gRPC sslcontext config

924 views Asked by At

I am new to gRPC. What I am trying to do is to send a ssl gRPC call from a client to a server. My question is the 'certFile' in the following code a client cert or server cert? If it's a client cert, do I need to add the server cert to my trust list or do I need to add the client cert to the server's trust list before I make the call? Appreciate your help.
   SslContext sslcontext = GrpcSslContexts.forClient()
        .trustManager(caFile)
        .keyManager(certFile, keyFile) 
        .build();
1

There are 1 answers

3
Eric Anderson On BEST ANSWER

trustManager and keyManager are reciprocal across client/server; the client's trust manager needs to trust the server's key manager and the server's trust manager needs to trust the client's key manager (if using client certs). The only difference between client and server is the server must have a key manager and the client must have a trust manager. If you don't specify a trust manager for the client, a default will be used.

The trust manager is basically the Certificate Authorities that are trusted (independent of client or server). Key managers contain the identity certificate and the private key to prove that identity.

So keyManager on client-side is for a client certificate. You would need to configure the trustManager on server-side to trust that certificate: either include the certificate itself or, better, the Certificate Authority that signed the client's certificate. You can generally leave the client's trust manager as the default.

Note that the client will only send its certificate if the server requests it. So you need to configure the server to OPTIONALly or REQUIRE the client certificate:

sslContextBuilder.clientAuth(ClientAuth.REQUIRE);