Skip to content

Instantly share code, notes, and snippets.

@mping
Last active Oct 1, 2021
Embed
What would you like to do?
Certs

https://github.com/grpc/grpc-java/blob/master/testing/src/main/resources/certs/README

The test credentials (CONFIRMEDTESTKEY) have been generated with the following commands:

Bad credentials (badclient.* / badserver.*):

These are self-signed certificates:

$ openssl req -x509 -newkey rsa:2048 -keyout badserver.key -out badserver.pem \
  -days 3650 -nodes

When prompted for certificate information, everything is default except the common name which is set to badserver.test.google.com.

Valid test credentials:

The ca is self-signed:

    $ openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
      -config ca-openssl.cnf -days 3650 -extensions v3_req

When prompted for certificate information, everything is default.

client is issued by CA:

    $ openssl genrsa -out client.key.rsa 2048
    $ openssl pkcs8 -topk8 -in client.key.rsa -out client.key -nocrypt
    $ openssl req -new -key client.key -out client.csr

When prompted for certificate information, everything is default except the common name which is set to testclient.

    $ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in client.csr \
      -out client.pem -days 3650

server0 is issued by CA:

    $ openssl genrsa -out server0.key.rsa 2048
    $ openssl pkcs8 -topk8 -in server0.key.rsa -out server0.key -nocrypt
    $ openssl req -new -key server0.key -out server0.csr

When prompted for certificate information, everything is default except the common name which is set to *.test.google.com.au.

    $ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in server0.csr \
      -out server0.pem -days 3650

server1 is issued by CA with a special config for subject alternative names:

    $ openssl genrsa -out server1.key.rsa 2048
    $ openssl pkcs8 -topk8 -in server1.key.rsa -out server1.key -nocrypt
    $ openssl req -new -key server1.key -out server1.csr -config server1-openssl.cnf

When prompted for certificate information, everything is default except the common name which is set to *.test.google.com.

    $ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in server1.csr \
      -out server1.pem -extensions req_ext -extfile server1-openssl.cnf -days 3650

Clean up:

    $ rm *.rsa
    $ rm *.csr
    $ rm ca.srl
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment