https://github.com/grpc/grpc-java/blob/master/testing/src/main/resources/certs/README
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
-config ca-openssl.cnf -days 3650 -extensions v3_req \
-addext "subjectAltName = DNS:localhost,DNS:nginx"
When prompted for certificate information, everything is default.
openssl genrsa -out client.key.rsa 2048
openssl pkcs8 -topk8 -in client.key.rsa -out client.key -nocrypt
openssl req -new -key client.key -out client.csr
When prompted for certificate information, everything is default except the
common name which is set to testclient.
openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in client.csr \
-out client.pem -days 3650
openssl genrsa -out server0.key.rsa 2048
openssl pkcs8 -topk8 -in server0.key.rsa -out server0.key -nocrypt
openssl req -new -key server0.key -out server0.csr
When prompted for certificate information, everything is default except the
common name which is set to localhost
openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in server0.csr \
-out server0.pem -days 3650 -extfile <(printf "subjectAltName=@alternate_names\n[ alternate_names ]\nDNS.1=localhost\nDNS.2=nginx")
openssl rsa -in server0.key -out server0.key.rsa
openssl pkcs8 -nocrypt -in client.key -out client.key.pem
openssl pkcs8 -topk8 -inform PEM -outform DER -in client.key.pem -out client.key.pem.bin -nocrypt
rm *.rsa; rm *.csr; rm ca.srl
openssl s_client -CAfile ca.pem -cert client.pem -key client.key -showcerts -connect localhost:4318
curl --cacert ca.pem --cert client.pem --key client.key localhost:4318
openssl x509 -noout -ext subjectAltName -in server0.pem
Be generous with perms because life is too short. In prod be strict.
;; in certs dir
chmod 644 *
If you see errors such as:
ERROR 2026 (HY000): SSL connection error: The certificate and the given key do not match.
it means the private key doesn't match the certificate. To verify:
❯ openssl rsa -noout -modulus -in server0.key | openssl md5
(stdin)= 8919698fe70ee10044ca5ff885a0e24f
❯ openssl x509 -noout -modulus -in server0.pem | openssl md5
(stdin)= 8919698fe70ee10044ca5ff885a0e24f
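The key/cert match check above and the subjectAltName check with `openssl x509 -ext`, folded into a small script, as an added example that is not part of the grpc-java README or these notes. It goes a step beyond the modulus trick: it compares the whole public key (so it also works for EC keys) and checks that server0.pem actually chains to ca.pem. Assumes openssl 1.1.1 or newer on PATH and the file names used on this page.

```shell
#!/bin/sh
# Added example; not from the grpc-java README or the notes above. Assumes
# openssl 1.1.1+ on PATH (for `x509 -ext`) and the page's file names.
set -eu

# Does the private key belong to the cert? Compares the DER SubjectPublicKeyInfo
# on both sides, which unlike the RSA-modulus trick also works for EC keys.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Does the cert list every DNS name given after it in subjectAltName?
# Exact per-entry match, so "local" is not accepted for "localhost".
cert_has_san() {
  cert=$1; shift
  sans=$(openssl x509 -noout -ext subjectAltName -in "$cert" | tr -d ' ' | tr ',' '\n')
  for name in "$@"; do
    printf '%s\n' "$sans" | grep -qx "DNS:$name" || return 1
  done
}

# Does the cert chain to this CA? -no-CAfile/-no-CApath keep the default
# trust locations out of the verdict, so only the given CA counts.
cert_chains_to_ca() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a throwaway CA and server cert in $1 the way the notes above do, but
# non-interactively (-subj) and with the SAN attached at signing time.
# Also writes an unrelated wrong.key to show the mismatch case.
make_test_certs() {
  d=$1
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
    -subj "/CN=testca" -days 3650 >/dev/null 2>&1
  openssl genrsa -out "$d/server0.key" 2048 >/dev/null 2>&1
  openssl req -new -key "$d/server0.key" -out "$d/server0.csr" -subj "/CN=localhost" >/dev/null 2>&1
  printf 'subjectAltName=DNS:localhost,DNS:nginx\n' > "$d/san.cnf"
  openssl x509 -req -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial -in "$d/server0.csr" \
    -out "$d/server0.pem" -days 3650 -extfile "$d/san.cnf" >/dev/null 2>&1
  openssl genrsa -out "$d/wrong.key" 2048 >/dev/null 2>&1
}

# Demo run on constructed certs in a temp dir.
demo=$(mktemp -d); make_test_certs "$demo"
key_matches_cert "$demo/server0.key" "$demo/server0.pem" && echo "server0.key matches server0.pem"
key_matches_cert "$demo/wrong.key" "$demo/server0.pem" || echo "wrong.key does NOT match server0.pem"
cert_has_san "$demo/server0.pem" localhost nginx && echo "SAN covers localhost and nginx"
cert_chains_to_ca "$demo/ca.pem" "$demo/server0.pem" && echo "server0.pem chains to ca.pem"
rm -rf "$demo"
```

Run it as-is for the demo, or source it and point the three check functions at the files in your own certs dir.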