证书、私钥准备
生成(根)私钥和公钥
openssl req -x509 -nodes -newkey rsa:4096 -keyout ca.key -out ca.pem -subj /O=me
- ca.key is a private key
- ca.pem is a public certificate
服务端
openssl req -nodes -newkey rsa:4096 -keyout server.key -out server.csr -subj /CN=whatever -days 36500 && openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -days 36500 -set_serial 1 -out server.pem -extfile <(echo "subjectAltName=DNS:myServerName")
注意 subjectAltName 中的 DNS:myServerName：客户端连接时指定的 ServerName 必须与它一致，否则服务端证书校验会失败
- server.key is the server’s private key.
- server.csr is an intermediate file.
- server.pem is the server’s public certificate.
客户端
openssl req -nodes -newkey rsa:4096 -days 36500 -subj /CN=marketplace -keyout client.key -out client.csr && openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -days 36500 -set_serial 1 -out client.pem
- client.key is the client’s private key.
- client.pem is the client’s public certificate (signed by ca.pem). 注意：上面服务端和客户端证书都使用了 -set_serial 1，同一 CA 签发的证书序列号应当唯一，第二张证书应使用不同的序列号。
### 代码
服务端(py)
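def serve(
    *,
    key_path="server.key",
    cert_path="server.pem",
    ca_path="ca.pem",
    bind_address="[::]:443",
):
    """Start the Recommendations gRPC server with mutual TLS and block until it stops.

    Args:
        key_path: PEM file holding the server's private key.
        cert_path: PEM file holding the server's certificate (signed by the CA).
        ca_path: PEM file holding the CA certificate used to verify client certificates.
        bind_address: "host:port" the secure listener binds to.

    Raises:
        OSError: if any of the PEM files cannot be opened or read.
    """
    server = grpc.server(futures.ThreadPoolExecutor(max_workers=10))
    recommendations_pb2_grpc.add_RecommendationsServicer_to_server(
        RecommendationService(), server
    )
    # All three PEM files are read as bytes. gRPC takes PEM material as bytes,
    # so the previous text-mode read of the CA file followed by .encode() was
    # redundant, and binary mode avoids platform newline/encoding translation.
    with open(key_path, "rb") as fp:
        server_key = fp.read()
    with open(cert_path, "rb") as fp:
        server_cert = fp.read()
    with open(ca_path, "rb") as fp:
        ca_cert = fp.read()
    creds = grpc.ssl_server_credentials(
        [(server_key, server_cert)],  # server identity used to encrypt the channel
        root_certificates=ca_cert,  # trust anchor used to verify client certificates
        require_client_auth=True,  # reject connections that present no valid client cert (mTLS)
    )
    server.add_secure_port(bind_address, creds)
    server.start()
    server.wait_for_termination()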
客户端(go)
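clientPem := "clientPemStr"
clientKey := "clientKeyStr"
caPem := "caPemStr" // root CA certificate (ca.pem); "#" is not a Go comment marker
// tls.Config's ServerName must match the SAN DNS name set when the server certificate was issued.
certificates, err := tls.X509KeyPair([]byte(clientPem), []byte(clientKey))
if err != nil {
	// Log err itself so the cause (malformed PEM, key/cert mismatch) is visible.
	log.D().Errorf("failed to load client key pair: %v", err)
	// TODO(review): abort here (return err to the caller) — execution otherwise
	// continues with an empty certificate. The enclosing function's signature is
	// outside this snippet, so the return statement is not written here.
}
certPool := x509.NewCertPool()
if !certPool.AppendCertsFromPEM([]byte(caPem)) {
	log.D().Error("failed to append CA certificate")
	// TODO(review): abort here as well — with an empty pool every server
	// certificate fails verification at dial time instead of failing fast now.
}
tlsConfig := &tls.Config{
	RootCAs:      certPool,                        // verifies the server's certificate chain
	ServerName:   "myServerName",                  // must equal the server cert's SAN DNS entry; regenerate the server cert if it changes
	Certificates: []tls.Certificate{certificates}, // client certificate presented for mTLS
	MinVersion:   tls.VersionTLS12,                // do not negotiate TLS 1.0/1.1
}
creds := credentials.NewTLS(tlsConfig)
addr := fmt.Sprintf("%s:%d", ip, conf.Default().Grpc.ServerPort)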
conn, err := grpc.Dial(
addr,
grpc.WithTransportCredentials(creds),
}