After running bchd on your local machine, you should be able to find the certificate and key that bchd generates. You can use these for local development purposes.
ca.key: Certificate Authority private key file (this shouldn't be shared in real life)
ca.crt: Certificate Authority trust certificate (this should be shared with users in real life)
server.key: Server private key, password protected (this shouldn't be shared)
server.csr: Server certificate signing request (this should be shared with the CA owner)
server.crt: Server certificate signed by the CA (this would be sent back by the CA owner) - keep on server
server.pem: Conversion of server.key into a format gRPC likes (this shouldn't be shared)
#!/bin/bash
# Change these CNs to match your hosts in your environment if needed.
SERVER_CN=localhost

# Step 1: Generate Certificate Authority + Trust Certificate (ca.crt)
openssl genrsa -passout pass:1111 -des3 -out ca.key 4096
openssl req -passin pass:1111 -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/CN=${SERVER_CN}"

# Step 2: Generate the Server Private Key (server.key)
openssl genrsa -passout pass:1111 -des3 -out server.key 4096

# Step 3: Get a certificate signing request from the CA (server.csr)
openssl req -passin pass:1111 -new -key server.key -out server.csr -subj "/CN=${SERVER_CN}" -config certs.cnf

# Step 4: Sign the certificate with the CA we created (it's called self signing) - server.crt
openssl x509 -req -passin pass:1111 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt -extensions req_ext -extfile certs.cnf

# Step 5: Convert the server certificate to .pem format (server.pem) - usable by gRPC
openssl pkcs8 -topk8 -nocrypt -passin pass:1111 -in server.key -out server.pem

# Addon: Generating unencrypted key for bchd server
# openssl rsa -in server.pem -out key.unencrypted.pem -passin pass:1111
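
Added example, not part of the original script: a check to run on the generated files before pointing bchd or a gRPC client at them, confirming the chain to ca.crt, the server.pem/server.crt key match, the SAN entry and the private-key file permissions. The function names `check_pki` and `make_demo_pki` are hypothetical, and the `certs.cnf` written by `make_demo_pki` is a constructed sample, since the page does not show its own.

```bash
#!/usr/bin/env bash
# check_pki DIR HOST: prints one line per check; returns 0 only if all pass.
check_pki() {
  local dir=$1 host=$2 rc=0 crt_pub key_pub f
  # 1. server.crt must chain to the CA certificate that clients are given.
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
    && echo "ok   chain" || { echo "FAIL chain"; rc=1; }
  # 2. server.pem must be the private key behind server.crt (compare public keys).
  crt_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey 2>/dev/null) || rc=1
  key_pub=$(openssl pkey -in "$dir/server.pem" -pubout 2>/dev/null) || rc=1
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] \
    && echo "ok   keypair" || { echo "FAIL keypair"; rc=1; }
  # 3. HOST must be a DNS entry in the SAN; Go TLS clients (1.15+) ignore the CN.
  openssl x509 -in "$dir/server.crt" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' | tr -d ' ' \
    | grep -qxF "DNS:$host" && echo "ok   san" || { echo "FAIL san"; rc=1; }
  # 4. Private key files must not be readable by group or others.
  for f in ca.key server.key server.pem; do
    [ -e "$dir/$f" ] || continue
    [ "$(ls -l "$dir/$f" | cut -c5-10)" = "------" ] \
      && echo "ok   perms $f" || { echo "FAIL perms $f"; rc=1; }
  done
  return $rc
}

# make_demo_pki DIR: throwaway CA + server cert for trying check_pki (constructed
# sample; this certs.cnf is an assumption, the page does not show its own).
make_demo_pki() {
  local dir=$1
  cat > "$dir/certs.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = localhost
[v3_ca]
basicConstraints = critical,CA:TRUE
[req_ext]
subjectAltName = DNS:localhost
EOF
  ( cd "$dir" && umask 077 \
    && openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
         -config certs.cnf -extensions v3_ca -keyout ca.key -out ca.crt \
    && openssl req -new -newkey rsa:2048 -nodes -config certs.cnf \
         -keyout server.pem -out server.csr \
    && openssl x509 -req -days 1 -in server.csr -CA ca.crt -CAkey ca.key \
         -set_serial 01 -extfile certs.cnf -extensions req_ext -out server.crt
  ) >/dev/null 2>&1
}
```

To check the files produced by the script above, run `check_pki <directory> localhost` in the directory where they were written.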