
How can I connect a gRPC client in .NET Framework with a secure .NET Core server?

I'm using protobuf-net.Grpc on a .NET Core server and trying to make calls from a .NET Framework (4.7.2) gRPC client. A full example is here: https://github.com/angelagyang/GRPCProtobufExample

Here is a snippet of my client:

var channelCreds = new SslCredentials(GetRootCertificates());
var channel = new Channel("localhost", 5001, channelCreds);
var greeter = channel.CreateGrpcService<IGreeterService>();

With this configuration, I get the error StatusCode="Unknown", Detail="Stream removed"... when calling the server. I am able to connect to the server if I set ClientCertificateMode = ClientCertificateMode.NoCertificate on the server. However, I want the server to require a client certificate and validate the certificate via thumbprint.

For example, in .NET Core, I can use Grpc.Net.Client to configure my channel like so:

var handler = new HttpClientHandler();
handler.ClientCertificates.Add(certificate);
var channel2 = GrpcChannel.ForAddress("https://localhost:5001", new GrpcChannelOptions
{
    HttpHandler = handler
});

Is there any way to configure a client with a certificate in .NET Framework like this? I'm pretty new to gRPC/.NET and would appreciate any suggestions!

Angela Yang asked Oct 15 '22 02:10


1 Answer

Solved and updated the original example: https://github.com/angelagyang/GRPCProtobufExample

You can configure a client certificate by creating a KeyCertificatePair to pass into SslCredentials. You will need the PEM encoded certificate chain and PEM encoded private key.

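// KeyCertificatePair takes the PEM-encoded certificate chain first, then the PEM-encoded private key
var keyCertPair = new KeyCertificatePair(
    File.ReadAllText($"{rootDir}/cert.pem"), File.ReadAllText($"{rootDir}/cert.key"));
var channelCreds = new SslCredentials(GetRootCertificates(), keyCertPair);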

For testing purposes, I used the self-signed certificates here: https://github.com/grpc/grpc/tree/master/src/core/tsi/test_creds

When debugging, set GRPC_VERBOSITY = DEBUG and GRPC_DEBUG = ALL. This can help clear up vague error messages. For example, I realized that the server certificate I was using to configure HTTPS did not include localhost.

Angela Yang answered Nov 09 '22 23:11
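
The server-side half of the question (require a client certificate and accept it by thumbprint), as an added example that is not code from the posts above or from the linked repository. It assumes an ASP.NET Core 3.x Kestrel host, a placeholder thumbprint, and that `Startup` is the server's existing startup class.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Server.Kestrel.Https;
using Microsoft.Extensions.Hosting;

public static class Program
{
    // Placeholder (assumption): the thumbprint of the client certificate you issued.
    private const string AllowedThumbprint = "<CLIENT-CERT-THUMBPRINT>";

    // Accept only the pinned certificate, and only inside its validity window.
    // Once this callback is set, Kestrel passes chain errors in instead of rejecting
    // on them, so the pin is the trust decision (self-signed test certs never chain).
    // For CA-issued client certs, additionally require errors == SslPolicyErrors.None.
    public static bool IsPinnedClient(X509Certificate2 cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (cert == null) return false;
        var now = DateTime.Now; // NotBefore/NotAfter are local time
        if (now < cert.NotBefore || now > cert.NotAfter) return false;
        return string.Equals(cert.Thumbprint, AllowedThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(web =>
            {
                web.ConfigureKestrel(kestrel =>
                    kestrel.ConfigureHttpsDefaults(https =>
                    {
                        // The TLS handshake fails unless the client presents a certificate.
                        https.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
                        https.ClientCertificateValidation = IsPinnedClient;
                    }));
                // Assumption: Startup is the server's existing class that maps the gRPC services.
                web.UseStartup<Startup>();
            })
            .Build()
            .Run();
}
```

A client built with only `new SslCredentials(GetRootCertificates())` sends no certificate and is rejected during the handshake by this configuration; the `KeyCertificatePair` client from the answer is the one that passes, provided its certificate matches the pinned thumbprint.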