Implemented Vault integration in k-s-a

Gopkg.toml

 [[constraint]]
-  branch = "master"
+  branch = "107-Vault_integration"
   name = "code.vereign.com/code/viam-apis"
 
 [[constraint]]

config.yaml.sample

@@ -11,26 +11,43 @@ restListenAddress: localhost:7878
 viamUUID: viam-system
 viamSession: viam-session
 
-# Choose a certificate method for providing PEM strings
-# 1 = Read from file (*.crt and *.key files)
-# 2 = Read from Vault server (this will require additional config information for Vault)
-certificateMethod: 1
-
-# Read Certificates From Folder and Files
-certDir: cert
-certFile: server.crt
-certKey: server.key
-vereignCertFile: vereign_ca.cer
-vereignCertKey: vereign_ca.key
-caCertFile: ca.crt
-
 # Maximum Message Size (in megabytes)
 maxMessageSize: 64
 
-# Read Certificates From Vault Server
-vaultAddress: http://10.6.10.119:8200
-vaultToken: 00000000-0000-0000-0000-000000000000
-vaultPath: /developers/data/devteam/cert
-certificateKey: certificateKey
-privateKey: privateKey
-caCertificateKey: caCertificateKey
+# Certification Access Method
+# 1 = Certificate Folder and Files
+# 2 = Vault Integration
+#certificationMethod: 1
+certificationMethod: 2
+
+# Certification URL
+# For Method 1: Can be anything (will be ignored)
+# For Method 2: IP address and port number of Vault server
+#certificationURL: localhost
+certificationURL: http://10.6.10.119:8200
+
+# Certification Token
+# For Method 1: Can be anything (will be ignored)
+# For Method 2: Vault authentication token
+#certificationToken: .
+certificationToken: YOUR_VAULT_TOKEN
+
+# Certification Path
+# For Method 1: The full path of the folder where the certificate and private key files are stored
+# For Method 2: Base mount path for certificate secrets
+#certificationPath: /home/ocengiz/Documents/Vereign/03-Codebase/cert
+certificationPath: /developers/data/devteam/cert
+
+# Certification Files
+# For Method 1: The name of the files for certification
+# For Method 2: The name of the secret keys on Vault
+#certificationCertFile: localhost.crt
+certificationCertFile: certificateKey
+#certificationKeyFile: localhost.key
+certificationKeyFile: privateKey
+#certificationCaCertFile: ca.crt
+certificationCaCertFile: caCertificateKey
+#certificationVereignCertFile: vereign_ca.cer
+certificationVereignCertFile: vereignCaCertificateKey
+#certificationVereignKeyFile: vereign_ca.key
+certificationVereignKeyFile: vereignCaPrivateKey
\ No newline at end of file

handler/generate_keypair.go

@@ -40,7 +40,7 @@ func (s *KeyStorageServerImpl) GenerateKeyPair(ctx context.Context,
 	auth := s.CreateAuthentication(ctx)
 
 	client := &client.DataStorageClientImpl{}
-	client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath, s.KeyFilePath, s.CaCertFilePath, s.MaxMessageSize)
+	client.SetUpClient(auth, s.DataStorageUrl, s.CertPEM, s.KeyPEM, s.CaCertPEM, s.MaxMessageSize)
 	defer client.CloseClient()
 
 	generateKeyPairResponse := &api.GenerateKeyPairResponse{}
@@ -94,7 +94,7 @@ func (s *KeyStorageServerImpl) GenerateKeyPair(ctx context.Context,
 	}
 
 	if generateKeyPairResponse.StatusList == nil || len(generateKeyPairResponse.StatusList) == 0 {
-		encryptedAesKeyBytes, err := rsaEncryptWithServerKey(s.VereignCertFilePath, aesKeyBytes, []byte("aeskeys"))
+		encryptedAesKeyBytes, err := rsaEncryptWithServerKey(s.VereignCertPEM, aesKeyBytes, []byte("aeskeys"))
 		if err != nil {
 			log.Printf("Error: %v", err)
 			generateKeyPairResponse.StatusList = utils.AddStatus(generateKeyPairResponse.StatusList,
@@ -109,7 +109,7 @@ func (s *KeyStorageServerImpl) GenerateKeyPair(ctx context.Context,
 	}
 
 	if generateKeyPairResponse.StatusList == nil || len(generateKeyPairResponse.StatusList) == 0 {
-		encryptedPrivateKeyNonceBytes, err := rsaEncryptWithServerKey(s.VereignCertFilePath, privateKeyNonce, []byte("nonce"))
+		encryptedPrivateKeyNonceBytes, err := rsaEncryptWithServerKey(s.VereignCertPEM, privateKeyNonce, []byte("nonce"))
 		if err != nil {
 			log.Printf("Error: %v", err)
 			generateKeyPairResponse.StatusList = utils.AddStatus(generateKeyPairResponse.StatusList,
@@ -176,8 +176,8 @@ func generateKeyPair(keySize int) ([]byte, []byte, error) {
 	return privateKeyBytes, publicKeyBytes, nil
 }
 
-func rsaEncryptWithServerKey(certFilePath string, message []byte, label []byte) ([]byte, error) {
-	serverCertificate, err := readCertificateFromFile(certFilePath)
+func rsaEncryptWithServerKey(certPEM []byte, message []byte, label []byte) ([]byte, error) {
+	serverCertificate, err := readCertificateFromPEM(certPEM)
 	if err != nil {
 		log.Printf("Error: %v", err)
 		return nil, err

handler/handler.go

@@ -19,7 +19,6 @@ package handler
 
 import (
 	"log"
-	"io/ioutil"
 	"strings"
 
 	"code.vereign.com/code/viam-apis/versions"
@@ -36,11 +35,11 @@ import (
 // Server represents the gRPC server
 type KeyStorageServerImpl struct {
 	DataStorageUrl            string
-	CertFilePath              string
-	KeyFilePath 			  string
-	CaCertFilePath			  string
-	VereignCertFilePath       string
-	VereignPrivateKeyFilePath string
+	CertPEM					  []byte
+	KeyPEM					  []byte
+	CaCertPEM				  []byte
+	VereignCertPEM       	  []byte
+	VereignPrivateKeyPEM	  []byte
 	MaxMessageSize			  int
 }
 
@@ -66,23 +65,23 @@ func (s *KeyStorageServerImpl) GetKey(ctx context.Context, in *api.GetKeyRequest
 	auth := s.CreateAuthentication(ctx)
 
 	client := &client.DataStorageClientImpl{}
-	client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath, s.KeyFilePath, s.CaCertFilePath, s.MaxMessageSize)
+	client.SetUpClient(auth, s.DataStorageUrl, s.CertPEM, s.KeyPEM, s.CaCertPEM, s.MaxMessageSize)
 	defer client.CloseClient()
 
 	getKeyResponse := &api.GetKeyResponse{}
 
 	if in.KeyType == api.KeyType_CERTIFICATE && in.Uuid == "root" {
 		key := &api.Key{}
-		data, err := ioutil.ReadFile(s.VereignCertFilePath)
+		/*data, err := ioutil.ReadFile(s.VereignCertFilePath)
 
 		if err != nil {
 			log.Printf("Error: %v", err)
 			getKeyResponse.StatusList = utils.AddStatus(getKeyResponse.StatusList,
 				"400", api.StatusType_ERROR, "Can not get root certificate")
 			return getKeyResponse, nil
-		}
+		}*/
 
-		key.Content = data
+		key.Content = s.VereignCertPEM
 		key.Revoked = false
 
 		getKeyResponse.Key = key
@@ -114,7 +113,7 @@ func (s *KeyStorageServerImpl) SetKey(ctx context.Context, in *api.SetKeyRequest
 	auth := s.CreateAuthentication(ctx)
 
 	client := &client.DataStorageClientImpl{}
-	client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath, s.KeyFilePath, s.CaCertFilePath, s.MaxMessageSize)
+	client.SetUpClient(auth, s.DataStorageUrl, s.CertPEM, s.KeyPEM, s.CaCertPEM, s.MaxMessageSize)
 	defer client.CloseClient()
 
 	setKeyResponse := &api.SetKeyResponse{}
@@ -162,7 +161,7 @@ func (s *KeyStorageServerImpl) ReserveKeyUUID(ctx context.Context, in *api.Reser
 	auth := s.CreateAuthentication(ctx)
 
 	client := &client.DataStorageClientImpl{}
-	client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath, s.KeyFilePath, s.CaCertFilePath, s.MaxMessageSize)
+	client.SetUpClient(auth, s.DataStorageUrl, s.CertPEM, s.KeyPEM, s.CaCertPEM, s.MaxMessageSize)
 	defer client.CloseClient()
 
 	reserveKeyUUIDResponse := &api.ReserveKeyUUIDResponse{}

handler/revoke.go

@@ -29,7 +29,7 @@ func (s *KeyStorageServerImpl) Revoke(ctx context.Context, in *api.RevokeRequest
 	auth := s.CreateAuthentication(ctx)
 
 	client := &client.DataStorageClientImpl{}
-	client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath, s.KeyFilePath, s.CaCertFilePath, s.MaxMessageSize)
+	client.SetUpClient(auth, s.DataStorageUrl, s.CertPEM, s.KeyPEM, s.CaCertPEM, s.MaxMessageSize)
 	defer client.CloseClient()
 
 	revokeResponse := &api.RevokeResponse{}

handler/utils.go

@@ -75,6 +75,30 @@ func handlePutDataErrors(statusList []*api.Status, errors string, err error) []*
 	return statusList
 }
 
+func readCertificateFromPEM(pemString []byte) (*x509.Certificate, error) {
+	certificatePemBlock, err := readPemBlockFromBytes(pemString)
+	if err != nil {
+		log.Printf("Error: %v", err)
+		return nil, err
+	}
+
+	certificate, err := x509.ParseCertificate(certificatePemBlock.Bytes)
+	if err != nil {
+		log.Printf("Error: %v", err)
+		return nil, err
+	}
+
+	return certificate, nil
+}
+
+func readPemBlockFromBytes(pemString []byte) (*pem.Block, error) {
+	fileBytes := pemString
+
+	certificatePemBlock, _ := pem.Decode(fileBytes)
+
+	return certificatePemBlock, nil
+}
+
 func readCertificateFromFile(fileName string) (*x509.Certificate, error) {
 	certificatePemBlock, err := readPemBlockFromFile(fileName)
 	if err != nil {

main.go

@@ -28,29 +28,21 @@ import (
 func main() {
 	server.SetConfigValues()
 
-	// TODO this should be done via configuration or even a certificate repository
-	certDir := viper.GetString("certDir")
-	if certDir == "" {
-		log.Printf("cert-dir cannot be empty")
-		return
-	}
-
 	grpcAddress := viper.GetString("grpcListenAddress")
 	restAddress := viper.GetString("restListenAddress")
 	dataStorageAddress := viper.GetString("dataStorageUrl")
-
-	certFilePath := certDir + "/" + viper.GetString("certFile")
-	privateKeyFilePath := certDir + "/" + viper.GetString("certKey")
-	caCertFilePath := certDir + "/" + viper.GetString("caCertFile")
-	vereignCertFilePath := certDir + "/" + viper.GetString("vereignCertFile")
-	vereignPrivateKeyFilePath := certDir + "/" + viper.GetString("vereignCertKey")
+	certPem := server.GetCertificatePEM()
+	keyPem := server.GetPrivateKeyPEM()
+	caCertPem := server.GetCaCertificatePEM()
+	vereignCaCertificatePem := server.GetVereignCaCertificatePEM()
+	vereignCaKeyPem := server.GetVereignCaKeyPEM()
 
 	maxMessageSize := viper.GetInt("maxMessageSize")
 
 	// fire the gRPC server in a goroutine
 	go func() {
-		err := server.StartGRPCServer(grpcAddress, certFilePath, privateKeyFilePath, caCertFilePath, vereignCertFilePath,
-			vereignPrivateKeyFilePath, dataStorageAddress, maxMessageSize)
+		err := server.StartGRPCServer(grpcAddress, certPem, keyPem, caCertPem, vereignCaCertificatePem,
+			vereignCaKeyPem, dataStorageAddress, maxMessageSize)
 		if err != nil {
 			log.Fatalf("failed to start gRPC server: %s", err)
 		}
@@ -58,7 +50,7 @@ func main() {
 
 	// fire the REST server in a goroutine
 	go func() {
-		err := server.StartRESTServer(restAddress, grpcAddress, certFilePath)
+		err := server.StartRESTServer(restAddress, grpcAddress, certPem)
 		if err != nil {
 			log.Fatalf("failed to start gRPC server: %s", err)
 		}

server/configs.go

@@ -5,6 +5,14 @@ import (
 	"github.com/spf13/viper"
 )
 
+var certificationMethod string
+var p PEMReader
+var certificatePEM []byte
+var privateKeyPEM []byte
+var caCertificatePEM []byte
+var vereignCaCertificatePEM []byte
+var vereignCaKeyPEM []byte
+
 func SetConfigValues() {
 	// Set Default Values For Config Variables
 
@@ -12,20 +20,37 @@ func SetConfigValues() {
 	viper.SetDefault("grpcListenAddress", "localhost:7877")
 	viper.SetDefault("restListenAddress", "localhost:7878")
 	viper.SetDefault("dataStorageUrl", "localhost:7777")
-	
-	// Certificates Related
-	viper.SetDefault("certDir", "cert")
-	viper.SetDefault("certFile", "server.crt")
-	viper.SetDefault("certKey", "server.key")
-	viper.SetDefault("caCertFile", "ca.crt")
-	viper.SetDefault("vereignCertFile", "vereign_ca.cer")
-	viper.SetDefault("vereignCertKey", "vereign_ca.key")
 
 	viper.SetDefault("viamUUID", "viam-system")
 	viper.SetDefault("viamSession", "viam-session")
 
 	viper.SetDefault("maxMessageSize", 64)
 
+	// Certification Related
+	// File System Defaults
+	viper.SetDefault("certificationMethod", "1")
+	viper.SetDefault("certificationURL", ".")
+	viper.SetDefault("certificationToken", ".")
+	viper.SetDefault("certificationPath", "cert")
+	viper.SetDefault("certificationCertFile", "server.crt")
+	viper.SetDefault("certificationKeyFile", "server.key")
+	viper.SetDefault("certificationCaCertFile", "ca.crt")
+	viper.SetDefault("certificationVereignCertFile", "vereign_ca.cer")
+	viper.SetDefault("certificationVereignKeyFile", "vereign_ca.key")
+
+	/*
+	// Vault Defaults
+	viper.SetDefault("certificationMethod", "2")
+	viper.SetDefault("certificationURL", "http://10.6.10.119:8200")
+	viper.SetDefault("certificationToken", "")
+	viper.SetDefault("certificationPath", "/developers/data/devteam/cert")
+    viper.SetDefault("certificationCertFile", "certificateKey")
+	viper.SetDefault("certificationKeyFile", "privateKey")
+	viper.SetDefault("certificationCaCertFile", "caCertificateKey")
+	viper.SetDefault("certificationVereignCertFile", "vereignCaCertificateKey")
+	viper.SetDefault("certificationVereignKeyFile", "vereignCaPrivateKey")
+	*/
+
 	// Read Config File
 	viper.SetConfigName("config")
 	viper.AddConfigPath(".")
@@ -33,10 +58,53 @@ func SetConfigValues() {
 		log.Printf("can't read config: %s, will use default values", err)
 	}
 
+	certificationMethod = viper.GetString("certificationMethod")
+	if certificationMethod == "1" {
+		// Read From File System
+		p = FilePEMReader{certificationURL: viper.GetString("certificationURL"),
+			certificationToken: viper.GetString("certificationToken"),
+			certificationPath: viper.GetString("certificationPath"),
+			certificationCertFile: viper.GetString("certificationCertFile"),
+			certificationKeyFile: viper.GetString("certificationKeyFile"),
+			certificationCaCertFile: viper.GetString("certificationCaCertFile"),
+			certificationVereignCertFile: viper.GetString("certificationVereignCertFile"),
+			certificationVereignKeyFile: viper.GetString("certificationVereignKeyFile")}
+	} else if certificationMethod == "2" {
+		// Read From Vault
+		p = VaultPEMReader{certificationURL: viper.GetString("certificationURL"),
+			certificationToken: viper.GetString("certificationToken"),
+			certificationPath: viper.GetString("certificationPath"),
+			certificationCertFile: viper.GetString("certificationCertFile"),
+			certificationKeyFile: viper.GetString("certificationKeyFile"),
+			certificationCaCertFile: viper.GetString("certificationCaCertFile"),
+			certificationVereignCertFile: viper.GetString("certificationVereignCertFile"),
+			certificationVereignKeyFile: viper.GetString("certificationVereignKeyFile")}
+	}
+
 	// Print all config values to log file
 	log.Printf("All Settings From Config:")
 	as := viper.AllSettings()
 	for key, _ := range as {
 	    log.Printf("%s => %s", key, viper.GetString(key))
 	}
+}
+
+func GetCertificatePEM() []byte {
+	return p.readCertificatePEM()
+}
+
+func GetPrivateKeyPEM() []byte {
+	return p.readPrivateKeyPEM()
+}
+
+func GetCaCertificatePEM() []byte {
+	return p.readCaCertificatePEM()
+}
+
+func GetVereignCaCertificatePEM() []byte {
+	return p.readVereignCaCertificatePEM()
+}
+
+func GetVereignCaKeyPEM() []byte {
+	return p.readVereignCaKeyPEM()
 }
\ No newline at end of file

server/pem_reader.go

+package server
+
+import (
+	"log"
+	"io/ioutil"
+	vc "github.com/hashicorp/vault/api"
+)
+
+type PEMReader interface {
+	readCertificatePEM() []byte
+	readPrivateKeyPEM() []byte
+	readCaCertificatePEM() []byte
+	readVereignCaCertificatePEM() []byte
+	readVereignCaKeyPEM() []byte
+}
+
+type FilePEMReader struct {
+	certificationURL string
+	certificationToken string
+	certificationPath string
+	certificationCertFile string
+	certificationKeyFile string
+	certificationCaCertFile string
+	certificationVereignCertFile string
+	certificationVereignKeyFile string
+}
+
+func (f FilePEMReader) readCertificatePEM() []byte {
+	pem, err := ioutil.ReadFile(f.certificationPath + "/" + f.certificationCertFile)
+    if err != nil {
+		log.Printf("Error: %v", err)
+        return []byte("")
+    }
+	return pem
+}
+
+func (f FilePEMReader) readPrivateKeyPEM() []byte {
+    pem, err := ioutil.ReadFile(f.certificationPath + "/" + f.certificationKeyFile)
+    if err != nil {
+		log.Printf("Error: %v", err)
+        return []byte("")
+    }
+	return pem
+}
+
+func (f FilePEMReader) readCaCertificatePEM() []byte {
+    pem, err := ioutil.ReadFile(f.certificationPath + "/" + f.certificationCaCertFile)
+    if err != nil {
+		log.Printf("Error: %v", err)
+        return []byte("")
+    }
+	return pem
+}
+
+func (f FilePEMReader) readVereignCaCertificatePEM() []byte {
+    pem, err := ioutil.ReadFile(f.certificationPath + "/" + f.certificationVereignCertFile)
+    if err != nil {
+		log.Printf("Error: %v", err)
+        return []byte("")
+    }
+	return pem
+}
+
+func (f FilePEMReader) readVereignCaKeyPEM() []byte {
+    pem, err := ioutil.ReadFile(f.certificationPath + "/" + f.certificationVereignKeyFile)
+    if err != nil {
+		log.Printf("Error: %v", err)
+        return []byte("")
+    }
+	return pem
+}
+
+type VaultPEMReader struct {
+	certificationURL string
+	certificationToken string
+	certificationPath string
+	certificationCertFile string
+	certificationKeyFile string
+	certificationCaCertFile string
+	certificationVereignCertFile string
+	certificationVereignKeyFile string
+}
+
+func (v VaultPEMReader) readCertificatePEM() []byte {
+	client, err := vc.NewClient(&vc.Config{
+		Address: v.certificationURL,
+	})
+
+	if err != nil {
+		log.Printf("Error: VAULT Can't create client, %s", err)
+	}
+
+	client.SetToken(v.certificationToken)
+
+	keyname := v.certificationPath
+	secretValues, err := client.Logical().Read(keyname)
+	if err != nil {
+		log.Printf("Error: VAULT Can't read value, %s", err)
+	}
+	
+	pemMap := secretValues.Data["data"].(map[string]interface{})
+
+	for propName, propValue := range pemMap {
+		if propName == v.certificationCertFile {
+			return []byte(propValue.(string))
+		}
+	}
+	return []byte("")
+}
+
+func (v VaultPEMReader) readPrivateKeyPEM() []byte {
+	client, err := vc.NewClient(&vc.Config{
+		Address: v.certificationURL,
+	})
+
+	if err != nil {
+		log.Printf("Error: VAULT Can't create client, %s", err)
+	}
+
+	client.SetToken(v.certificationToken)
+
+	keyname := v.certificationPath
+	secretValues, err := client.Logical().Read(keyname)
+	if err != nil {
+		log.Printf("Error: VAULT Can't read value, %s", err)
+	}
+	
+	pemMap := secretValues.Data["data"].(map[string]interface{})
+
+	for propName, propValue := range pemMap {
+		if propName == v.certificationKeyFile {
+			return []byte(propValue.(string))
+		}
+	}
+	return []byte("")
+}
+
+func (v VaultPEMReader) readCaCertificatePEM() []byte {
+	client, err := vc.NewClient(&vc.Config{
+		Address: v.certificationURL,
+	})
+
+	if err != nil {
+		log.Printf("Error: VAULT Can't create client, %s", err)
+	}
+
+	client.SetToken(v.certificationToken)
+
+	keyname := v.certificationPath
+	secretValues, err := client.Logical().Read(keyname)
+	if err != nil {
+		log.Printf("Error: VAULT Can't read value, %s", err)
+	}
+	
+	pemMap := secretValues.Data["data"].(map[string]interface{})
+
+	for propName, propValue := range pemMap {
+		if propName == v.certificationCaCertFile {
+			return []byte(propValue.(string))
+		}
+	}
+	return []byte("")
+}
+
+func (v VaultPEMReader) readVereignCaCertificatePEM() []byte {
+	client, err := vc.NewClient(&vc.Config{
+		Address: v.certificationURL,
+	})
+
+	if err != nil {
+		log.Printf("Error: VAULT Can't create client, %s", err)
+	}
+
+	client.SetToken(v.certificationToken)
+
+	keyname := v.certificationPath
+	secretValues, err := client.Logical().Read(keyname)
+	if err != nil {
+		log.Printf("Error: VAULT Can't read value, %s", err)
+	}
+	
+	pemMap := secretValues.Data["data"].(map[string]interface{})
+
+	for propName, propValue := range pemMap {
+		if propName == v.certificationVereignCertFile {
+			return []byte(propValue.(string))
+		}
+	}
+	return []byte("")
+}
+
+func (v VaultPEMReader) readVereignCaKeyPEM() []byte {
+	client, err := vc.NewClient(&vc.Config{
+		Address: v.certificationURL,
+	})
+
+	if err != nil {
+		log.Printf("Error: VAULT Can't create client, %s", err)
+	}
+
+	client.SetToken(v.certificationToken)
+
+	keyname := v.certificationPath
+	secretValues, err := client.Logical().Read(keyname)
+	if err != nil {
+		log.Printf("Error: VAULT Can't read value, %s", err)
+	}
+	
+	pemMap := secretValues.Data["data"].(map[string]interface{})
+
+	for propName, propValue := range pemMap {
+		if propName == v.certificationVereignKeyFile {
+			return []byte(propValue.(string))
+		}
+	}
+	return []byte("")
+}
\ No newline at end of file

server/server.go

@@ -23,11 +23,10 @@ import (
 	"net"
 	"net/http"
 	"strings"
-
+	"crypto/x509"
+	"crypto/tls"
 	"github.com/grpc-ecosystem/grpc-gateway/runtime"
-
 	"golang.org/x/net/context"
-
 	"code.vereign.com/code/key-storage-agent/handler"
 	"code.vereign.com/code/key-storage-agent/session"
 	"code.vereign.com/code/viam-apis/authentication"
@@ -46,9 +45,9 @@ const (
 	clientIDKey contextKey = iota
 )
 
-var pkgCertFile string
-var pkgKeyFile string
-var pkgCaCertFile string
+var pkgCertPEM []byte
+var pkgKeyPEM []byte
+var pkgCaCertPEM []byte
 
 func credMatcher(headerName string) (mdName string, ok bool) {
 	if headerName == "Session" {
@@ -72,7 +71,7 @@ func authenticateClient(ctx context.Context, s *handler.KeyStorageServerImpl, in
 		}
 
 		sessionClient := &client.DataStorageClientImpl{}
-		sessionClient.SetUpClient(viamAuth, viper.GetString("dataStorageUrl"), pkgCertFile, pkgKeyFile, pkgCaCertFile, viper.GetInt("maxMessageSize"))
+		sessionClient.SetUpClient(viamAuth, viper.GetString("dataStorageUrl"), pkgCertPEM, pkgKeyPEM, pkgCaCertPEM, viper.GetInt("maxMessageSize"))
 		defer sessionClient.CloseClient()
 
 		if clientAuth.Uuid == viamAuth.Uuid {
@@ -110,10 +109,10 @@ func unaryInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServ
 	return handler1(ctx, req)
 }
 
-func StartGRPCServer(address, certFilePath, privateKeyFilePath, caCertFilePath, vereignCertFilePath, vereignPrivateKeyFilePath, dataStorageAddress string, maxMessageSize int) error {
-	pkgCertFile = certFilePath
-	pkgKeyFile = privateKeyFilePath
-	pkgCaCertFile = caCertFilePath
+func StartGRPCServer(address string, certPEM, privateKeyPEM, caCertPEM, vereignCertPEM, vereignPrivateKeyPEM []byte, dataStorageAddress string, maxMessageSize int) error {
+	pkgCertPEM = certPEM
+	pkgKeyPEM = privateKeyPEM
+	pkgCaCertPEM = caCertPEM
 
 	// create a listener on TCP port
 	lis, err := net.Listen("tcp", address)
@@ -124,21 +123,40 @@ func StartGRPCServer(address, certFilePath, privateKeyFilePath, caCertFilePath,
 
 	// create a server instance
 	s := handler.KeyStorageServerImpl{
-		DataStorageUrl:            dataStorageAddress,
-		CertFilePath:              certFilePath,
-		KeyFilePath:			   privateKeyFilePath,
-		CaCertFilePath:			   caCertFilePath,
-		VereignCertFilePath:       vereignCertFilePath,
-		VereignPrivateKeyFilePath: vereignPrivateKeyFilePath,
-		MaxMessageSize:			   maxMessageSize,
+		DataStorageUrl:         dataStorageAddress,
+		CertPEM:              	certPEM,
+		KeyPEM:			   		privateKeyPEM,
+		CaCertPEM:			   	caCertPEM,
+		VereignCertPEM:       	vereignCertPEM,
+		VereignPrivateKeyPEM: 	vereignPrivateKeyPEM,
+		MaxMessageSize:			maxMessageSize,
 	}
 
-	// Create the TLS credentials
-	creds, err := credentials.NewServerTLSFromFile(certFilePath, privateKeyFilePath)
+	// Load the certificates from PEM Strings
+    certificate, err := tls.X509KeyPair(certPEM, privateKeyPEM)
+    
 	if err != nil {
 		log.Printf("Error: %v", err)
-		return fmt.Errorf("could not load TLS keys: %s", err)
+		return fmt.Errorf("could not load server key pair: %s", err)
+	}
+
+	// Create a certificate pool from the certificate authority
+    // Get the SystemCertPool, continue with an empty pool on error
+	certPool, _ := x509.SystemCertPool()
+	if certPool == nil {
+		certPool = x509.NewCertPool()
 	}
+	
+	if ok := certPool.AppendCertsFromPEM(caCertPEM); !ok {
+        return fmt.Errorf("failed to append server certs")
+    }
+
+    // Create the TLS credentials
+    creds := credentials.NewTLS(&tls.Config{
+    	//ClientAuth:   tls.RequireAndVerifyClientCert,
+    	Certificates: []tls.Certificate{certificate},
+    	ClientCAs:    certPool,
+    })
 
 	// Create an array of gRPC options with the credentials
 	opts := []grpc.ServerOption{
@@ -162,19 +180,25 @@ func StartGRPCServer(address, certFilePath, privateKeyFilePath, caCertFilePath,
 	return nil
 }
 
-func StartRESTServer(address, grpcAddress, certFile string) error {
+func StartRESTServer(address, grpcAddress string, certPEM []byte) error {
 	ctx := context.Background()
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
 
 	mux := runtime.NewServeMux(runtime.WithIncomingHeaderMatcher(credMatcher))
 
-	creds, err := credentials.NewClientTLSFromFile(certFile, "")
-	if err != nil {
-		log.Printf("Error: %v", err)
-		return fmt.Errorf("could not load TLS certificate: %s", err)
+	certPool, err := x509.SystemCertPool()
+	if certPool == nil {
+		certPool = x509.NewCertPool()
 	}
 
+	// Append the client certificates from the CA
+    if ok := certPool.AppendCertsFromPEM(certPEM); !ok {
+        return fmt.Errorf("failed to append client certs")
+    }
+
+	creds := credentials.NewClientTLSFromCert(certPool, "")
+
 	// Setup the client gRPC options
 	opts := []grpc.DialOption{grpc.WithTransportCredentials(creds)}