Here's an example script I created for a side project a while ago - it works (or at least worked) so may be of use. I create a CA (private key, a csr to mint the CA root cert) and then create server and client certs for mutual TLS. Hopefully it helps: https://github.com/bensanmorris/firefly_grpc/blob/main/keys/create_certs.sh . You might want to omit certain fields (the OU field for instance).
On Thursday, 29 July 2021 at 17:12:39 UTC+1 chirag panchal wrote:

> I'm facing a similar issue. Was this resolved by any means???
>
> On Wednesday, June 14, 2017 at 1:50:53 AM UTC+5:30 AK wrote:
>
>> Following one group member's help as below I was able to create an SSL/TLS based client-server.
>>
>> You need to mint the certificate for the same CN as you connect to.
>>
>> 1. Create a server private key. This is what the server needs to have, it's super-secret.
>> 2. Create a server certificate with CN=localhost, self-signed. This is what the server and the client need to have, it's public.
>> 3. In the client, use the server certificate (*not* the key) as a "roots". This will tell your client to trust servers using that certificate - but only if the CN matches the address you connect to.
>> 4. In the client, connect to localhost.
>>
>> At that time, gRPC only supported certificates created with the hostname value for CN. Now that gRPC 1.4.x supports Subject Alternate Names (SAN), an IP address can also be used to connect to the server. But I am having a problem with SANs. The moment I supply the certificates created with SAN I get the following error.
>>
>>     E0613 13:01:34.755411031 26365 ssl_transport_security.c:925] Handshake failed with fatal error SSL_ERROR_SSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
>>     Greeter received: RPC failed
>>
>> Here is the process I used to create certificates:
>>
>>     mypass="pass123"
>>
>>     echo Generate server key:
>>     openssl genrsa -passout pass:$mypass -des3 -out server.key 4096
>>
>>     echo Generate server signing request:
>>     openssl req -passin pass:$mypass -new -key server.key -out server.csr -config ssl.cfg
>>
>>     echo Self-sign server certificate:
>>     openssl x509 -req -passin pass:$mypass -days 365 -in server.csr -signkey server.key -set_serial 01 -out server.crt -extension v3_req -extfile ssl.cfg
>>
>>     echo Remove passphrase from server key:
>>     openssl rsa -passin pass:$mypass -in server.key -out server.key
>>
>> I am wondering what mistake did I do in the above key-certificate creation steps?

-- You received this message because you are subscribed to the Google Groups "grpc.io" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/4bc54b60-2f05-4a48-bb87-89fd3a1776fcn%40googlegroups.com.
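The steps quoted above self-sign the server certificate with `-signkey` and hand that same certificate to the client as its root. The script below is an added example, not the poster's script and not taken from the linked repository: it uses a small private CA instead of a self-signed leaf, puts both a DNS name and an IP address into the subjectAltName, and then runs the two checks a TLS client performs on connect (chain to the trusted root, then name or IP match against the SAN). Two details matter for the SAN to survive into the final certificate: `-reqexts` puts it into the CSR, and the signing step needs `-extfile` together with `-extensions <section>` (the option is spelled with a trailing "s"), because `openssl x509 -req` does not copy request extensions on its own. The CA name `example-test-ca`, the section names `v3_ca`/`v3_req`, and the host and IP values are constructed for this example.

```shell
#!/bin/sh
# Added example: private CA plus a server certificate whose subjectAltName
# lists DNS:<host> and IP:<ip>, then client-side verification of the result.
# Constructed/assumed: CA name "example-test-ca", section names, temp dir.
set -eu

# make_san_certs DIR HOST IP
# Writes ca.key, ca.crt, server.key, server.crt into DIR.
make_san_certs() {
  dir=$1
  host=$2
  ip=$3
  mkdir -p "$dir"

  # One config file; separate extension sections for the CA and the leaf.
  cat > "$dir/certs.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_req]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, IP:$ip
EOF

  # 1. CA key and self-signed root. ca.crt is what the client trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=example-test-ca" -config "$dir/certs.cnf" -extensions v3_ca \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

  # 2. Server key and CSR. -reqexts puts the SAN into the request.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$host" -config "$dir/certs.cnf" -reqexts v3_req \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

  # 3. CA signs the CSR. Without -extfile/-extensions the SAN is dropped,
  #    and a client dialing the IP address has nothing to match against.
  openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/certs.cnf" -extensions v3_req \
    -out "$dir/server.crt" 2>/dev/null
}

# san_of DIR: prints the SAN line of server.crt,
# e.g. "DNS:localhost, IP Address:127.0.0.1"
san_of() {
  openssl x509 -in "$1/server.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# check_name DIR NAME: "ok" if server.crt chains to ca.crt AND NAME matches
# a DNS SAN, otherwise "fail". This is what the client checks on connect.
check_name() {
  if openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# check_ip DIR IP: same check against an IP SAN.
check_ip() {
  if openssl verify -CAfile "$1/ca.crt" -verify_ip "$2" "$1/server.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Stand-alone run: build the certs in a temp dir and show the checks.
demo() {
  d=$(mktemp -d)
  make_san_certs "$d" localhost 127.0.0.1
  echo "SAN:           $(san_of "$d")"
  echo "localhost:     $(check_name "$d" localhost)"
  echo "127.0.0.1:     $(check_ip "$d" 127.0.0.1)"
  echo "other.example: $(check_name "$d" other.example)"
  rm -rf "$d"
}
demo
```

For the gRPC pair this maps directly onto the quoted steps: the server loads `server.key` and `server.crt`, the client is given `ca.crt` as its roots, and the client may dial either `localhost` or `127.0.0.1` because both appear in the SAN; dialing any name that is not in the SAN fails the same way `check_name` fails for `other.example`, which is the expected outcome rather than a defect.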
