CERTIFICATES.md 1.9 KB
gRPC TLS Certificate Generation Guide
This guide explains how to generate the necessary TLS certificates for securing gRPC communication between client and server.
Overview
The script generates the following certificates and keys:
- Certificate Authority (CA) certificate and key
- Server certificate and key
- Client certificate and key
All certificates are generated in PEM format, which is commonly used in Unix/Linux systems.
Prerequisites
- OpenSSL installed on your system
- Bash shell environment
Generated Files
The script will create the following files:
ca.key- Certificate Authority private keyca.pem- Certificate Authority certificateserver.key- Server private keyserver.pem- Server certificateclient.key- Client private keyclient.pem- Client certificate
Usage
Make the script executable:
chmod +x generate_certs.shRun the script:
./generate_certs.sh
Certificate Details
Certificate Authority (CA)
- 4096-bit RSA key
- Valid for 365 days
- Used to sign both server and client certificates
Server Certificate
- 4096-bit RSA key
- Valid for 365 days
- Includes Subject Alternative Names (SAN):
- DNS: localhost
- DNS: my-server
- IP: 127.0.0.1
Client Certificate
- 4096-bit RSA key
- Valid for 365 days
- Used for client authentication
Verification
The script includes verification steps to ensure the certificates are properly generated:
# Verify server certificate
openssl verify -CAfile ca.pem server.pem
# Verify client certificate
openssl verify -CAfile ca.pem client.pem
Security Notes
- Keep private keys (*.key files) secure and never share them
- The CA certificate (ca.pem) needs to be distributed to both client and server
- Server needs:
- server.key
- server.pem
- ca.pem
- Client needs:
- client.key
- client.pem
- ca.pem