Migrating client-server architecture from SslCredentialsOptions to TlsCredentialOptions


Akshat Sinha

Jun 27, 2025, 12:20:47 PM
to grpc.io
Hi all,

I have a pretty simple client-server architecture using grpc 1.66, where the client uses SslCredentialsOptions to take in the root_ca, private_key, and cert_chain in string format. It uses the SslCredentialsOptions to create the SslCredentials, and we use the credentials to create a CustomChannel to the server.

On the server side too, we do the same. We input the certificates as strings in SslServerCredentialsOptions, use it to create SslCredentials, and we use them to build the server and listen.

Now I want to migrate my SslCredentials to grpc::experimental::TlsCredentials, since it supports CRL that I want to implement on the client side. It keeps posing two main challenges:

1. First I tried only making changes on the client side, since my use case only requires checking CRLs at the client. I used the following code to do so:

  // Client side: identity key/cert pair plus a static provider for the roots
  grpc::experimental::IdentityKeyCertPair key_cert_pair;
  key_cert_pair.private_key = certificate.pem_private_key;
  key_cert_pair.certificate_chain = certificate.pem_cert_chain;
  std::vector<grpc::experimental::IdentityKeyCertPair> key_cert_pairs = {
      key_cert_pair};
  auto cert_provider =
      std::make_shared<grpc::experimental::StaticDataCertificateProvider>(
          certificate.pem_root_certs, key_cert_pairs);
  auto tls_opts =
      std::make_shared<grpc::experimental::TlsChannelCredentialsOptions>();
  tls_opts->set_certificate_provider(cert_provider);
  auto tls_cred = grpc::experimental::TlsCredentials(*tls_opts);
  auto channel = grpc::CreateCustomChannel(host_and_port, tls_cred, args);

This did not work: the connection was going through, but it kept showing SSL_ERROR_SSL: certificate verify failed: self-signed certificate in certificate chain
even when the same root_cert is presented by both client and server.

2. Then I tried to make changes on the server side using the following code:

  // Server side: same provider construction, then server-side TLS options
  grpc::experimental::IdentityKeyCertPair key_cert_pair;
  key_cert_pair.private_key = key_pem;
  key_cert_pair.certificate_chain = cert;

  std::vector<grpc::experimental::IdentityKeyCertPair> key_cert_pairs = {
      key_cert_pair};

  auto cert_provider =
      std::make_shared<grpc::experimental::StaticDataCertificateProvider>(
          root_cert, key_cert_pairs);

  auto tls_opts =
      std::make_shared<grpc::experimental::TlsServerCredentialsOptions>(
          cert_provider);
  tls_opts->set_root_cert_name("default");
  auto tls_creds = grpc::experimental::TlsServerCredentials(*tls_opts);
  builder->AddListeningPort(server_address, tls_creds, &selected_port);

This makes the server go into a crashloop with the signature

F0627 06:01:34.788973 177282 grpc_tls_certificate_distributor.cc:179] [absl] Check failed: root_cert_name.has_value() || identity_cert_name.has_value()

even after giving the root_cert_name.

Please help me with this. Thanks in advance.
