
I am working in C++ adopting mTLS for communication in a peer network. I have a private root CA and one issuing CA. The gRPC server struct for a secure TLS channel looks as follows:

    #include <string>
    #include <vector>
    #include <grpc/grpc_security_constants.h>  // grpc_ssl_client_certificate_request_type

    namespace grpc {

    struct SslServerCredentialsOptions {
      explicit SslServerCredentialsOptions(
          grpc_ssl_client_certificate_request_type request_type)
          : force_client_auth(false), client_certificate_request(request_type) {}

      struct PemKeyCertPair {
        std::string private_key;  // PEM private key for the server
        std::string cert_chain;   // PEM certificate chain for the server
      };
      std::string pem_root_certs;  // PEM root certificates used to verify client certs
      std::vector<PemKeyCertPair> pem_key_cert_pairs;

      bool force_client_auth;  // initialised in the ctor above; superseded by the field below
      grpc_ssl_client_certificate_request_type client_certificate_request;
    };

    }  // namespace grpc

All peers have key pairs signed by the issuing CA. The issuing CA cert is signed by the root CA.

My question: where does the issuing CA certificate go?

  1. Do I append it to pem_root_certs or:
  2. Append to cert_chain?

Follow-on: when the issuing CA cert/key is rotated and I need to handle a peer that may have 1 of 2 possible issuing CA certs active, where does that go?

Asked by sn0wbl1nd; question edited by Adrian Mole.
  • Here is a Python answer: https://hikingandcoding.wordpress.com/2022/01/19/securing-google-remote-procedure-calls-grpc-using-asynchronous-python/ The approach for C++ is probably similar. – Bruno Rijsman Jan 24 '22 at 03:31
  • @BrunoRijsman Thank you, that is fantastic, really useful! I will study your code in some detail and probably borrow from it for setting up better testing. If I may, in mTLS, for the client credentials (`make_credentials()`) you use `client.pem`, which is a concatenation, unlike the crt, so it contains the complete certification chain for the client. – sn0wbl1nd Jan 26 '22 at 18:54
  • @BrunoRijsman One short follow-up. In your `client.pem` you add the root certificate at the end. If the server is to validate the client certificate ultimately with its own local root certificate, why? – sn0wbl1nd Jan 26 '22 at 20:24
  • Thanks for the feedback. I will look into this when I have some time and get back to you. – Bruno Rijsman Jan 27 '22 at 22:14
  • I finally got around to following up on your comment. You were correct: the client.pem file should *not* have included the root certificate. I have updated the GitHub code to exclude the root cert from client.pem (all the tests still pass with this change). Note that intermediate certs (if any) still need to be included. Thank you for pointing this out! – Bruno Rijsman Jan 31 '22 at 19:09
  • PS: StackOverflow question https://stackoverflow.com/questions/34945244 has some interesting observations in the comments section of the 2nd (non-accepted) answer about what happens differently when you *do* include the root cert. – Bruno Rijsman Jan 31 '22 at 19:15

1 Answer

I think it should be appended to cert_chain.

For the follow-up, from a client's (or server's) perspective, it does not matter which issuing CA cert is used for the peer's cert because in both cases the peer's cert will be chained up to the root CA cert.
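The following is an added example, not code from the question, the answer, or gRPC itself. It shows the split the answer describes (root CA in the trust store, leaf plus issuing CA in the presented chain) as plain standard-library C++, with a structural lint that catches the mistake discussed in the comments (the root appended to the chain) and a mid-rotation scenario with two issuing CAs. The struct and function names are assumptions chosen to mirror `pem_root_certs` and `PemKeyCertPair{private_key, cert_chain}`; the PEM blocks are constructed placeholders, not real certificates, so nothing here verifies signatures.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// The three PEM slots the question is about; the names are assumed, mirroring
// gRPC's pem_root_certs and PemKeyCertPair{private_key, cert_chain}.
struct PemBundle {
    std::string pem_root_certs;  // trust anchors: the root CA only
    std::string private_key;     // the peer's own private key
    std::string cert_chain;      // leaf first, then issuing CA(s); never the root
};

// Split PEM text into its individual CERTIFICATE blocks, markers included.
// Other block types (keys, CRLs) are skipped; a truncated block ends the scan.
std::vector<std::string> split_pem_certs(const std::string& pem) {
    static const std::string kBegin = "-----BEGIN CERTIFICATE-----";
    static const std::string kEnd = "-----END CERTIFICATE-----";
    std::vector<std::string> out;
    for (std::string::size_type pos = 0;;) {
        auto b = pem.find(kBegin, pos);
        if (b == std::string::npos) break;
        auto e = pem.find(kEnd, b);
        if (e == std::string::npos) break;
        e += kEnd.size();
        out.push_back(pem.substr(b, e - b));
        pos = e;
    }
    return out;
}

// Re-join blocks into one PEM bundle.
std::string join_pem(const std::vector<std::string>& blocks) {
    std::string s;
    for (const auto& blk : blocks) { s += blk; s += '\n'; }
    return s;
}

// Place each certificate where the TLS verifier needs it:
//   root CA            -> pem_root_certs  (what this side trusts)
//   leaf + issuing CAs -> cert_chain      (what this side presents, leaf first)
// The root is not appended to cert_chain: the verifier already holds it and
// must not take its trust anchor from the peer.
PemBundle build_bundle(const std::string& root_ca_pem, const std::string& leaf_pem,
                       const std::vector<std::string>& issuing_ca_pems,
                       const std::string& key_pem) {
    PemBundle b;
    b.pem_root_certs = join_pem(split_pem_certs(root_ca_pem));
    b.private_key = key_pem;
    std::vector<std::string> chain = split_pem_certs(leaf_pem);
    for (const auto& ca : issuing_ca_pems)
        for (const auto& blk : split_pem_certs(ca)) chain.push_back(blk);
    b.cert_chain = join_pem(chain);
    return b;
}

// Layout lint (no X.509 parsing, so signatures are not checked). It catches
// the "root ended up in the chain" mistake discussed in the comment thread.
bool bundle_is_well_formed(const PemBundle& b, std::string& why) {
    auto roots = split_pem_certs(b.pem_root_certs);
    auto chain = split_pem_certs(b.cert_chain);
    if (roots.empty()) { why = "pem_root_certs holds no certificate"; return false; }
    if (chain.empty()) { why = "cert_chain holds no certificate"; return false; }
    for (const auto& c : chain)
        if (std::find(roots.begin(), roots.end(), c) != roots.end()) {
            why = "a trust anchor from pem_root_certs is also in cert_chain";
            return false;
        }
    why.clear();
    return true;
}

// Constructed placeholder PEM blocks (not real certificates or keys).
const std::string kRootCa  = "-----BEGIN CERTIFICATE-----\nROOT-CA\n-----END CERTIFICATE-----\n";
const std::string kIssuerA = "-----BEGIN CERTIFICATE-----\nISSUING-CA-A\n-----END CERTIFICATE-----\n";
const std::string kIssuerB = "-----BEGIN CERTIFICATE-----\nISSUING-CA-B\n-----END CERTIFICATE-----\n";
const std::string kPeer1   = "-----BEGIN CERTIFICATE-----\nPEER-1-LEAF\n-----END CERTIFICATE-----\n";
const std::string kPeer2   = "-----BEGIN CERTIFICATE-----\nPEER-2-LEAF\n-----END CERTIFICATE-----\n";
const std::string kKey     = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n";

// Mid-rotation: peer 1 was issued by CA A, peer 2 by CA B. Each carries its own
// issuer in cert_chain; both verify against the same, unchanged root store.
bool rotation_keeps_trust_store_stable() {
    PemBundle p1 = build_bundle(kRootCa, kPeer1, {kIssuerA}, kKey);
    PemBundle p2 = build_bundle(kRootCa, kPeer2, {kIssuerB}, kKey);
    std::string why;
    return p1.pem_root_certs == p2.pem_root_certs && p1.cert_chain != p2.cert_chain &&
           bundle_is_well_formed(p1, why) && bundle_is_well_formed(p2, why);
}

// The client.pem mistake from the comments: the root appended after the issuer.
bool root_in_chain_is_rejected() {
    PemBundle b = build_bundle(kRootCa, kPeer1, {kIssuerA, kRootCa}, kKey);
    std::string why;
    return !bundle_is_well_formed(b, why) && why.find("trust anchor") != std::string::npos;
}
```

In gRPC the result maps straight onto the server-side `SslServerCredentialsOptions` (`pem_root_certs`, and one `PemKeyCertPair{private_key, cert_chain}` in `pem_key_cert_pairs`) and onto the client-side `SslCredentialsOptions` fields `pem_root_certs`, `pem_private_key` and `pem_cert_chain`. Going slightly beyond the question: the same layout also covers a root CA rotation, because a PEM trust store may hold several anchors, so `pem_root_certs` can carry the old and new root concatenated while peers are reissued under the new hierarchy; the presented chain still never includes either root.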