//Cloudogu EcoSystem Docs

Dogu authentication

The service cesappd provides certificates so that Dogus can communicate withcesappd in encrypted form.


The generation of the client and server certificate is carried out during the CES setup. This script is located in /usr/local/bin/ssl_cesappd_generate.sh inces-commons. It is also triggered when installing cesappd in thepostinst script if no certificates have been generated yet. If the FQDN is changed, the certificate is regenerated.


Private key: /etc/ces/cesappd/server.key

  • The key can only be read by the user root
  • Since the key is located under /etc/ces, it is saved by the backup mechanism

Server certificate: server.crt

  • The server certificate is located in the etcd under/config/_global/certificate/cesappd/server.crt

Client certificate: ca.pem

  • The server certificate is located in the etcd under /config/_global/certificate/cesappd/ca.pem



creds, _ := credentials.NewClientTLSFromFile(certFile, "")
conn, _ := grpc.Dial("localhost:50051", grpc.WithTransportCredentials(creds))
// error handling omitted
client := pb.NewGreeterClient(conn)
// ...


creds, _ := credentials.NewServerTLSFromFile(certFile, keyFile)
s := grpc.NewServer(grpc.Creds(creds))
lis, _ := net.Listen("tcp", "localhost:50051")
// error handling omitted

Generate service accounts

With the command

cesappd service-account-create <dogu-name>

you can create a service account. The output will be printed to the console with the following format:

username: dogu-name_<8 random characters>
password: <16 random characters>