/grpc-tls

Testing repo to validate all gRPC TLS options

Primary LanguageGoBSD 3-Clause "New" or "Revised" LicenseBSD-3-Clause

gRPC TLS testing

Basic service to retrive user names based on their ID. This is just for TLS testing purposes.

Run

  • Server

    make run-server

  • Client

You need to provide an ID which is the id of the user we want to retrieve from the Server, for example export ID=1.

  1. Connect using the cert the Server provides during the TLS Handshake without verifying it.

    make run-client

  2. Connect using the cert the Server provides during the TLS Handshake and verify it.

    make run-client-noca

  3. Connect using the cert the Server provides during the TLS Handshake and verify it with a CA cert file provided.

    make run-client-ca

  4. Connect using a cert provided at runtime.

    make run-client-file

  • Help

    make

Generating TSL Certificates

You need these before running the examples. To create them run make cert. The certificates are valid for a year (-days 365). Below the step by step, for your reference.

  • CA Signed certificates

  1. Create Root signing Key

    openssl genrsa -out ca.key 4096

  2. Generate self-signed Root certificate

    openssl req -new -x509 -key ca.key -sha256 -subj "/C=US/ST=NJ/O=CA, Inc." -days 365 -out ca.cert

  3. Create a Key certificate for your service

    openssl genrsa -out service.key 4096

  4. Create signing CSR

    For local testing you can use '/CN=localhost'. For Online testing CN needs to be replaced with your gRPC Server, for example: '/CN=grpc.nleiva.com'. Include this in a config file (certificate.conf).

    openssl req -new -key service.key -out service.csr -config certificate.conf

  5. Generate a certificate for the service

    openssl x509 -req -in service.csr -CA ca.cert -CAkey ca.key -CAcreateserial -out service.pem -days 365 -sha256 -extfile certificate.conf -extensions req_ext

  6. Verify

    openssl x509 -in service.pem -text -noout

Vault and Certify

See vault-cert.md for setup details.

  • Server

    make run-server-vault

  • Client

    export CAFILE="ca-vault.cert"
make run-client-ca

You need to provide an ID which is the id of the user we want to retrieve from the Server, for example export ID=1. Also, the name of the Vault's CA certificate file as CAFILE.

Running in Docker Containers

Build Docker images with make docker-build. You need to provide HOST and PORT as enviromental variables.

export HOST=grpc.nleiva.com
export PORT=443

  • Run the Docker Client image. Provide any ID.

    export ID=1
make run-docker-client

  • Run the Docker Server image

    make run-docker-server

Compiling protocol buffers

Run make proto.