Testing repo to validate all gRPC TLS options
Latest commit 78e6b83 Jul 22, 2019

README.md

gRPC TLS testing

Basic service to retrieve user names based on their ID. This is just for TLS testing purposes.

Run

  • Server

    make run-server
  • Client

You need to provide an ID, which is the ID of the user to retrieve from the Server, for example export ID=1.

  1. Connect using the cert the Server provides during the TLS Handshake without verifying it.

    make run-client
  2. Connect using the cert the Server provides during the TLS Handshake and verify it.

    make run-client-noca
  3. Connect using the cert the Server provides during the TLS Handshake and verify it with a CA cert file provided.

    make run-client-ca
  4. Connect using a cert provided at runtime.

    make run-client-file
  • Help

    make

Generating TLS Certificates

You need these before running the examples. To create them, run make cert. The certificates are valid for a year (-days 365). The individual steps are listed below for reference.

  • CA Signed certificates
  1. Create Root signing Key

    openssl genrsa -out ca.key 4096
  2. Generate self-signed Root certificate

    openssl req -new -x509 -key ca.key -sha256 -subj "/C=US/ST=NJ/O=CA, Inc." -days 365 -out ca.cert
  3. Create a key for your service

    openssl genrsa -out service.key 4096
  4. Create signing CSR

    For local testing you can use '/CN=localhost'. For online testing, replace the CN with the name of your gRPC Server, for example: '/CN=grpc.nleiva.com'. Include this in a config file (certificate.conf).

    openssl req -new -key service.key -out service.csr -config certificate.conf
  5. Generate a certificate for the service

    openssl x509 -req -in service.csr -CA ca.cert -CAkey ca.key -CAcreateserial -out service.pem -days 365 -sha256 -extfile certificate.conf -extensions req_ext
  6. Verify

    openssl x509 -in service.pem -text -noout
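
What the verifying client options (2 and 3 above) depend on in these certificates, as an added Go example that is not code from this repository: it builds a throwaway CA and service certificate in memory and verifies the service certificate the way Go's TLS client does. It assumes the req_ext section of certificate.conf carries a subjectAltName for the host, uses Ed25519 keys instead of the RSA keys above to stay fast, and issue and clientAccepts are hypothetical helper names.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue signs tmpl with the parent's key; a nil parent gives a self-signed root (steps 1-2).
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader) // assumption: Ed25519 instead of RSA 4096, for speed
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// clientAccepts builds a constructed CA and service cert, then verifies the cert as a TLS client would.
func clientAccepts(cn string, sans []string, trustCA bool, name string) error {
	now, roots := time.Now(), x509.NewCertPool()
	ca, caKey, err := issue(&x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		Subject: pkix.Name{Organization: []string{"CA, Inc."}}, IsCA: true, BasicConstraintsValid: true}, nil, nil)
	if err != nil {
		return err
	}
	svc, _, err := issue(&x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		Subject: pkix.Name{CommonName: cn}, DNSNames: sans}, ca, caKey)
	if err != nil {
		return err
	}
	if trustCA { // client option 3: CA cert supplied; otherwise the trust pool stays empty
		roots.AddCert(ca)
	}
	_, err = svc.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err
}

func main() {
	fmt.Println(clientAccepts("localhost", []string{"localhost"}, true, "localhost"), "|", clientAccepts("localhost", nil, true, "localhost"))
}
```

Since Go 1.15 the Common Name is no longer used for hostname matching by default, so a service certificate issued without a SAN fails verification even when its CA is trusted.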

Vault and Certify

See vault-cert.md for setup details.

  • Server

    make run-server-vault
  • Client

    export CAFILE="ca-vault.cert"
    make run-client-ca

You need to provide an ID, which is the ID of the user to retrieve from the Server, for example export ID=1. Also provide the name of the Vault's CA certificate file as CAFILE.

Running in Docker Containers

Build Docker images with make docker-build. You need to provide HOST and PORT as environment variables.

    export HOST=grpc.nleiva.com
    export PORT=443
  • Run the Docker Client image. Provide any ID.

    export ID=1
    make run-docker-client
  • Run the Docker Server image

    make run-docker-server

Compiling protocol buffers

Run make proto.
