
11 Authentication

DodaTech

title: "gRPC Authentication with SSL/TLS"
description: "Secure gRPC communication with SSL/TLS certificates. Learn server-side TLS, mutual TLS (mTLS), certificate generation, credential management, and encrypted channel configuration."
weight: 11
date: 2026-06-28
lastmod: 2026-06-28
tags: [api-development, grpc]

Production gRPC deployments should run over transport-level security. SSL/TLS encrypts all data in transit, authenticates the server to the client, and optionally verifies client identity through mutual TLS. gRPC also supports token-based authentication at the application layer, carried as call credentials on top of the encrypted channel.

What You'll Learn

  • Server-side TLS certificate configuration
  • Mutual TLS (mTLS) for client certificate verification
  • Generating self-signed certificates for development
  • Loading credentials on server and client
  • Channel credential vs call credential patterns

Why It Matters

gRPC traffic over plaintext is vulnerable to interception and tampering. TLS encryption is mandatory for any internet-facing gRPC service. mTLS ensures both parties are authenticated.

Real-World Use

Google Cloud services use mutual TLS for internal service communication. Kubernetes uses TLS for etcd gRPC connections. Envoy proxy uses TLS certificates for mesh service identity.

flowchart LR
    Client[Client] -->|TLS Handshake| Server[gRPC Server]
    Client --> ServerCert[Server Certificate]
    Client -->|Optional| ClientCert[Client Certificate]
    Server --> ClientCert
    ServerCert --> CA[Certificate Authority]
    ClientCert --> CA
    Server -->|Encrypted Channel| Client

Teacher Mindset

TLS is the foundation of gRPC security. Configure it at server creation time. Use mTLS for internal services where both sides need verification. Use token-based auth for user-facing applications.

Code Examples

// Example 1: Server with TLS
const fs = require('fs');
const grpc = require('@grpc/grpc-js');

const server = new grpc.Server();
// OrderService is the loaded service definition and implementation is the object of
// handler functions; both are defined earlier in the course and omitted here.
server.addService(OrderService, implementation);

const credentials = grpc.ServerCredentials.createSsl(
  fs.readFileSync('certs/ca.crt'),    // CA certificate used to verify client certificates
  [{
    cert_chain: fs.readFileSync('certs/server.crt'),
    private_key: fs.readFileSync('certs/server.key')
  }],
  true // require and verify a client certificate (mTLS); false gives server-only TLS
);

server.bindAsync('0.0.0.0:50051', credentials, (err, port) => {
  if (err) throw err;
  server.start(); // no-op since @grpc/grpc-js 1.10, still required by older versions
  console.log(`gRPC server listening on port ${port}`);
});

// Example 2: Client with TLS
const fs = require('fs');
const grpc = require('@grpc/grpc-js');

// Argument order matters: root CA, then the client's private key, then its certificate.
// For server-only TLS pass just the CA certificate and omit the key and certificate.
const credentials = grpc.credentials.createSsl(
  fs.readFileSync('certs/ca.crt'),     // CA certificate that signed the server certificate
  fs.readFileSync('certs/client.key'), // Client private key (mTLS)
  fs.readFileSync('certs/client.crt')  // Client certificate (mTLS)
);

// OrderService here is the generated client stub; the hostname dialed must match the
// name in the server certificate.
const client = new OrderService('localhost:50051', credentials);

# Example 3: Generate self-signed certificates with OpenSSL
# Each `openssl req` prompts for the subject fields; for the server certificate the
# Common Name must be the hostname clients connect to (see the FAQ on CN and SAN).
# Generate CA
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt

# Generate server cert signed by the CA
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out server.crt

# Generate client cert signed by the same CA (presented by the client under mTLS)
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out client.crt

Common Mistakes

  • Using insecure credentials (createInsecure) in production
  • Forgetting to include the CA certificate on the client side
  • Using self-signed certificates without proper CA chain validation
  • Not rotating expired certificates
  • Mixing up server and client certificate roles in mTLS
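The last three mistakes above can be caught mechanically. The script below is an added example, not code from the original tutorial: it extends Example 3 with role-specific extendedKeyUsage values and a SAN, and checks chain, role, hostname and remaining lifetime with `openssl verify` and `openssl x509`. It assumes the openssl CLI is installed; the file names and the DNS:localhost SAN are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Builds a development PKI whose leaf
# certificates carry role-specific extendedKeyUsage values and a SAN, then checks them
# the way a client's TLS stack (or an operator) should. Requires the openssl CLI.
# The file names and the DNS:localhost SAN are assumptions made for this example.
set -eu

# make_dev_pki DIR: create ca.crt, server.crt (serverAuth, SAN=DNS:localhost) and
# client.crt (clientAuth) in DIR, all signed by the same CA, without interactive prompts.
make_dev_pki() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=dev-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # extendedKeyUsage decides which side of the handshake a certificate may act as
  printf 'subjectAltName=DNS:localhost\nextendedKeyUsage=serverAuth\n' > "$dir/server.ext"
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  for role in server client; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=dev-$role" \
      -keyout "$dir/$role.key" -out "$dir/$role.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$role.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 90 -extfile "$dir/$role.ext" -out "$dir/$role.crt" 2>/dev/null
  done
}

# check_cert CERT CA PURPOSE [HOSTNAME]: succeed only if CERT chains to CA, is allowed to
# act as PURPOSE (sslserver or sslclient) and, when HOSTNAME is given, matches it via SAN.
# A client cert offered as a server cert, or a leaf used as its own trust anchor, fails.
check_cert() {
  cert=$1; ca=$2; purpose=$3; host=${4:-}
  if [ -n "$host" ]; then
    openssl verify -CAfile "$ca" -purpose "$purpose" -verify_hostname "$host" "$cert" >/dev/null 2>&1
  else
    openssl verify -CAfile "$ca" -purpose "$purpose" "$cert" >/dev/null 2>&1
  fi
}

# expires_within CERT DAYS: succeed when CERT expires within DAYS, i.e. rotation is due.
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

Run `make_dev_pki certs` once, then point Examples 1 and 2 at the resulting files; the checks are what to wire into a rotation job so a certificate is replaced before `expires_within` starts succeeding.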

Practice

  1. Generate a CA certificate and a server certificate.
  2. Configure a gRPC server with server-side TLS.
  3. Create a client that connects with TLS.
  4. Set up mutual TLS with client certificate verification.
  5. Challenge: Create a certificate rotation script that reloads certificates without server restart.

FAQ

Is TLS mandatory for gRPC?

TLS is not mandatory but strongly recommended. Insecure connections are acceptable only for local development and testing.

What is the difference between channel credentials and call credentials?

Channel credentials secure the transport layer (TLS). Call credentials add per-RPC authentication (tokens, JWTs).

Can I use Let's Encrypt certificates with gRPC?

Yes. Let's Encrypt certificates work with gRPC as long as the hostname the client dials matches a Subject Alternative Name (SAN) in the certificate; Let's Encrypt always issues SANs, and most modern TLS stacks no longer fall back to the CN.

How does gRPC handle certificate revocation?

gRPC relies on the certificate validation of the underlying TLS library, which in most stacks does not check revocation by default. Configure OCSP stapling or CRL distribution points on your server, and make sure the client's TLS stack is configured to consult them.

Should I use mTLS for all services?

mTLS is best for internal service-to-service communication. For public APIs, use TLS plus token-based authentication.

Mini Project

Set up a secure gRPC server with mTLS for your order management service. Generate CA, server, and client certificates. Configure the server to require client certificates. Test the connection with and without valid certificates.

What's Next

Next, you will learn about gRPC error handling patterns and standard error codes.
