From 7e1b829343832d261fcfefc4587a795a975dec7e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Tue, 14 Apr 2026 11:26:31 +0200
Subject: [PATCH 1/2] send core certs during component setup
---
 v2/common.proto | 17 +++++++++++++++++
 v2/gateway.proto | 2 +-
 v2/proxy.proto | 2 +-
 3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/v2/common.proto b/v2/common.proto
index 127b9eb..e8d7866 100644
--- a/v2/common.proto
+++ b/v2/common.proto
@@ -25,3 +25,20 @@ message LogEntry {
 string timestamp = 4;
 map fields = 5;
 }
+
+/*
+ * TLS certificate bundle sent from Core to a component during setup.
+ * All fields are DER-encoded binary.
+ *
+ * component_cert_der - the component's signed server certificate.
+ * ca_cert_der - the CA certificate; used by the component to verify
+ * Core's client certificate chain during mTLS.
+ * core_client_cert_der - Core's client certificate; stored by the component
+ * and used to pin the exact cert Core must present on
+ * every subsequent gRPC connection.
+ */
+message CertBundle {
+ bytes component_cert_der = 1;
+ bytes ca_cert_der = 2;
+ bytes core_client_cert_der = 3;
+}
diff --git a/v2/gateway.proto b/v2/gateway.proto
index 380bb11..8b15750 100644
--- a/v2/gateway.proto
+++ b/v2/gateway.proto
@@ -98,5 +98,5 @@ service Gateway {
 service GatewaySetup {
 rpc Start(google.protobuf.Empty) returns (stream defguard.common.v2.LogEntry);
 rpc GetCsr(defguard.common.v2.CertificateInfo) returns (defguard.common.v2.DerPayload);
- rpc SendCert(defguard.common.v2.DerPayload) returns (google.protobuf.Empty);
+ rpc SendCert(defguard.common.v2.CertBundle) returns (google.protobuf.Empty);
 }
diff --git a/v2/proxy.proto b/v2/proxy.proto
index f4e17b1..ba4bf51 100644
--- a/v2/proxy.proto
+++ b/v2/proxy.proto
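Review bot: Nothing in `CertBundle` or its comment says that all three fields are mandatory, and proto3 `bytes` fields carry no presence, so a bundle with an empty `ca_cert_der` or `core_client_cert_der` decodes without error. Because the comment makes these the component's mTLS trust anchor and pin, I would state the contract on each field, e.g. `// Required. Receivers MUST reject the bundle if this field is empty.`, so an implementation cannot end up running without chain verification or pinning. The descriptions also sit in one block above the message; moving each to a `//` comment directly above its field would attach it to that field in generated documentation. It would help to say how the pin on `core_client_cert_der` is replaced when Core's client certificate is renewed, since the text as written pins the exact certificate for every subsequent connection.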
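Review bot: `GatewaySetup.SendCert` changes its request type in place, and `ProxySetup.SendCert` in v2/proxy.proto does the same, so peers built from the old and the new schema call the same method with different messages. `DerPayload` is not shown in this patch; if its payload is a `bytes` field numbered 1, a request from an older Core would presumably decode as a `CertBundle` carrying only `component_cert_der`, with the CA and the pinned client certificate left empty. If v2 has already shipped, consider keeping the old method and adding `rpc SendCertBundle(defguard.common.v2.CertBundle) returns (google.protobuf.Empty);`, so that a version mismatch fails as an unimplemented call instead of a partial setup. Neither service documents the RPC; a leading `//` comment stating that it installs the component's certificate, CA and Core pin would make the security weight of the call visible to implementers.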
@@ -226,5 +226,5 @@ service Proxy {
 service ProxySetup {
 rpc Start(google.protobuf.Empty) returns (stream defguard.common.v2.LogEntry);
 rpc GetCsr(defguard.common.v2.CertificateInfo) returns (defguard.common.v2.DerPayload);
- rpc SendCert(defguard.common.v2.DerPayload) returns (google.protobuf.Empty);
+ rpc SendCert(defguard.common.v2.CertBundle) returns (google.protobuf.Empty);
 }
From 69d79c50b60f001d1d5d75249fab89954a7f674c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Thu, 16 Apr 2026 11:04:37 +0200
Subject: [PATCH 2/2] formatting
---
 v2/common.proto | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/v2/common.proto b/v2/common.proto
index e8d7866..b40126f 100644
--- a/v2/common.proto
+++ b/v2/common.proto
@@ -38,7 +38,7 @@ message LogEntry {
 * every subsequent gRPC connection.
 */
 message CertBundle {
- bytes component_cert_der = 1;
- bytes ca_cert_der = 2;
+ bytes component_cert_der = 1;
+ bytes ca_cert_der = 2;
 bytes core_client_cert_der = 3;
 }