The following script is what I used to generate the certificates
#!/bin/bash
rm *.pem

# Generate a self-signed CA certificate and private key
openssl req -x509 -newkey rsa:4096 -days 3650 -keyout ca-key.pem -out ca-cert.pem -nodes \
  -subj "/C=US/ST=California/O=Motive/OU=Embedded/CN=sc1-grpc-ca"

# Display info on self-signed CA certificate
openssl x509 -in ca-cert.pem -noout -text

# Generate a server private key and CSR
openssl req -newkey rsa:4096 -keyout kt-cam-key.pem -out kt-cam-req.pem -nodes \
  -subj "/C=US/ST=California/O=Motive/OU=Embedded/CN=sc1-kt-cam" \
  -addext "subjectAltName = IP:0.0.0.0"

# Use the CA cert to sign the kt-cam server CSR
openssl x509 -req -in kt-cam-req.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
  -out kt-cam-cert.pem -days 3650 -extfile kt-cam-ext.cnf

# Generate a client private key and CSR for kt_iot
openssl req -newkey rsa:4096 -keyout kt-iot-key.pem -out kt-iot-req.pem -nodes \
  -subj "/C=US/ST=California/O=Motive/OU=Embedded/CN=sc1-kt-iot" \
  -addext "subjectAltName = IP:0.0.0.0"

# Use the CA cert to sign the kt-iot client CSR
openssl x509 -req -in kt-iot-req.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
  -out kt-iot-cert.pem -days 3650 -extfile kt-iot-ext.cnf

# Generate a client private key and CSR for kt_cli
openssl req -newkey rsa:4096 -keyout kt-cli-key.pem -out kt-cli-req.pem -nodes \
  -subj "/C=US/ST=California/O=Motive/OU=Embedded/CN=sc1-kt-cli" \
  -addext "subjectAltName = IP:0.0.0.0"

# Use the CA cert to sign the kt-cli client CSR
openssl x509 -req -in kt-cli-req.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
  -out kt-cli-cert.pem -days 3650 -extfile kt-cli-ext.cnf

All the extension files look like this:

subjectAltName = IP:0.0.0.0

Thanks
Kartik

On Monday, September 12, 2022 at 1:51:39 PM UTC-7 Kartik Aiyer wrote:
> Hello folks
>
> We have implemented a gRPC server on our embedded Linux-based camera and
> have a couple of clients that are expected to run on both the camera itself
> (so local loopback connection) as well as on host computers that are on the
> same subnet as the camera.
> Both the server and clients are written in C++ and use the gRPC C++ API. I'm
> trying to use mutual TLS so that only clients written by us can connect to
> the server.
>
> I set up a self-signed root CA and used it to sign a server certificate and
> client certificate (more than one client certificate since I have more than
> one client). I'm not sure what is the best way to set up the certificate.
> From what I understand, either the common name or subjectAlternativeNames
> will be used to verify a connection in addition to the signature with the
> root certificate.
>
> Server
>
> - I can set up the camera's hostname to something that will match the
> common name in the certificate. Is this the recommended approach?
>
> Client
>
> - I can't set the hostnames of the clients, so I'm not sure what to put
> in the common name for the server to verify. Any recommendation here?
>
> Currently I'm using a subjectAlternativeName of IP:0.0.0.0 which allows me
> to make calls over local loopback but it's not usable over the network.
>
> I'm using SslCredentials and SslServerCredentials but I'm wondering if I
> should be using the TlsCredentials and TlsServerCredentials with some kind
> of custom verification callback. I would appreciate any advice on setting
> up the certificates appropriately for the use case I have described.
>
> To summarize, the client is expected to connect to the cameras on the same
> network and be able to use the remote API.
>
> Thanks
> Kartik

--
You received this message because you are subscribed to the Google Groups "grpc.io" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/87e3c94e-2935-46c4-8bd7-fd407f9070d0n%40googlegroups.com.
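The two certificate roles in the thread above are checked differently, and the script's IP:0.0.0.0 SAN only works on loopback because of that. A TLS client (gRPC's SslCredentials included) verifies the server certificate's chain against the CA and then matches the name it dialed (hostname or IP, or the value of the ssl_target_name_override channel argument) against the certificate's SAN entries, so the server certificate has to list every name and address clients will actually use. A server configured to require and verify client certificates only checks the chain; nothing is matched against the client certificate's SAN, and the client's CN/SAN simply becomes the peer identity the server can authorize on (in gRPC C++, via the AuthContext). A client certificate therefore needs no hostname at all, just a distinct CN and a clientAuth extended key usage. One more caveat on the script: openssl x509 -req does not copy extensions from the CSR, so the -addext on the request is ignored and only the -extfile contents end up in the certificate. The following is an added example, not Kartik's script or any gRPC project code; it builds a small PKI along those lines and then runs the same two checks that the client and server would. The hostname sc1-kt-cam, the address 192.168.1.10 and the loopback address 127.0.0.1 are made-up values for the example.

```shell
#!/bin/sh
# Added example, not Kartik's script or gRPC project code: a small PKI for the
# camera mTLS setup. The server SAN carries the names a client will actually
# dial; client certs carry no address at all, only a clientAuth EKU and a CN.
# Assumed (made-up) values: camera hostname sc1-kt-cam, camera address
# 192.168.1.10, loopback 127.0.0.1 for the on-device client.
set -eu

SUBJ_BASE="/C=US/ST=California/O=Motive/OU=Embedded"

# Self-contained openssl config so nothing depends on the system openssl.cnf.
# $1 = output dir, $2 = server SAN list, e.g. "DNS:sc1-kt-cam,IP:192.168.1.10,IP:127.0.0.1"
write_config() {
  cat > "$1/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $2
[client_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Self-signed root CA: the single trust anchor both sides are given.
gen_ca() {  # gen_ca <dir>
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/ca-key.pem" 2>/dev/null
  openssl req -new -key "$1/ca-key.pem" -config "$1/pki.cnf" \
    -subj "$SUBJ_BASE/CN=sc1-grpc-ca" -out "$1/ca-req.pem"
  openssl x509 -req -in "$1/ca-req.pem" -signkey "$1/ca-key.pem" -sha256 -days 3650 \
    -extfile "$1/pki.cnf" -extensions ca_ext -out "$1/ca-cert.pem" 2>/dev/null
}

# Leaf cert signed by the CA. Extensions come from -extfile: x509 -req does not
# copy extensions out of the CSR, so an -addext on the CSR would be ignored.
issue_cert() {  # issue_cert <dir> <name> <server_ext|client_ext>
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/$2-key.pem" 2>/dev/null
  openssl req -new -key "$1/$2-key.pem" -config "$1/pki.cnf" \
    -subj "$SUBJ_BASE/CN=$2" -out "$1/$2-req.pem"
  openssl x509 -req -in "$1/$2-req.pem" -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" \
    -CAcreateserial -sha256 -days 825 -extfile "$1/pki.cnf" -extensions "$3" \
    -out "$1/$2-cert.pem" 2>/dev/null
}

# What the TLS client effectively does: the chain must verify against the CA
# AND the dialed name or IP must appear in the server cert's SAN.
client_would_accept() {  # client_would_accept <dir> <cert-file> <-verify_hostname|-verify_ip> <target>
  openssl verify -CAfile "$1/ca-cert.pem" "$3" "$4" "$1/$2" >/dev/null 2>&1
}

# What the server has after chain verification: the peer's CN is the identity
# to authorize on; no hostname is matched for a client cert.
peer_cn() {  # peer_cn <dir> <cert-file>
  openssl x509 -in "$1/$2" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

has_client_auth_eku() {  # has_client_auth_eku <dir> <cert-file>
  openssl x509 -in "$1/$2" -noout -text | grep -q 'TLS Web Client Authentication'
}

demo() {
  d=$(mktemp -d)
  write_config "$d" "DNS:sc1-kt-cam,IP:192.168.1.10,IP:127.0.0.1"
  gen_ca "$d"
  issue_cert "$d" sc1-kt-cam server_ext
  issue_cert "$d" sc1-kt-iot client_ext
  issue_cert "$d" sc1-kt-cli client_ext
  for target in "-verify_hostname sc1-kt-cam" "-verify_ip 192.168.1.10" \
                "-verify_ip 127.0.0.1" "-verify_hostname other-camera"; do
    # shellcheck disable=SC2086  (word-splitting $target into option and value is intended)
    if client_would_accept "$d" sc1-kt-cam-cert.pem $target; then
      echo "client accepts server cert for: $target"
    else
      echo "client rejects server cert for: $target"
    fi
  done
  echo "client identity the server would see: $(peer_cn "$d" sc1-kt-iot-cert.pem)"
  echo "PKI written to $d"
}

demo
```

The server SAN list is the one place the deployment's names go: add a DNS entry for whatever the camera's hostname resolves to on the LAN and an IP entry for each address clients dial, keeping IP:127.0.0.1 for the on-device client. With SslServerCredentialsOptions set to request and verify client certificates, the server's side of "only our clients can connect" is the chain check against ca-cert.pem; if different clients should get different permissions, compare the CN returned by peer_cn (or the SAN) in the service handler rather than minting a hostname for each client.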
