Articles

Secure gRPC Services with TLS and mTLS Authentication (2026)

April 18, 2026 5 min read

gRPC services don’t just use TLS; they actively enforce it, turning a network protocol into a secure communication channel by default.

Let’s see how this looks in practice. Imagine a simple gRPC client and server.

Server (server.go):

package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io/ioutil"
	"log"
	"net"

	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"
	pb "your_module_path/proto" // Replace with your module path
)

type server struct {
	pb.UnimplementedGreeterServer
}

func (s *server) SayHello(ctx context.Context, in *pb.HelloRequest) (*pb.HelloReply, error) {
	return &pb.HelloReply{Message: "Hello " + in.Name}, nil
}

func main() {
	cert, err := tls.LoadX509KeyPair("server.crt", "server.key")
	if err != nil {
		log.Fatalf("failed to load key pair: %v", err)
	}

	// Load CA certificate for client authentication (mTLS)
	caCert, err := ioutil.ReadFile("ca.crt")
	if err != nil {
		log.Fatalf("failed to read ca certificate: %v", err)
	}
	caCertPool := x509.NewCertPool()
	caCertPool.AppendCertsFromPEM(caCert)

	tlsConfig := &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientCAs:    caCertPool,
		ClientAuth:   tls.RequireAndVerifyClientCert, // Require and verify client certs
	}
	creds := credentials.NewTLS(tlsConfig)

	lis, err := net.Listen("tcp", ":50051")
	if err != nil {
		log.Fatalf("failed to listen: %v", err)
	}

	s := grpc.NewServer(grpc.Creds(creds))
	pb.RegisterGreeterServer(s, &server{})

	log.Printf("server listening at %v", lis.Addr())
	if err := s.Serve(lis); err != nil {
		log.Fatalf("failed to serve: %v", err)
	}
}

Client (client.go):

package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io/ioutil"
	"log"
	"time"

	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"
	pb "your_module_path/proto" // Replace with your module path
)

func main() {
	// Load the CA certificate to verify the server's certificate
	caCert, err := ioutil.ReadFile("ca.crt")
	if err != nil {
		log.Fatalf("failed to read ca certificate: %v", err)
	}
	caCertPool := x509.NewCertPool()
	caCertPool.AppendCertsFromPEM(caCert)

	// Load the client's certificate and key for mTLS
	cert, err := tls.LoadX509KeyPair("client.crt", "client.key")
	if err != nil {
		log.Fatalf("failed to load key pair: %v", err)
	}

	tlsConfig := &tls.Config{
		Certificates: []tls.Certificate{cert},
		RootCAs:      caCertPool,
	}
	creds := credentials.NewTLS(tlsConfig)

	conn, err := grpc.Dial("localhost:50051", grpc.WithTransportCredentials(creds), grpc.WithBlock())
	if err != nil {
		log.Fatalf("did not connect: %v", err)
	}
	defer conn.Close()

	c := pb.NewGreeterClient(conn)

	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
	defer cancel()

	r, err := c.SayHello(ctx, &pb.HelloRequest{Name: "World"})
	if err != nil {
		log.Fatalf("could not greet: %v", err)
	}
	log.Printf("Greeting: %s", r.Message)
}

The Problem This Solves:

In a distributed system, services often need to communicate. Without security, this communication is vulnerable to eavesdropping (confidentiality) and tampering (integrity). Anyone on the network could intercept messages, read sensitive data, or even inject malicious content. Furthermore, services might need to verify the identity of the service they’re talking to, and vice-versa, to prevent unauthorized access and ensure they’re talking to the right entity.

How it Works Internally:

gRPC leverages TLS (Transport Layer Security) for encryption and authentication. When you configure TLS on a gRPC server, it presents its certificate to the client during the handshake. The client, if configured to trust the server’s certificate authority (CA), verifies it. This ensures the client is talking to the intended server and that the communication channel is encrypted.

For mutual TLS (mTLS), the process is extended. The server also requires the client to present its own certificate. The server then verifies the client’s certificate against its trusted CA. This establishes a two-way authentication, ensuring both parties are who they claim to be.

The google.golang.org/grpc/credentials package is the key. It provides NewTLS which takes a *tls.Config object. This tls.Config is where you define:

  • Certificates: The server’s own certificate and private key.
  • ClientCAs: A pool of CA certificates that the server trusts for verifying client certificates (for mTLS).
  • ClientAuth: Specifies whether and how the server should request and verify client certificates (e.g., tls.RequireAndVerifyClientCert for mTLS).
  • RootCAs: A pool of CA certificates that the client trusts for verifying the server’s certificate.

The Levers You Control:

  1. Certificate Generation: You need to generate certificates. This typically involves creating a Certificate Authority (CA) certificate, and then using that CA to sign server and client certificates. Tools like openssl are commonly used for this.
  2. Server Configuration: Loading the server’s certificate (server.crt) and key (server.key), and crucially, configuring ClientCAs and ClientAuth if you want mTLS.
  3. Client Configuration: Loading the client’s certificate (client.crt) and key (client.key) for mTLS, and configuring RootCAs to trust the server’s CA.
  4. gRPC Dialing/Serving: Passing the configured credentials.TransportCredentials to grpc.Dial (client) and grpc.NewServer (server).

When the client initiates a connection to the server, the gRPC library, using the provided credentials, performs the TLS handshake. This handshake involves:

  1. The client sending a "ClientHello" message.
  2. The server responding with a "ServerHello" and its certificate.
  3. The client verifying the server’s certificate against its RootCAs.
  4. (For mTLS) The server requesting the client’s certificate.
  5. The client sending its certificate.
  6. The server verifying the client’s certificate against its ClientCAs.
  7. Both sides generating session keys for encrypted communication.

If any of these steps fail (e.g., certificate expired, not signed by a trusted CA, hostname mismatch), the handshake fails, and the grpc.Dial or server.Serve call will return an error, preventing communication.

The most subtle, yet powerful, aspect of gRPC’s TLS integration is its default behavior. Even if you don’t explicitly configure TLS, gRPC clients will attempt to connect to servers over plain HTTP/2. However, when you do configure TLS on the server, the client must use TLS as well. You cannot mix and match; if the server demands TLS, the client must provide it, and vice-versa. This strictness prevents accidental unencrypted communication when security is intended.

Once TLS is secured, the next step is often implementing robust authorization policies based on the verified client identity.

Want structured learning?

Take the full Grpc course →