Skip to content

tls-simple: fix client sample to trust the server CA and test the conn #116

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
kevinawoo wants to merge 2 commits into
base: main
Choose a base branch
from
Open

tls-simple: fix client sample to trust the server CA and test the conn #116

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2b9dda8
tls-simple: fix client sample so it trusts the server CA and test the…
kevinawoo Oct 1, 2025
46e2cea
Merge branch 'main' into tls-simple-client-sample
chaptersix Dec 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 28 additions & 12 deletions tls/tls-simple/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,33 +40,42 @@ The following example shows how to use the Go SDK to create a
Temporal that can connect to this Temporal Cluster using TLS:

```go
package main

import (
"go.temporal.io/sdk/client"
"context"
"crypto/tls"
"crypto/x509"
"log"
"os"
)

workflowservice "go.temporal.io/api/workflowservice/v1"
"go.temporal.io/sdk/client"
)

func createClient() {
// load the server's certificate
serverPEM, err := os.ReadFile("certs/cluster.pem")
func main() {
// Load CA certificate to trust this cert chain
caPEM, err := os.ReadFile("certs/ca.cert")
if err != nil {
log.Fatalln("failed to load server certificate")
log.Fatalln("failed to load CA certificate")
}
rootPool := x509.NewCertPool()
if !rootPool.AppendCertsFromPEM(caPEM) {
log.Fatalln("invalid CA cert PEM")
}

// add it to a set of certificate authorities
serverCAPool := x509.NewCertPool()
if !serverCAPool.AppendCertsFromPEM(serverPEM) {
log.Fatalln("invalid server cert PEM")
// Load client certificate and key for mTLS
clientCert, err := tls.LoadX509KeyPair("certs/client.pem", "certs/client.key")
if err != nil {
log.Fatalln("failed to load client certificate/key:", err)
}

// configure the TLS connection
c, err := client.Dial(client.Options{
ConnectionOptions: client.ConnectionOptions{
TLS: &tls.Config{
RootCAs: serverCAPool,
RootCAs: rootPool,
Certificates: []tls.Certificate{clientCert},
ServerName: "tls-sample",
},
},
Expand All @@ -77,5 +86,12 @@ func createClient() {
}
defer c.Close()

// Code that uses the Client would follow
// Lightweight connectivity test using GetSystemInfo on WorkflowService
ctx := context.Background()
info, err := c.WorkflowService().GetSystemInfo(ctx, &workflowservice.GetSystemInfoRequest{})
if err != nil {
log.Fatalln("failed to reach Temporal server:", err)
}
log.Printf("Connected to Temporal. Server version: %s", info.GetServerVersion())
}
```