From 2b9dda8cba7fddfd7bf883dbdc462c4dc67e8c2e Mon Sep 17 00:00:00 2001 From: Kevin Woo <3469532+kevinawoo@users.noreply.github.com> Date: Wed, 1 Oct 2025 12:29:21 -0700 Subject: [PATCH] tls-simple: fix client sample so it trusts the server CA and test the conn --- tls/tls-simple/README.md | 40 ++++++++++++++++++++++++++++------------ 1 file changed, 28 insertions(+), 12 deletions(-) diff --git a/tls/tls-simple/README.md b/tls/tls-simple/README.md index d15fd11..e4aa844 100644 --- a/tls/tls-simple/README.md +++ b/tls/tls-simple/README.md @@ -40,33 +40,42 @@ The following example shows how to use the Go SDK to create a Temporal that can connect to this Temporal Cluster using TLS: ```go +package main + import ( - "go.temporal.io/sdk/client" + "context" "crypto/tls" "crypto/x509" "log" "os" -) + workflowservice "go.temporal.io/api/workflowservice/v1" + "go.temporal.io/sdk/client" +) -func createClient() { - // load the server's certificate - serverPEM, err := os.ReadFile("certs/cluster.pem") +func main() { + // Load CA certificate to trust this cert chain + caPEM, err := os.ReadFile("certs/ca.cert") if err != nil { - log.Fatalln("failed to load server certificate") + log.Fatalln("failed to load CA certificate") + } + rootPool := x509.NewCertPool() + if !rootPool.AppendCertsFromPEM(caPEM) { + log.Fatalln("invalid CA cert PEM") } - // add it to a set of certificate authorities - serverCAPool := x509.NewCertPool() - if !serverCAPool.AppendCertsFromPEM(serverPEM) { - log.Fatalln("invalid server cert PEM") + // Load client certificate and key for mTLS + clientCert, err := tls.LoadX509KeyPair("certs/client.pem", "certs/client.key") + if err != nil { + log.Fatalln("failed to load client certificate/key:", err) } // configure the TLS connection c, err := client.Dial(client.Options{ ConnectionOptions: client.ConnectionOptions{ TLS: &tls.Config{ - RootCAs: serverCAPool, + RootCAs: rootPool, + Certificates: []tls.Certificate{clientCert}, ServerName: "tls-sample", }, }, 
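Review bot: The CA-load failure path in the new `main` still drops the underlying error, while the client-cert branch added just below it prints it — a reader who mistypes the path gets "failed to load CA certificate" with no hint why, so make the two consistent with `log.Fatalln("failed to load CA certificate:", err)`. The comment `// Load CA certificate to trust this cert chain` is also imprecise about what the pool does; `// CA pool used to verify the server's certificate (RootCAs); ServerName below must match a SAN in that cert` states the actual check the handshake performs. The switch from `certs/cluster.pem` to `certs/ca.cert` presumably matches the cert-generation step elsewhere in this sample, but that file name cannot be confirmed from this hunk. The body of `main` continues past the end of this hunk.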
@@ -77,5 +86,12 @@ func createClient() { } defer c.Close() - // Code that uses the Client would follow + // Lightweight connectivity test using GetSystemInfo on WorkflowService + ctx := context.Background() + info, err := c.WorkflowService().GetSystemInfo(ctx, &workflowservice.GetSystemInfoRequest{}) + if err != nil { + log.Fatalln("failed to reach Temporal server:", err) + } + log.Printf("Connected to Temporal. Server version: %s", info.GetServerVersion()) +} ```
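Review bot: The connectivity probe dials with `context.Background()`, so a misconfigured or blackholed endpoint makes the sample hang indefinitely instead of reporting a failure; a bounded context is what a reader copying this will want: `ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)` followed by `defer cancel()` (this needs `"time"` added to the import block, which lives in the previous hunk). Note also that `log.Fatalln` calls os.Exit, so the `defer c.Close()` shown as context above never runs on the failure path — acceptable in a sample, but worth a one-line comment such as `// log.Fatalln exits immediately; the deferred Close is skipped on failure` so nobody copies the pattern into long-lived code.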