Have you looked at http://netty.io/wiki/sslcontextbuilder-and-private-key.html ?
I wasn't able to completely follow your directions (the last certstrap command failed), but comparing the keys in grpc-java/testing/src/main/resources/certs to those certstrap generated, I see:

    -----BEGIN PRIVATE KEY-----   vs   -----BEGIN RSA PRIVATE KEY-----

Running openssl to convert the format as suggested by the netty documentation yielded BEGIN PRIVATE KEY. I didn't try running with it, but that looked promising.

On Fri, Nov 3, 2017 at 8:23 AM, <[email protected]> wrote:
> I have been at this for the better part of a couple of days and am at the
> end of my rope. I am trying to generate readable keys for a Java gRPC
> server. I am using certstrap to generate the keys. Here is what I am doing:
>
>     certstrap init --common-name "GRPC"
>     certstrap request-cert --common-name server.com
>     certstrap sign sdl10236.labs.teradata.com --CA "GRPC"
>
> I get the following output:
>
>     GRPC.crl, GRPC.crt, GRPC.key, server.crt, server.csr, and server.key
>
> Now the problem here is when I go to load the certificates and keys. The
> source for reading the key in netty keeps saying that I do not have a valid
> private key.
>
>     Exception in thread "main" java.lang.IllegalArgumentException: File does not contain valid private key: /tmp/server.com.key5252344955683539009
>         at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:267)
>         at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:222)
>         at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:54)
>         at com.teradata.grpc.GrpcServer.serverBuilder(GrpcServer.java:152)
>         at com.teradata.grpc.GrpcServer.start(GrpcServer.java:69)
>         at com.teradata.grpc.GrpcServer.main(GrpcServer.java:111)
>     Caused by: java.security.KeyException: could not find a PKCS #8 private key in input stream (see http://netty.io/wiki/sslcontextbuilder-and-private-key.html for more information)
>         at io.netty.handler.ssl.PemReader.readPrivateKey(PemReader.java:128)
>         at io.netty.handler.ssl.PemReader.readPrivateKey(PemReader.java:109)
>         at io.netty.handler.ssl.SslContext.toPrivateKey(SslContext.java:1014)
>         at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:265)
>         ... 5 more
>
> Here is the code I am running:
>
>     this.clientContextBuilder =
>         GrpcSslContexts.configure(SslContextBuilder.forClient(), this.sslProvider);
>     try {
>         this.serverCertFile = this.loadCert("sdt03134.labs.teradata.com.crt");
>         this.serverPrivateKeyFile = this.loadCert("sdt03134.labs.teradata.com.key");
>         this.serverTrustedCaCerts =
>             new X509Certificate[]{this.loadX509Cert("grpc.crt")};
>         <-- the barfing happens here.
>     } catch (IOException ex) {
>
> The following methods I borrowed from the java unit tests to create the
> server:
>
>     // Copies the classpath resource /certs/<name> into a temp file, since
>     // SslContextBuilder.forServer(File, File) reads the cert and key by path.
>     private File loadCert(String name) throws IOException {
>         InputStream in = new BufferedInputStream(
>             GrpcServer.class.getResourceAsStream("/certs/" + name));
>         File tmpFile = File.createTempFile(name, "");
>         tmpFile.deleteOnExit();
>
>         OutputStream os = new BufferedOutputStream(new FileOutputStream(tmpFile));
>         try {
>             int b;
>             while ((b = in.read()) != -1) {
>                 os.write(b);
>             }
>             os.flush();
>         } finally {
>             in.close();
>             os.close();
>         }
>
>         return tmpFile;
>     }
>
>     // Parses a PEM/DER X.509 certificate from the classpath (used for the trust store).
>     private X509Certificate loadX509Cert(String fileName) throws
>             CertificateException, IOException {
>         CertificateFactory cf = CertificateFactory.getInstance("X.509");
>         logger.info("" + fileName);
>         InputStream in = GrpcServer.class.getResourceAsStream("/certs/" + fileName);
>         if (in != null) {
>             logger.info("Inputstream is defined.");
>         }
>         try {
>             return (X509Certificate) cf.generateCertificate(in);
>         } finally {
>             in.close();
>         }
>     }
>
>     // Builds the Netty server with TLS and mandatory client certificate auth;
>     // forServer() is where the key file is parsed and the exception above is thrown.
>     private ServerBuilder<?> serverBuilder(int port, File serverCertChainFile,
>             File serverPrivateKeyFile, X509Certificate[] serverTrustedCaCerts)
>             throws IOException {
>         SslContextBuilder sslContextBuilder =
>             SslContextBuilder.forServer(serverCertChainFile, serverPrivateKeyFile);
>         GrpcSslContexts.configure(sslContextBuilder, sslProvider);
>         sslContextBuilder.trustManager(serverTrustedCaCerts)
>             .clientAuth(ClientAuth.REQUIRE);
>
>         return NettyServerBuilder.forPort(port).sslContext(sslContextBuilder.build());
>     }
>
> Any help would be appreciated here. Please do not reply with read the
> docs. I have been there many times and they just do not provide enough
> information to solve this problem.
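Added example (not from this thread, and not Netty's or grpc-java's code): a standard-library-only Python checker for the problem the reply points at. It reads a PEM file, sniffs the DER body to tell a PKCS#1 "RSA PRIVATE KEY" (what certstrap wrote) from a PKCS#8 "PRIVATE KEY" (what Netty's PemReader wants), reports which one it found, and performs the same wrapping that `openssl pkcs8 -topk8 -nocrypt` does for RSA keys. It also catches the common shortcut of just editing the BEGIN/END header, which changes the label but not the structure, so Netty still rejects the file. The sample key is a constructed RSAPrivateKey-shaped structure with toy integers, not a real key; the parser works the same on a real certstrap or openssl output.

```python
import base64
import re
import textwrap

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # DER-encoded OID 1.2.840.113549.1.1.1
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def pem_decode(pem_text):
    """Return (label, DER bytes) of the first PEM block in the text."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def pem_encode(label, der):
    b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)

def classify_der(der):
    """Sniff the key structure from the first two elements of the outer SEQUENCE."""
    tag, body, _ = der_read_tlv(der, 0)
    if tag != 0x30:
        return "unknown"
    first_tag, _, pos = der_read_tlv(body, 0)
    if first_tag != 0x02:                 # every unencrypted key type starts with a version INTEGER
        return "unknown"
    second_tag, _, _ = der_read_tlv(body, pos)
    if second_tag == 0x30:
        return "pkcs8"                    # version, then AlgorithmIdentifier SEQUENCE (PrivateKeyInfo)
    if second_tag == 0x02:
        return "pkcs1-rsa"                # version, then modulus INTEGER (RSAPrivateKey)
    if second_tag == 0x04:
        return "sec1-ec"                  # version, then privateKey OCTET STRING (RFC 5915 ECPrivateKey)
    return "unknown"

def pkcs1_to_pkcs8(pkcs1_der):
    """Wrap an RSAPrivateKey in an unencrypted PrivateKeyInfo, as `openssl pkcs8 -topk8 -nocrypt` does."""
    algorithm = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # AlgorithmIdentifier { rsaEncryption, NULL }
    return der_tlv(0x30, der_tlv(0x02, b"\x00") + algorithm + der_tlv(0x04, pkcs1_der))

def pkcs8_to_pkcs1(pkcs8_der):
    _, body, _ = der_read_tlv(pkcs8_der, 0)
    _, _, pos = der_read_tlv(body, 0)     # version
    _, _, pos = der_read_tlv(body, pos)   # AlgorithmIdentifier
    _, key, _ = der_read_tlv(body, pos)   # privateKey OCTET STRING holds the original RSAPrivateKey
    return key

def diagnose(pem_text):
    """Say whether the file is the unencrypted PKCS#8 that Netty's PemReader expects and, if not, why."""
    label, der = pem_decode(pem_text)
    fmt = classify_der(der)
    netty_ok = label == "PRIVATE KEY" and fmt == "pkcs8"
    if netty_ok:
        hint = "unencrypted PKCS#8 PrivateKeyInfo, as Netty expects"
    elif label == "PRIVATE KEY":
        hint = "label says PKCS#8 but the body is %s: the header was edited, not converted" % fmt
    elif fmt == "pkcs1-rsa":
        hint = "PKCS#1 RSAPrivateKey; convert with: openssl pkcs8 -topk8 -nocrypt -in <key> -out <pkcs8.pem>"
    else:
        hint = "not an unencrypted PKCS#8 key (label %s, structure %s)" % (label, fmt)
    return {"label": label, "format": fmt, "netty_ok": netty_ok, "hint": hint}

def convert_pem_to_pkcs8(pem_text):
    """Rewrite a PKCS#1 RSA PEM as a 'PRIVATE KEY' PKCS#8 PEM; anything else is returned unchanged."""
    _, der = pem_decode(pem_text)
    if classify_der(der) == "pkcs1-rsa":
        return pem_encode("PRIVATE KEY", pkcs1_to_pkcs8(der))
    return pem_text

def constructed_pkcs1_sample():
    """CONSTRUCTED input: RSAPrivateKey layout (version, n, e, d, p, q, dP, dQ, qInv) with toy numbers; not a usable key."""
    ints = [0, 3233, 17, 2753, 61, 53, 53, 49, 38]
    body = b"".join(der_tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big")) for i in ints)
    return der_tlv(0x30, body)
```

Run `diagnose(open("server.key").read())` on the certstrap output to see which case you are in; `convert_pem_to_pkcs8` then gives a file with the same key material in the layout `openssl pkcs8 -topk8 -nocrypt` would produce, which is the form to hand to `SslContextBuilder.forServer`.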