Following the help from one of the group members, shown below, I was able to 
create an SSL/TLS-based client-server.

You need to mint the certificate for the same CN as you connect to.

1. Create a server private key. This is what the server needs to have, it's 
super-secret.
2. Create a server certificate with CN=localhost, self-signed. This is what 
the server and the client need to have, it's public.
3. In the client, use the server certificate (*not* the key) as a "roots". 
This will tell your client to trust servers using that certificate - but 
only if the CN matches the address you connect to.
4. In the client, connect to localhost.


At that time, gRPC only supported certificates created with a hostname value 
for the CN. Now that gRPC 1.4.x supports Subject Alternative Names (SAN), an IP 
address can also be used to connect to the server. But I am having a problem 
with SANs. The moment I supply the certificates created with SAN, I get the 
following error.

E0613 13:01:34.755411031   26365 ssl_transport_security.c:925] Handshake failed with fatal error SSL_ERROR_SSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.

Greeter received: RPC failed

Here is the process I used to create the certificates:

mypass="pass123"

echo Generate server key:

openssl genrsa -passout pass:$mypass -des3 -out server.key 4096


echo Generate server signing request:

openssl req -passin pass:$mypass -new -key server.key -out server.csr -config ssl.cfg


echo Self-sign server certificate:

openssl x509 -req -passin pass:$mypass -days 365 -in server.csr -signkey server.key -set_serial 01 -out server.crt -extension v3_req -extfile ssl.cfg


echo Remove passphrase from server key:

openssl rsa -passin pass:$mypass -in server.key -out server.key


I am wondering what mistake I made in the above key-certificate creation 
steps?
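
Added example (not part of the original post and not gRPC project code): a shell script that issues a self-signed certificate with DNS and IP SANs and then reads the SANs back out of server.crt, so a certificate that was issued without the extension is caught before any TLS handshake. The config contents, the unencrypted 2048-bit key and the function names are assumptions made for illustration; the section is selected with the x509 option -extensions together with -extfile.

```shell
#!/bin/sh
# Added example: self-signed server certificate carrying SANs, plus a check
# that the SANs are really present in the issued certificate.
# The config below is constructed for illustration; it is not the poster's ssl.cfg.

# write_cfg FILE: minimal request config with a v3_req section holding the SANs.
write_cfg() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = localhost

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = localhost
IP.1  = 127.0.0.1
EOF
}

# make_san_cert DIR: create key, CSR and self-signed certificate in DIR.
make_san_cert() {
    dir=$1
    mkdir -p "$dir" || return 1
    write_cfg "$dir/ssl.cfg"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -config "$dir/ssl.cfg" || return 1
    # "x509 -req" does not copy extensions from the CSR by default: they come
    # from the section named by -extensions in the file given by -extfile.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -set_serial 01 -out "$dir/server.crt" \
        -extensions v3_req -extfile "$dir/ssl.cfg" 2>/dev/null || return 1
}

# san_of CERT: print the SAN entries of CERT (empty output when it has none).
san_of() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 | tr -d ' '
}
```

Run make_san_cert ./out and then san_of ./out/server.crt; empty output means the certificate carries no SAN at all.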
