.cnf -days 3650

server0 is issued by CA:
------------------------

$ openssl genrsa -out server0.key.rsa 2048
$ openssl pkcs8 -topk8 -in server0.key.rsa -out server0.key -nocrypt
$ openssl req -new -key server0.key -out server0.csr

When prompted for certificate information, everything is default except the
common name which is set to *.test.google.com.au.

$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in server0.csr \
  -out server0.pem -days 3650

server1 is issued by CA with a special config for subject alternative names:
----------------------------------------------------------------------------

$ openssl genrsa -out server1.key.rsa 2048
$ openssl pkcs8 -topk8 -in server1.key.rsa -out server1.key -nocrypt
$ openssl req -new -key server1.key -out server1.csr -config server1-openssl.cnf

When prompted for certificate information, everything is default except the
common name which is set to *.test.google.com.

$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in server1.csr \
  -out server1.pem -extensions req_ext -extfile server1-openssl.cnf -days 3650

multi-domain is a self-signed certificate having multiple subject alternative
names:
----------------------------------------------------------------------------

$ openssl genrsa -out multi-domain.key.rsa 2048
$ openssl pkcs8 -topk8 -in multi-domain.key.rsa -out multi-domain.key -nocrypt
$ openssl req -new -key multi-domain.key -out multi-domain.csr -config \
  multi-domain-openssl.cnf
$ openssl req -x509 -new -extensions v3_req -key multi-domain.key -out \
  multi-domain.pem -days 3650 -config multi-domain-openssl.cnf


Generate a chain with a leaf cert signed by an intermediate CA
----------------------------------------------------------------------------

The fully verified chain will be root_ca -> intermediate_ca -> leaf

Generating the intermediate CA:
$ openssl genrsa -out temp.rsa 2048
$ openssl pkcs8 -topk8 -in temp.rsa -out intermediate_ca.key -nocrypt
$ rm temp.rsa
$ openssl req -key intermediate_ca.key -new -out temp.csr -config intermediate.cnf
$ openssl x509 -req -days 3650 -in temp.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out intermediate_ca.pem -extfile intermediate.cnf -extensions 'v3_req'

Generating the leaf and chain:
$ openssl genrsa -out temp.rsa 2048
$ openssl pkcs8 -topk8 -in temp.rsa -out leaf_signed_by_intermediate.key -nocrypt
$ openssl req -key leaf_signed_by_intermediate.key -new -out temp.csr -config leaf_signed_by_intermediate.cnf
$ openssl x509 -req -days 3650 -in temp.csr -CA intermediate_ca.pem -CAkey intermediate_ca.key -CAcreateserial -out leaf_signed_by_intermediate.pem -extfile leaf_signed_by_intermediate.cnf -extensions 'v3_req'
$ cat leaf_signed_by_intermediate.pem intermediate_ca.pem > leaf_and_intermediate_chain.pem

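Added example (not part of the original README or the gRPC repository): a shell check that builds a throwaway root -> intermediate -> leaf chain under the same file names and confirms that the concatenated bundle verifies against ca.pem while the leaf alone does not. The chain.cnf contents, subject names and one-day validity are assumptions, since the contents of the README's *.cnf files are not shown here.

```shell
# Added example. Throwaway chain in a scratch directory; file names mirror the
# README, but chain.cnf is an assumption (the README's *.cnf files are not shown).
make_chain() {   # $1 = empty working directory
  ( cd "$1" || exit 1
    cat > chain.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    newkey() {   # same genrsa + pkcs8 steps as the README
      openssl genrsa -out temp.rsa 2048 2>/dev/null &&
      openssl pkcs8 -topk8 -in temp.rsa -out "$1" -nocrypt && rm temp.rsa
    }
    issue() {    # $1=name  $2=issuer cert  $3=issuer key  $4=extension section
      newkey "$1.key" &&
      openssl req -new -key "$1.key" -out temp.csr -config chain.cnf -subj "/CN=$1" &&
      openssl x509 -req -days 1 -in temp.csr -CA "$2" -CAkey "$3" -CAcreateserial \
        -out "$1.pem" -extfile chain.cnf -extensions "$4" 2>/dev/null
    }
    newkey ca.key &&
    openssl req -x509 -new -key ca.key -out ca.pem -days 1 -config chain.cnf \
      -extensions v3_ca -subj "/CN=constructed-root" &&
    issue intermediate_ca ca.pem ca.key v3_ca &&
    issue leaf_signed_by_intermediate intermediate_ca.pem intermediate_ca.key v3_leaf &&
    cat leaf_signed_by_intermediate.pem intermediate_ca.pem > leaf_and_intermediate_chain.pem
  ) >/dev/null
}
# verify reads only the first cert (the leaf) from the bundle given as the target;
# -untrusted loads every cert in it, which supplies the intermediate.
verify_bundle() {
  openssl verify -CAfile "$1/ca.pem" -untrusted "$1/leaf_and_intermediate_chain.pem" \
    "$1/leaf_and_intermediate_chain.pem" 2>&1 | grep -q ': OK$'
}
# Root only: succeeds only if a path can be built without the intermediate.
verify_leaf_root_only() {
  openssl verify -CAfile "$1/ca.pem" "$1/leaf_signed_by_intermediate.pem" 2>&1 |
    grep -q ': OK$'
}
dir=$(mktemp -d) && make_chain "$dir" && {
  verify_bundle "$dir" && echo "bundle verifies against ca.pem"
  verify_leaf_root_only "$dir" || echo "leaf alone is rejected (intermediate missing)"
}
rm -rf "$dir"
```

The same two verify commands can be run against the checked-in ca.pem, leaf_signed_by_intermediate.pem and leaf_and_intermediate_chain.pem after regenerating them, before the copies in the other repositories are updated.
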
Clean up:
---------
$ rm *.rsa
$ rm *.csr
$ rm ca.srl

Sync up with other repositories
===============================

Copies of these keys exist in multiple locations across all the grpc repos
(e.g., see the following partial list). You need to be careful when updating
the keys.

grpc-dart/interop/
grpc-dotnet/testassets/Certs/InteropTests/
grpc-go/testdata/
grpc-java/testing/src/main/resources/certs/
grpc-node/test/data/
src/objective-c/tests/TestCertificates.bundle/
src/php/tests/data/
src/python/grpcio_tests/tests/interop/credentials/
src/python/grpcio_tests/tests/unit/credentials/
src/ruby/spec/testdata/
test/core/end2end/data/

The following keys/certs are not distributed through multiple grpc repos yet,
since they are only used in grpc core tests:

multi-domain.*
client1.*
client2.*
