Some notes about the certs in this directory

Self-signing sample CA in rootCA., CA cert secret: “secret” Server cert for localhost signed by rootCA in localhost-server., no password for private key Client cert for a client to connect in client1.*, no password for private key

Certs used by MtlsGreeterServer.

Hitting the server from curl:

Hit it with no extras, will fail because server cert is self signed: curl -v https://localhost:8443/Test

Accept root CA for server cert, server denies access because no client cert: curl -v --cacert ./rootCA.crt https://localhost:8443/Test

Accept root CA for server cert, pass a client cert the server doesn't know, TLS error (exact error differs depending on underlying TLS impl): curl -v --key client1.key --cert bad-client.crt --cacert ./rootCA.crt https://localhost:8443/Test

Accept root CA for server cert, pass a cert the server accepts, 404 because no such route: curl -v --key client1.key --cert client1.crt --cacert ./rootCA.crt https://localhost:8443/Test

Re-creating the certs

Creating our own CA, specifying ‘secret’ as password and non-important values for the other properties when prompted,:

openssl req -x509 -sha256 -days 36500 -newkey rsa:2048 -keyout rootCA.key -out rootCA.crt

Server key and key signing request, localhost for Common Name when prompted, empty challenge password:

openssl req -newkey rsa:2048 -nodes -keyout localhost-server.key -out localhost-server.csr

Sign server cert with our own CA (note that domain.ext is a manually created text file), use CA password secret from above:

openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in localhost-server.csr -out localhost-server.crt -days 36500 -CAcreateserial -extfile domain.ext

We now have localhost-server.crt and localhost-server.key for the server, and rootCA.crt for verifying that keypair.

Same for client, no password, set a common name, but value isn't really important:

openssl req -newkey rsa:2048 -nodes -keyout client1.key -out client1.csr

Sign it:

openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in client1.csr -out client1.crt -days 36500 -CAcreateserial

We now have client1.crt and client1.key for the client.

Additional non CA-signed certs for testing key pair that the server does not agree to:

openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout bad-client.key -out bad-client.crt