grpc-java programs using an Elliptic Curve certificate for SSL communication


RSA cryptography is based on the mathematical problem of factoring the product of two large prime numbers. Elliptic Curve Cryptography (ECC) is based on the algebraic structure of elliptic curves over finite fields. ECC requires smaller keys than RSA to provide equivalent security, so a 256-bit ECC key is stronger than a 256-bit RSA key.

In my last post, “Java gRPC client and server using secure HTTP/2 channels on the Hyperledger Fabric virtual machine”, I could have just as well used an Elliptic Curve certificate and private key instead of RSA to allow my two gRPC Java programs to communicate with each other securely over SSL/TLS.

In this post, I will demonstrate how to generate the ECC certificate and key, modify the Java examples and run them again.



First, start our Hyperledger Fabric virtual image and log into it by SSH. Open a Cygwin prompt in Windows and run:

cd /cygdrive/c/gocode/fabric_java_latest/fabric/devenv

vagrant up

vagrant ssh

Once in Linux, run:

cd /devenv/nodecode/certs

It is important that the name of the computer the program will try to connect to, i.e. “hyperledger-devenv”, be found in the Elliptic Curve certificate we will generate.

It is also important that this computer name resolves. A good way of ensuring this is to add a line to the file /etc/hosts:  hyperledger-devenv

Next, run the following single OpenSSL command to generate the Elliptic Curve certificate and private key:

openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp256r1) -keyout ec.key -out ec.crt -days 3650

You will be prompted to enter information. It is critical that you enter the correct value for “Common Name” (indicated in red below):

using curve name prime256v1 instead of secp256r1
Generating a 256 bit EC private key
writing new private key to ‘ec.key’
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Quebec
Locality Name (eg, city) []:Quebec City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bertrand Szoghy
Organizational Unit Name (eg, section) []:dev
Common Name (e.g. server FQDN or YOUR name) []:hyperledger-devenv
Email Address []
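
The same certificate can be generated without the prompts and checked before it is wired into the Java programs. The script below is an added example, not part of the original post: the function names are hypothetical, the -subj value carries only the Common Name used above, and the PKCS#8 check reflects the private key format that Netty's SslContextBuilder, which grpc-java uses, expects.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
CERT_HOST="hyperledger-devenv"   # host name the gRPC client connects to (from the post)

# Generate a P-256 key and a self-signed certificate in directory $1 without prompts.
# A parameter file replaces the <(...) process substitution so plain sh works too.
gen_ec_cert() {
    dir=$1
    openssl ecparam -name prime256v1 -out "$dir/ecparam.pem" &&
    openssl req -new -x509 -nodes -newkey "ec:$dir/ecparam.pem" \
        -keyout "$dir/ec.key" -out "$dir/ec.crt" -days 3650 \
        -subj "/CN=$CERT_HOST" 2>/dev/null
}

# Print the named curve of the certificate's public key, e.g. prime256v1.
cert_curve() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *ASN1 OID: *//p'
}

# Print the Common Name from the certificate subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed if the key file is unencrypted PKCS#8 PEM ("BEGIN PRIVATE KEY").
# A SEC1 key ("BEGIN EC PRIVATE KEY") fails this check.
key_is_pkcs8() {
    [ "$(head -n 1 "$1")" = "-----BEGIN PRIVATE KEY-----" ]
}

# Check curve, Common Name and key format of the files in directory $1 against host $2.
verify_ec_cert() {
    dir=$1; host=$2
    [ "$(cert_curve "$dir/ec.crt")" = "prime256v1" ] || { echo "unexpected curve" >&2; return 1; }
    [ "$(cert_cn "$dir/ec.crt")" = "$host" ] || { echo "CN is not $host" >&2; return 1; }
    key_is_pkcs8 "$dir/ec.key" || { echo "key is not PKCS#8 PEM" >&2; return 1; }
}

# Usage: sh check_ec_cert.sh <empty directory>
if [ -n "${1:-}" ]; then
    gen_ec_cert "$1" && verify_ec_cert "$1" "$CERT_HOST" && echo "certificate OK"
fi
```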


Now, log in to the virtual machine through the Virtualbox window as user ubuntu:


Next, run the command to launch the graphical user interface:

sudo startxfce4&

Double-click to start Eclipse Neon and accept the workspace.


Expand our “JavaGrpc” Maven project.

Open file and change lines 11 and 12 from:

File cert = new File("/opt/gopath/src/");
File key = new File("/opt/gopath/src/");

to:

File cert = new File("/opt/gopath/src/");
File key = new File("/opt/gopath/src/");


Next, open file and change line 20 from:

.trustManager(new File("/opt/gopath/src/")).build())

to:

.trustManager(new File("/opt/gopath/src/")).build())


Next, we clean the project by clicking on the project name “JavaGrpc” > menu Project > Clean…


Next, right-click on the “JavaGrpc” project name > Build Project



Start the Java gRPC server

In Eclipse, right-click on file > Run As > Java Application


The console displays the server start on port 7777. You can ignore the warning:


Leave the server running.


Run the Java gRPC client

Next, in Eclipse, right-click on file > Run As > Java Application


As before, the communication over SSL/TLS is successful:


(end of post)

Bertrand Szoghy, 2017-06, Quebec City.


