crypto.txt

# adapted with thanks from:
# https://medium.com/@ankitgrg.26/generate-a-self-signed-certificate-for-grpc-java-56323df05be4

# output files
# ============
# ca.crt: Certificate Authority (CA) or "trust manager" certificate
# server.crt: Server certificate signed by CA
# server.pem: Server key in format gRPC likes
# client.crt: Client certificate signed by CA
# client.pem: Client key in format gRPC likes

# Change this CN to match host(s) in your environment if needed
SERVER_CN=localhost

# Step 1: generate (ca.crt)
openssl genrsa -passout pass:1111 -des3 -out ca.key 4096
openssl req -passin pass:1111 -new -x509 -days 365 -key ca.key -out ca.crt -subj "/CN=${SERVER_CN}"

# Step 2: generate server private key (server.key)
openssl genrsa -passout pass:1111 -des3 -out server.key 4096

# Step 3: get server certificate signing request from CA (server.csr)
openssl req -passin pass:1111 -new -key server.key -out server.csr -subj "/CN=${SERVER_CN}"

# Step 4: self-sign server certificate using CA (server.crt)
openssl x509 -req -passin pass:1111 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

# Step 5: convert server private key to .pem format (server.pem)
openssl pkcs8 -topk8 -nocrypt -passin pass:1111 -in server.key -out server.pem

# Step 6: generate client private key (client.key)
openssl genrsa -passout pass:1111 -des3 -out client.key 4096

# Step 7: get client certificate signing request from CA (client.csr)
openssl req -passin pass:1111 -new -key client.key -out client.csr -subj "/CN=${SERVER_CN}"

# Step 8: self-sign client certificate using CA (client.crt)
openssl x509 -req -passin pass:1111 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

# Step 9: convert client private key to .pem format (client.pem)
openssl pkcs8 -topk8 -nocrypt -passin pass:1111 -in client.key -out client.pem