fullstorydev / grpcurl

Like cURL, but for gRPC: Command-line tool for interacting with gRPC servers
MIT License

Hi, can anyone tell me how to use -cacert #320

Open sharooksubana opened 2 years ago

sharooksubana commented 2 years ago

When I try to run the gRPC service method using grpcurl, everything works fine, but when I try to execute a command in grpcurl through a 3rd-party application, it throws an error saying certificate signed by an unknown authority. I wanted to know which certificate to pass and how to pass it to establish the secured TLS.

kczulko commented 2 years ago

@sharooksubana

I'll tell you what I did and what worked for me. First of all generate certificates as described here: https://lightbend.github.io/ssl-config/CertificateGeneration.html

It shows how to generate a CA certificate, which is later used to sign the server certificate. When you configure your server certificates, the only thing you have to do is to supply the appropriate cacert to the grpcurl invocation. In the case of the aforementioned documentation, it will be exampleca.crt from this section.

Do not forget to add the -ext "SAN=DNS:<put-your-server-address-here>" flag when generating certificates. Otherwise grpcurl will complain that CN is obsolete/deprecated (or something like that).

cavator commented 1 year ago

@kczulko I don't think this has explained anything at all

jhump commented 1 year ago

It is unclear from the description if you are using client cert authentication. If so, you need to use -cert and -key args. If you are doing that and the server is rejecting the connection due to not trusting the cert, the issue is the server's configuration for trusted certificate authorities (or you are just using an invalid client cert).

Also note that grpcurl requires all of these (client cert and key, or certificate authority certs) to be encoded in PEM format. So if you have certs in a different format, you will need to convert them to PEM (which can likely be done using openssl).
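The checks discussed in this thread, reproduced as an added example (not code from grpcurl or from any commenter): grpcurl is written in Go, and the errors above come from Go's crypto/x509 verifier, so this program builds a throwaway CA and server certificates and verifies them the way a client does with the CA file passed to -cacert. The host name grpc.example.test, the certificate names and the helpers issue, pemOf and verify are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue returns a certificate for cn signed by parent; a nil parent yields a self-signed root CA.
func issue(cn string, sans []string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil { // root CA: signs itself and may sign other certificates
		t.IsCA, t.KeyUsage, parent, pk = true, x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

func pemOf(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }

// verify plays the TLS client: bundle is the -cacert file content (PEM, as pemOf produces), host the address dialed.
func verify(leaf *x509.Certificate, bundle []byte, host string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundle) {
		return fmt.Errorf("CA bundle contains no PEM certificate")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	const host = "grpc.example.test" // constructed name, not from the issue
	ca, caKey := issue("constructed test CA", nil, nil, nil)
	other, _ := issue("unrelated CA", nil, nil, nil)
	srv, _ := issue(host, []string{host}, ca, caKey)
	noSAN, _ := issue(host, nil, ca, caKey)
	fmt.Println(verify(srv, pemOf(ca), host), "|", verify(srv, pemOf(other), host), "|", verify(noSAN, pemOf(ca), host), "|", verify(srv, ca.Raw, host))
}
```

The four results printed are, in order: the signing CA supplied as PEM (no error), a CA that did not sign the server certificate (unknown authority), a server certificate with only a CN and no SAN (hostname error), and the right CA supplied as raw DER instead of PEM (rejected before verification).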