github.com/ronanmacf/grpc-go/security/advancedtls

About This Directory

This testdata directory contains the certificates used in the tests of package advancedtls.

How to Generate Test Certificates Using OpenSSL

Supposing we are going to create a subject_cert.pem that is trusted by ca_cert.pem, here are the commands we run:

• Generate the private key, ca_key.pem, and the cert ca_cert.pem, for the CA:

  $ openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -nodes -days $DURATION_DAYS
  

• Generate a private key subject_key.pem for the subject:

  $ openssl genrsa -out subject_key.pem 4096
  

• Generate a CSR csr.pem using subject_key.pem:

  $ openssl req -new -key subject_key.pem -out csr.pem
  

  For some cases, we might want to add some extra SAN fields in subject_cert.pem. In those cases, we can create a configuration file(for example, localhost-openssl.cnf), and do the following:

  $ openssl req -new -key subject_key.pem -out csr.pem -config $CONFIG_FILE_NAME
  

• Use ca_key.pem and ca_cert.pem to sign csr.pem, and get a certificate, subject_cert.pem, for the subject:

  This step requires some additional configuration steps and please check out this answer from StackOverflow for more.

  $ openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out subject_cert.pem -in csr.pem -keyfile ca_key.pem -cert ca_cert.pem
  

  Please see an example configuration template at openssl-ca.cnf.

• Verify the subject_cert.pem is trusted by ca_cert.pem:

  $ openssl verify -verbose -CAfile ca_cert.pem  subject_cert.pem