How do I include issuing/intermediate CA certificates in mutual TLS/gRPC

I am working in C++ adopting mTLS for communication in a peer network. I have a private root CA and one issuing CA. The gRPC server struct for a secure TLS channel looks as follows:

 // gRPC's server-side TLS option struct (grpcpp/security/server_credentials.h).
 // The force_client_auth member is initialised by the constructor but was missing
 // from the excerpt; it is declared here so the struct compiles as shown.
 #include <string>
 #include <vector>
 #include <grpc/grpc_security_constants.h>  // grpc_ssl_client_certificate_request_type

 struct SslServerCredentialsOptions {
   explicit SslServerCredentialsOptions(
       grpc_ssl_client_certificate_request_type request_type)
       : force_client_auth(false), client_certificate_request(request_type) {}

   struct PemKeyCertPair {
     std::string private_key;  // PEM private key for this peer's own certificate
     std::string cert_chain;   // PEM certificate chain presented to the peer
   };
   std::string pem_root_certs;  // PEM trust anchors used to verify the peer's chain
   std::vector<PemKeyCertPair> pem_key_cert_pairs;

   bool force_client_auth;  // deprecated upstream in favour of client_certificate_request
   grpc_ssl_client_certificate_request_type client_certificate_request;
 };

All peers have key pairs signed by the issuing CA. The issuing CA cert is signed by the root CA.

My question: where does the issuing CA certificate go?

  1. Do I append it to pem_root_certs, or:
  2. Append it to cert_chain?

Follow-on: when the issuing CA cert/key is rotated and I need to handle a peer that may have 1 of 2 possible issuing CA certs active, where does that go?

Thanks!!

I think it should be appended to cert_chain.

For the follow-up, from a client (or server)'s perspective, it does not matter which issuing CA cert is used for the peer's cert because in both cases, the peer's cert will be chained up to the root CA cert.
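The arrangement the answer describes, as an added example that is not code from the post or from gRPC: the issuing CA is placed in cert_chain after the leaf, only the root goes into pem_root_certs, and the verifying peer walks issuer links until it reaches a trust anchor, which is why peers signed by either of two issuing CAs both validate. FakeCert, fake_pem, PemBundle and chains_to_trusted_root are constructed stand-ins, not real X.509 handling.

```cpp
// Added example; FakeCert is a constructed stand-in for an X.509 certificate.
#include <map>
#include <string>
#include <vector>

struct FakeCert {
  std::string subject;
  std::string issuer;   // equals subject for a self-signed root
  std::string pem;
};

// Stand-in for PEM encoding: a block labelled with the subject name.
std::string fake_pem(const std::string& subject) {
  return "-----BEGIN CERTIFICATE-----\n" + subject + "\n-----END CERTIFICATE-----\n";
}

// The two strings that end up in SslServerCredentialsOptions (or the client-side
// SslCredentialsOptions): the trust anchors and the chain this peer presents.
struct PemBundle {
  std::string pem_root_certs;  // root CA only; stays the same across CA rotation
  std::string cert_chain;      // leaf first, then the issuing CA that signed it
};

PemBundle build_bundle(const FakeCert& leaf, const FakeCert& issuing, const FakeCert& root) {
  return PemBundle{root.pem, leaf.pem + issuing.pem};
}

// Simplified path building as the verifying side does it: start at the leaf (first
// cert presented), follow issuer names through the presented intermediates, and
// succeed only when an issuer is found among the trust anchors.
bool chains_to_trusted_root(const std::vector<FakeCert>& presented,
                            const std::vector<FakeCert>& trust_anchors) {
  if (presented.empty()) return false;
  std::map<std::string, const FakeCert*> by_subject;
  for (const auto& c : presented) by_subject[c.subject] = &c;
  const FakeCert* cur = &presented.front();
  for (int depth = 0; depth < 8; ++depth) {  // bound the path length
    for (const auto& anchor : trust_anchors)
      if (anchor.subject == cur->issuer) return true;
    auto next = by_subject.find(cur->issuer);
    if (next == by_subject.end()) return false;  // issuer not presented: chain breaks
    cur = next->second;
  }
  return false;
}
```

A leaf presented without its issuing CA fails in the walk above, which is the failure you would see if the intermediate were left out of cert_chain rather than being added to pem_root_certs on every peer.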
