cdk/crates/cdk-mint-rpc/CERTIFICATES.md

# gRPC TLS Certificate Generation Guide

This guide explains how to generate the necessary TLS certificates for securing gRPC communication between client and server.

## Overview

The script generates the following certificates and keys:
- Certificate Authority (CA) certificate and key
- Server certificate and key
- Client certificate and key

All certificates are generated in PEM format, which is commonly used in Unix/Linux systems.

## Prerequisites

- OpenSSL installed on your system
- Bash shell environment

## Generated Files

The script will create the following files:
- `ca.key` - Certificate Authority private key
- `ca.pem` - Certificate Authority certificate
- `server.key` - Server private key
- `server.pem` - Server certificate
- `client.key` - Client private key
- `client.pem` - Client certificate

## Usage

1. Make the script executable:
   ```bash
   chmod +x generate_certs.sh
   ```
2. Run the script:
   ```bash
   ./generate_certs.sh
   ```

## Certificate Details

### Certificate Authority (CA)
- 4096-bit RSA key
- Valid for 365 days
- Used to sign both server and client certificates

### Server Certificate
- 4096-bit RSA key
- Valid for 365 days
- Includes Subject Alternative Names (SAN):
  - DNS: localhost
  - DNS: my-server
  - IP: 127.0.0.1

### Client Certificate
- 4096-bit RSA key
- Valid for 365 days
- Used for client authentication

## Verification

The script includes verification steps to ensure the certificates are properly generated:
```bash
# Verify server certificate
openssl verify -CAfile ca.pem server.pem

# Verify client certificate
openssl verify -CAfile ca.pem client.pem
```

## Security Notes

1. Keep private keys (*.key files) secure and never share them
2. The CA certificate (ca.pem) needs to be distributed to both client and server
3. Server needs:
   - server.key
   - server.pem
   - ca.pem
4. Client needs:
   - client.key
   - client.pem
   - ca.pem