Creating client certificates for connection through the API

To create client certificates:

  1. Obtain from the user the name of the computer for which a client certificate must be created.
  2. Obtain from the user a certificate signing request for the client computer.

    If you need to create the private key and the CSR for the client yourself, you can use the OpenSSL tool. To do so, enter the following commands:

    openssl genrsa -des3 -out client.key 4096

    openssl req -new -key client.key -out client.csr

  3. Create a certificate based on the obtained CSR using the root certificate and private key of the gRPC server. The certificate must be created in the name of the client computer that will be used to establish a connection (see step 1).

    When creating the certificate with the OpenSSL tool, specify the certificate validity period in days (the -days option) and the serial number of the certificate (the -set_serial option). Example command for creating a certificate:

    openssl x509 -req -days 365 -in client.csr \
      -CA product_facade_grpc_ca.crt \
      -CAkey product_facade_grpc_ca.key \
      -set_serial 01 -out client.crt

  4. Create a certificate chain by appending the root certificate of the gRPC server to the final client certificate.

    If you are using intermediate certificates, they must also be included in the chain. To create a certificate chain, enter the following command:

    cat product_facade_grpc_ca.crt >> client.crt

  5. Provide the following certificates and keys to the user of the client application:
    • gRPC server certificate (the file named product_facade_grpc_server.crt).
    • Private key of the client (the file client.key).

      This file needs to be sent only when the private key of the client has been created by the administrator.

    • Certificate chain or client certificate (the file client.crt).

      This file includes the certificate chain, beginning with the signed client certificate and ending with the root certificate of the gRPC server.

    • If a client certificate must be sent separately, also send the root certificate of the gRPC server (the file product_facade_grpc_ca.crt) and all intermediate certificates if they are being used.
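
The following script is an added example, not part of the product documentation. It checks the files from steps 2-4 before they are handed over in step 5: the certificate is signed by the gRPC CA, is issued to the computer name from step 1, matches client.key, has the root appended, and carries no private key. The throwaway CA, the host name host01.example.test and the function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: pre-delivery checks for the files produced in steps 2-4.
# File names follow the page; the throwaway CA and host name are constructed.

# verify_client_bundle CA_CERT CHAIN_FILE CLIENT_KEY COMPUTER_NAME
verify_client_bundle() {
    ca=$1; chain=$2; key=$3; name=$4
    # The leaf (first certificate in the file) must chain to the gRPC CA.
    openssl verify -CAfile "$ca" "$chain" >/dev/null 2>&1 ||
        { echo "FAIL: not signed by $ca"; return 1; }
    # The subject CN must be the computer name obtained in step 1.
    cn=$(openssl x509 -in "$chain" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= //p')
    [ "$cn" = "$name" ] || { echo "FAIL: CN is '$cn', expected '$name'"; return 1; }
    # The certificate must belong to the private key being handed over.
    # (For a -des3 key, openssl prompts for the passphrase here.)
    [ "$(openssl x509 -in "$chain" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] ||
        { echo "FAIL: certificate does not match $key"; return 1; }
    # Step 4 appended the root, so the file holds at least two certificates,
    # and it must never carry private key material.
    [ "$(grep -c 'BEGIN CERTIFICATE' "$chain")" -ge 2 ] ||
        { echo "FAIL: root certificate missing from chain"; return 1; }
    if grep -q 'PRIVATE KEY' "$chain"; then
        echo "FAIL: private key found in $chain"; return 1
    fi
    echo "OK: $chain is ready to send for $name"
}

# make_demo_bundle: builds a disposable CA and client bundle in $DEMO_DIR.
# Keys are unencrypted 2048-bit RSA so the demo runs without prompts.
make_demo_bundle() {
    DEMO_DIR=$(mktemp -d) || return 1
    d=$DEMO_DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo gRPC CA" \
        -keyout "$d/product_facade_grpc_ca.key" \
        -out "$d/product_facade_grpc_ca.crt" 2>/dev/null || return 1
    openssl genrsa -out "$d/client.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$d/client.key" -subj "/CN=host01.example.test" \
        -out "$d/client.csr" || return 1
    openssl x509 -req -days 365 -in "$d/client.csr" \
        -CA "$d/product_facade_grpc_ca.crt" \
        -CAkey "$d/product_facade_grpc_ca.key" \
        -set_serial 01 -out "$d/client.crt" 2>/dev/null || return 1
    cat "$d/product_facade_grpc_ca.crt" >> "$d/client.crt"
}

make_demo_bundle && verify_client_bundle "$DEMO_DIR/product_facade_grpc_ca.crt" \
    "$DEMO_DIR/client.crt" "$DEMO_DIR/client.key" host01.example.test
```

To check real files, call verify_client_bundle with product_facade_grpc_ca.crt, client.crt, client.key and the computer name from step 1 as arguments.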