diff --git a/examples/features/encryption/README.md b/examples/features/encryption/README.md index e4ce22933230..70dbd8e40514 100644 --- a/examples/features/encryption/README.md +++ b/examples/features/encryption/README.md @@ -1,7 +1,7 @@ # Encryption -The example for encryption includes two individual examples for TLS and ALTS -encryption mechanism respectively. +The example for encryption includes three individual examples for TLS, ALTS +and mTLS encryption mechanism respectively. ## Try it @@ -35,7 +35,7 @@ In our example, we use the public/private keys created ahead: * "ca_cert.pem" contains the certificate (certificate authority) that can verify the server's certificate. -On server side, we provide the paths to "server.pem" and "server.key" to +On server side, we provide the paths to "server_cert.pem" and "server_key.pem" to configure TLS and create the server credential using [`credentials.NewServerTLSFromFile`](https://godoc.org/google.golang.org/grpc/credentials#NewServerTLSFromFile). 
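Review bot: the rewritten opening sentence in the first hunk has a number-agreement problem, "three individual examples for TLS, ALTS and mTLS encryption mechanism respectively" should read "encryption mechanisms", and since mTLS is TLS with client authentication rather than a separate mechanism, "three individual examples: TLS, ALTS and mutual TLS (mTLS)" would be more accurate. In the second hunk the rename to "server_cert.pem" and "server_key.pem" only touches the sentence; the bullet list it refers to ("In our example, we use the public/private keys created ahead:") is only partly in the context, with just the "ca_cert.pem" bullet visible, so confirm that the bullets for the server certificate and key use the same new file names before merging.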
@@ -91,16 +91,29 @@ successfully up. In mutual TLS (mTLS), the client and the server authenticate each other. gRPC allows users to configure mutual TLS at the connection level. +In this example, we use the following public/private keys created ahead of time: + +* "server_cert.pem" contains the server's certificate (public key). +* "server_key.pem" contains the server's private key. +* "ca_cert.pem" contains the certificate of the certificate authority that can + verify the server's certificate. +* "client_cert.pem" contains the client's certificate (public key). +* "client_key.pem" contains the client's private key. +* "client_ca_cert.pem" contains the certificate of the certificate authority + that can verify the client's certificate. + In normal TLS, the server is only concerned with presenting the server certificate for clients to verify. In mutual TLS, the server also loads in a -list of trusted CA files for verifying client presented certificates with. -This is done via setting +list of trusted CA files for verifying the client's presented certificates. +This is done by setting [`tls.Config.ClientCAs`](https://pkg.go.dev/crypto/tls#Config.ClientCAs) to the list of trusted CA files, -and setting [`tls.config.ClientAuth`](https://pkg.go.dev/crypto/tls#Config.ClientAuth) -to [`tls.RequireAndVerifyClientCert`](https://pkg.go.dev/crypto/tls#RequireAndVerifyClientCert). +and setting +[`tls.config.ClientAuth`](https://pkg.go.dev/crypto/tls#Config.ClientAuth) +to +[`tls.RequireAndVerifyClientCert`](https://pkg.go.dev/crypto/tls#RequireAndVerifyClientCert). In normal TLS, the client is only concerned with authenticating the server by using one or more trusted CA file. In mutual TLS, the client also presents its -client certificate to the server for authentication. This is done via setting +client certificate to the server for authentication. This is done by setting [`tls.Config.Certificates`](https://pkg.go.dev/crypto/tls#Config.Certificates).
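Review bot: the re-wrapped link text in this hunk keeps the typo `tls.config.ClientAuth`; since the line is being touched anyway, change it to `tls.Config.ClientAuth` to match the neighbouring `tls.Config.ClientCAs` and `tls.Config.Certificates` links. The new file list introduces "client_ca_cert.pem" and "ca_cert.pem", but the paragraphs that follow never say which file feeds which setting; adding that the server's `ClientCAs` is built from "client_ca_cert.pem" and that the client verifies the server against "ca_cert.pem" would tie the list to the configuration it explains. Two smaller points on the same lines: `ClientCAs` holds a certificate pool rather than "the list of trusted CA files", and the untouched context line "one or more trusted CA file" should read "files".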