# gRPC TLS Certificate Generation Guide
This guide explains how to generate the necessary TLS certificates for securing gRPC communication between client and server.
## Overview
The script generates the following certificates and keys:
- Certificate Authority (CA) certificate and key
- Server certificate and key
- Client certificate and key
All certificates are generated in PEM format, which is commonly used in Unix/Linux systems.
## Prerequisites
- OpenSSL installed on your system
- Bash shell environment
## Generated Files
The script will create the following files:
- `ca.key` - Certificate Authority private key
- `ca.pem` - Certificate Authority certificate
- `server.key` - Server private key
- `server.pem` - Server certificate
- `client.key` - Client private key
- `client.pem` - Client certificate
## Usage
1. Make the script executable:
```bash
chmod +x generate_certs.sh
```
2. Run the script:
```bash
./generate_certs.sh
```
## Certificate Details
### Certificate Authority (CA)
- 4096-bit RSA key
- Valid for 365 days
- Used to sign both server and client certificates
### Server Certificate
- 4096-bit RSA key
- Valid for 365 days
- Includes Subject Alternative Names (SAN):
- DNS: localhost
- DNS: my-server
- IP: 127.0.0.1
### Client Certificate
- 4096-bit RSA key
- Valid for 365 days
- Used for client authentication
## Verification
The script includes verification steps to ensure the certificates are properly generated:
```bash
# Verify server certificate
openssl verify -CAfile ca.pem server.pem
# Verify client certificate
openssl verify -CAfile ca.pem client.pem
```
## Security Notes
1. Keep private keys (*.key files) secure and never share them
2. The CA certificate (ca.pem) needs to be distributed to both client and server
3. Server needs:
- server.key
- server.pem
- ca.pem
4. Client needs:
- client.key
- client.pem
- ca.pem