Merge pull request #24227 from ZhenLian/zhen_dynamic_file_reloading_3

C-core changes for TLS credentials
4 years ago · 4d80f376a3
parent e7e1cdb128 518ed1303c
commit 4d80f376a3
53 changed files with 1957 additions and 2177 deletions
--- a/5
+++ b/5
@ -252,6 +252,7 @@ GRPCXX_PUBLIC_HDRS = [
    "include/grpcpp/security/auth_metadata_processor.h",
    "include/grpcpp/security/credentials.h",
    "include/grpcpp/security/server_credentials.h",
    "include/grpcpp/security/tls_certificate_provider.h",
    "include/grpcpp/security/tls_credentials_options.h",
    "include/grpcpp/server.h",
    "include/grpcpp/server_builder.h",
@ -355,6 +356,7 @@ grpc_cc_library(
        "src/cpp/common/secure_auth_context.cc",
        "src/cpp/common/secure_channel_arguments.cc",
        "src/cpp/common/secure_create_auth_context.cc",
        "src/cpp/common/tls_certificate_provider.cc",
        "src/cpp/common/tls_credentials_options.cc",
        "src/cpp/common/tls_credentials_options_util.cc",
        "src/cpp/server/insecure_server_credentials.cc",
@ -1796,6 +1798,7 @@ grpc_cc_library(
        "src/core/lib/security/credentials/plugin/plugin_credentials.cc",
        "src/core/lib/security/credentials/ssl/ssl_credentials.cc",
        "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc",
        "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc",
        "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc",
        "src/core/lib/security/credentials/tls/tls_credentials.cc",
        "src/core/lib/security/security_connector/alts/alts_security_connector.cc",
@ -1820,7 +1823,6 @@ grpc_cc_library(
    hdrs = [
        "src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.h",
        "src/core/ext/xds/xds_channel_args.h",
        "src/core/lib/security/certificate_provider.h",
        "src/core/lib/security/context/security_context.h",
        "src/core/lib/security/credentials/alts/alts_credentials.h",
        "src/core/lib/security/credentials/composite/composite_credentials.h",
@ -1838,6 +1840,7 @@ grpc_cc_library(
        "src/core/lib/security/credentials/plugin/plugin_credentials.h",
        "src/core/lib/security/credentials/ssl/ssl_credentials.h",
        "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h",
        "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h",
        "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h",
        "src/core/lib/security/credentials/tls/tls_credentials.h",
        "src/core/lib/security/security_connector/alts/alts_security_connector.h",
--- a/BUILD.gn
+++ b/BUILD.gn
@ -976,7 +976,6 @@ config("grpc_config") {
        "src/core/lib/security/authorization/evaluate_args.h",
        "src/core/lib/security/authorization/mock_cel/activation.h",
        "src/core/lib/security/authorization/mock_cel/cel_value.h",
        "src/core/lib/security/certificate_provider.h",
        "src/core/lib/security/context/security_context.cc",
        "src/core/lib/security/context/security_context.h",
        "src/core/lib/security/credentials/alts/alts_credentials.cc",
@ -1023,6 +1022,8 @@ config("grpc_config") {
        "src/core/lib/security/credentials/ssl/ssl_credentials.h",
        "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc",
        "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h",
        "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc",
        "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h",
        "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc",
        "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h",
        "src/core/lib/security/credentials/tls/tls_credentials.cc",
@ -1376,6 +1377,7 @@ config("grpc_config") {
        "include/grpcpp/security/auth_metadata_processor.h",
        "include/grpcpp/security/credentials.h",
        "include/grpcpp/security/server_credentials.h",
        "include/grpcpp/security/tls_certificate_provider.h",
        "include/grpcpp/security/tls_credentials_options.h",
        "include/grpcpp/server.h",
        "include/grpcpp/server_builder.h",
@ -1430,6 +1432,7 @@ config("grpc_config") {
        "src/cpp/common/secure_auth_context.h",
        "src/cpp/common/secure_channel_arguments.cc",
        "src/cpp/common/secure_create_auth_context.cc",
        "src/cpp/common/tls_certificate_provider.cc",
        "src/cpp/common/tls_credentials_options.cc",
        "src/cpp/common/tls_credentials_options_util.cc",
        "src/cpp/common/tls_credentials_options_util.h",
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -908,6 +908,7 @@ if(gRPC_BUILD_TESTS)
  endif()
  add_dependencies(buildtests_cxx string_ref_test)
  add_dependencies(buildtests_cxx test_cpp_client_credentials_test)
  add_dependencies(buildtests_cxx test_cpp_server_credentials_test)
  add_dependencies(buildtests_cxx test_cpp_util_slice_test)
  add_dependencies(buildtests_cxx test_cpp_util_time_test)
  add_dependencies(buildtests_cxx thread_manager_test)
@ -1852,6 +1853,7 @@ add_library(grpc
  src/core/lib/security/credentials/plugin/plugin_credentials.cc
  src/core/lib/security/credentials/ssl/ssl_credentials.cc
  src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc
  src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc
  src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc
  src/core/lib/security/credentials/tls/tls_credentials.cc
  src/core/lib/security/credentials/xds/xds_credentials.cc
@ -2671,6 +2673,7 @@ add_library(grpc++
  src/cpp/common/secure_auth_context.cc
  src/cpp/common/secure_channel_arguments.cc
  src/cpp/common/secure_create_auth_context.cc
  src/cpp/common/tls_certificate_provider.cc
  src/cpp/common/tls_credentials_options.cc
  src/cpp/common/tls_credentials_options_util.cc
  src/cpp/common/validate_service_config.cc
@ -2893,6 +2896,7 @@ foreach(_hdr
  include/grpcpp/security/auth_metadata_processor.h
  include/grpcpp/security/credentials.h
  include/grpcpp/security/server_credentials.h
  include/grpcpp/security/tls_certificate_provider.h
  include/grpcpp/security/tls_credentials_options.h
  include/grpcpp/server.h
  include/grpcpp/server_builder.h
@ -3562,6 +3566,7 @@ foreach(_hdr
  include/grpcpp/security/auth_metadata_processor.h
  include/grpcpp/security/credentials.h
  include/grpcpp/security/server_credentials.h
  include/grpcpp/security/tls_certificate_provider.h
  include/grpcpp/security/tls_credentials_options.h
  include/grpcpp/server.h
  include/grpcpp/server_builder.h
@ -14572,6 +14577,46 @@ target_link_libraries(test_cpp_client_credentials_test
 )
 endif()
 if(gRPC_BUILD_TESTS)
 add_executable(test_cpp_server_credentials_test
  test/cpp/server/credentials_test.cc
  third_party/googletest/googletest/src/gtest-all.cc
  third_party/googletest/googlemock/src/gmock-all.cc
 )
 target_include_directories(test_cpp_server_credentials_test
  PRIVATE
    ${CMAKE_CURRENT_SOURCE_DIR}
    ${CMAKE_CURRENT_SOURCE_DIR}/include
    ${_gRPC_ADDRESS_SORTING_INCLUDE_DIR}
    ${_gRPC_RE2_INCLUDE_DIR}
    ${_gRPC_SSL_INCLUDE_DIR}
    ${_gRPC_UPB_GENERATED_DIR}
    ${_gRPC_UPB_GRPC_GENERATED_DIR}
    ${_gRPC_UPB_INCLUDE_DIR}
    ${_gRPC_ZLIB_INCLUDE_DIR}
    third_party/googletest/googletest/include
    third_party/googletest/googletest
    third_party/googletest/googlemock/include
    third_party/googletest/googlemock
    ${_gRPC_PROTO_GENS_DIR}
 )
 target_link_libraries(test_cpp_server_credentials_test
  ${_gRPC_PROTOBUF_LIBRARIES}
  ${_gRPC_ALLTARGETS_LIBRARIES}
  grpc_test_util
  grpc++
  grpc
  gpr
  address_sorting
  upb
  ${_gRPC_GFLAGS_LIBRARIES}
 )
 endif()
 if(gRPC_BUILD_TESTS)
--- a/6
+++ b/6
@ -2265,6 +2265,7 @@ LIBGRPC_SRC = \
    src/core/lib/security/credentials/plugin/plugin_credentials.cc \
    src/core/lib/security/credentials/ssl/ssl_credentials.cc \
    src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc \
    src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc \
    src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc \
    src/core/lib/security/credentials/tls/tls_credentials.cc \
    src/core/lib/security/credentials/xds/xds_credentials.cc \
@ -2844,6 +2845,7 @@ LIBGRPC++_SRC = \
    src/cpp/common/secure_auth_context.cc \
    src/cpp/common/secure_channel_arguments.cc \
    src/cpp/common/secure_create_auth_context.cc \
    src/cpp/common/tls_certificate_provider.cc \
    src/cpp/common/tls_credentials_options.cc \
    src/cpp/common/tls_credentials_options_util.cc \
    src/cpp/common/validate_service_config.cc \
@ -3026,6 +3028,7 @@ PUBLIC_HEADERS_CXX += \
    include/grpcpp/security/auth_metadata_processor.h \
    include/grpcpp/security/credentials.h \
    include/grpcpp/security/server_credentials.h \
    include/grpcpp/security/tls_certificate_provider.h \
    include/grpcpp/security/tls_credentials_options.h \
    include/grpcpp/server.h \
    include/grpcpp/server_builder.h \
@ -3540,6 +3543,7 @@ PUBLIC_HEADERS_CXX += \
    include/grpcpp/security/auth_metadata_processor.h \
    include/grpcpp/security/credentials.h \
    include/grpcpp/security/server_credentials.h \
    include/grpcpp/security/tls_certificate_provider.h \
    include/grpcpp/security/tls_credentials_options.h \
    include/grpcpp/server.h \
    include/grpcpp/server_builder.h \
@ -4801,6 +4805,7 @@ src/core/lib/security/credentials/oauth2/oauth2_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/plugin/plugin_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/ssl/ssl_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/tls/tls_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/xds/xds_credentials.cc: $(OPENSSL_DEP)
@ -4858,6 +4863,7 @@ src/cpp/common/auth_property_iterator.cc: $(OPENSSL_DEP)
 src/cpp/common/secure_auth_context.cc: $(OPENSSL_DEP)
 src/cpp/common/secure_channel_arguments.cc: $(OPENSSL_DEP)
 src/cpp/common/secure_create_auth_context.cc: $(OPENSSL_DEP)
 src/cpp/common/tls_certificate_provider.cc: $(OPENSSL_DEP)
 src/cpp/common/tls_credentials_options.cc: $(OPENSSL_DEP)
 src/cpp/common/tls_credentials_options_util.cc: $(OPENSSL_DEP)
 src/cpp/ext/proto_server_reflection.cc: $(OPENSSL_DEP)
--- a/build_autogenerated.yaml
+++ b/build_autogenerated.yaml
@ -748,7 +748,6 @@ libs:
  - src/core/lib/security/authorization/evaluate_args.h
  - src/core/lib/security/authorization/mock_cel/activation.h
  - src/core/lib/security/authorization/mock_cel/cel_value.h
  - src/core/lib/security/certificate_provider.h
  - src/core/lib/security/context/security_context.h
  - src/core/lib/security/credentials/alts/alts_credentials.h
  - src/core/lib/security/credentials/alts/check_gcp_environment.h
@ -768,6 +767,7 @@ libs:
  - src/core/lib/security/credentials/plugin/plugin_credentials.h
  - src/core/lib/security/credentials/ssl/ssl_credentials.h
  - src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h
  - src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h
  - src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h
  - src/core/lib/security/credentials/tls/tls_credentials.h
  - src/core/lib/security/credentials/xds/xds_credentials.h
@ -1280,6 +1280,7 @@ libs:
  - src/core/lib/security/credentials/plugin/plugin_credentials.cc
  - src/core/lib/security/credentials/ssl/ssl_credentials.cc
  - src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc
  - src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc
  - src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc
  - src/core/lib/security/credentials/tls/tls_credentials.cc
  - src/core/lib/security/credentials/xds/xds_credentials.cc
@ -2249,6 +2250,7 @@ libs:
  - include/grpcpp/security/auth_metadata_processor.h
  - include/grpcpp/security/credentials.h
  - include/grpcpp/security/server_credentials.h
  - include/grpcpp/security/tls_certificate_provider.h
  - include/grpcpp/security/tls_credentials_options.h
  - include/grpcpp/server.h
  - include/grpcpp/server_builder.h
@ -2312,6 +2314,7 @@ libs:
  - src/cpp/common/secure_auth_context.cc
  - src/cpp/common/secure_channel_arguments.cc
  - src/cpp/common/secure_create_auth_context.cc
  - src/cpp/common/tls_certificate_provider.cc
  - src/cpp/common/tls_credentials_options.cc
  - src/cpp/common/tls_credentials_options_util.cc
  - src/cpp/common/validate_service_config.cc
@ -2611,6 +2614,7 @@ libs:
  - include/grpcpp/security/auth_metadata_processor.h
  - include/grpcpp/security/credentials.h
  - include/grpcpp/security/server_credentials.h
  - include/grpcpp/security/tls_certificate_provider.h
  - include/grpcpp/security/tls_credentials_options.h
  - include/grpcpp/server.h
  - include/grpcpp/server_builder.h
@ -7449,6 +7453,20 @@ targets:
  - gpr
  - address_sorting
  - upb
 - name: test_cpp_server_credentials_test
  gtest: true
  build: test
  language: c++
  headers: []
  src:
  - test/cpp/server/credentials_test.cc
  deps:
  - grpc_test_util
  - grpc++
  - grpc
  - gpr
  - address_sorting
  - upb
 - name: test_cpp_util_slice_test
  gtest: true
  build: test
--- a/config.m4
+++ b/config.m4
@ -512,6 +512,7 @@ if test "$PHP_GRPC" != "no"; then
    src/core/lib/security/credentials/plugin/plugin_credentials.cc \
    src/core/lib/security/credentials/ssl/ssl_credentials.cc \
    src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc \
    src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc \
    src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc \
    src/core/lib/security/credentials/tls/tls_credentials.cc \
    src/core/lib/security/credentials/xds/xds_credentials.cc \
--- a/config.w32
+++ b/config.w32
@ -479,6 +479,7 @@ if (PHP_GRPC != "no") {
    "src\\core\\lib\\security\\credentials\\plugin\\plugin_credentials.cc " +
    "src\\core\\lib\\security\\credentials\\ssl\\ssl_credentials.cc " +
    "src\\core\\lib\\security\\credentials\\tls\\grpc_tls_certificate_distributor.cc " +
    "src\\core\\lib\\security\\credentials\\tls\\grpc_tls_certificate_provider.cc " +
    "src\\core\\lib\\security\\credentials\\tls\\grpc_tls_credentials_options.cc " +
    "src\\core\\lib\\security\\credentials\\tls\\tls_credentials.cc " +
    "src\\core\\lib\\security\\credentials\\xds\\xds_credentials.cc " +
--- a/gRPC-C++.podspec
+++ b/gRPC-C++.podspec
@ -150,6 +150,7 @@ Pod::Spec.new do |s|
                      'include/grpcpp/security/auth_metadata_processor.h',
                      'include/grpcpp/security/credentials.h',
                      'include/grpcpp/security/server_credentials.h',
                      'include/grpcpp/security/tls_certificate_provider.h',
                      'include/grpcpp/security/tls_credentials_options.h',
                      'include/grpcpp/server.h',
                      'include/grpcpp/server_builder.h',
@ -596,7 +597,6 @@ Pod::Spec.new do |s|
                      'src/core/lib/security/authorization/evaluate_args.h',
                      'src/core/lib/security/authorization/mock_cel/activation.h',
                      'src/core/lib/security/authorization/mock_cel/cel_value.h',
                      'src/core/lib/security/certificate_provider.h',
                      'src/core/lib/security/context/security_context.h',
                      'src/core/lib/security/credentials/alts/alts_credentials.h',
                      'src/core/lib/security/credentials/alts/check_gcp_environment.h',
@ -616,6 +616,7 @@ Pod::Spec.new do |s|
                      'src/core/lib/security/credentials/plugin/plugin_credentials.h',
                      'src/core/lib/security/credentials/ssl/ssl_credentials.h',
                      'src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h',
                      'src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h',
                      'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h',
                      'src/core/lib/security/credentials/tls/tls_credentials.h',
                      'src/core/lib/security/credentials/xds/xds_credentials.h',
@ -723,6 +724,7 @@ Pod::Spec.new do |s|
                      'src/cpp/common/secure_auth_context.h',
                      'src/cpp/common/secure_channel_arguments.cc',
                      'src/cpp/common/secure_create_auth_context.cc',
                      'src/cpp/common/tls_certificate_provider.cc',
                      'src/cpp/common/tls_credentials_options.cc',
                      'src/cpp/common/tls_credentials_options_util.cc',
                      'src/cpp/common/tls_credentials_options_util.h',
@ -1195,7 +1197,6 @@ Pod::Spec.new do |s|
                              'src/core/lib/security/authorization/evaluate_args.h',
                              'src/core/lib/security/authorization/mock_cel/activation.h',
                              'src/core/lib/security/authorization/mock_cel/cel_value.h',
                              'src/core/lib/security/certificate_provider.h',
                              'src/core/lib/security/context/security_context.h',
                              'src/core/lib/security/credentials/alts/alts_credentials.h',
                              'src/core/lib/security/credentials/alts/check_gcp_environment.h',
@ -1215,6 +1216,7 @@ Pod::Spec.new do |s|
                              'src/core/lib/security/credentials/plugin/plugin_credentials.h',
                              'src/core/lib/security/credentials/ssl/ssl_credentials.h',
                              'src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h',
                              'src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h',
                              'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h',
                              'src/core/lib/security/credentials/tls/tls_credentials.h',
                              'src/core/lib/security/credentials/xds/xds_credentials.h',
--- a/gRPC-Core.podspec
+++ b/gRPC-Core.podspec
@ -1033,7 +1033,6 @@ Pod::Spec.new do |s|
                      'src/core/lib/security/authorization/evaluate_args.h',
                      'src/core/lib/security/authorization/mock_cel/activation.h',
                      'src/core/lib/security/authorization/mock_cel/cel_value.h',
                      'src/core/lib/security/certificate_provider.h',
                      'src/core/lib/security/context/security_context.cc',
                      'src/core/lib/security/context/security_context.h',
                      'src/core/lib/security/credentials/alts/alts_credentials.cc',
@ -1080,6 +1079,8 @@ Pod::Spec.new do |s|
                      'src/core/lib/security/credentials/ssl/ssl_credentials.h',
                      'src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc',
                      'src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h',
                      'src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc',
                      'src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h',
                      'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc',
                      'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h',
                      'src/core/lib/security/credentials/tls/tls_credentials.cc',
@ -1720,7 +1721,6 @@ Pod::Spec.new do |s|
                              'src/core/lib/security/authorization/evaluate_args.h',
                              'src/core/lib/security/authorization/mock_cel/activation.h',
                              'src/core/lib/security/authorization/mock_cel/cel_value.h',
                              'src/core/lib/security/certificate_provider.h',
                              'src/core/lib/security/context/security_context.h',
                              'src/core/lib/security/credentials/alts/alts_credentials.h',
                              'src/core/lib/security/credentials/alts/check_gcp_environment.h',
@ -1740,6 +1740,7 @@ Pod::Spec.new do |s|
                              'src/core/lib/security/credentials/plugin/plugin_credentials.h',
                              'src/core/lib/security/credentials/ssl/ssl_credentials.h',
                              'src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h',
                              'src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h',
                              'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h',
                              'src/core/lib/security/credentials/tls/tls_credentials.h',
                              'src/core/lib/security/credentials/xds/xds_credentials.h',
--- a/grpc.def
+++ b/grpc.def
@ -135,18 +135,22 @@ EXPORTS
    grpc_alts_server_credentials_create
    grpc_local_credentials_create
    grpc_local_server_credentials_create
    grpc_tls_identity_pairs_create
    grpc_tls_identity_pairs_add_pair
    grpc_tls_identity_pairs_destroy
    grpc_tls_certificate_provider_static_data_create
    grpc_tls_certificate_provider_release
    grpc_tls_credentials_options_create
    grpc_tls_credentials_options_set_cert_request_type
    grpc_tls_credentials_options_set_server_verification_option
-    grpc_tls_credentials_options_set_key_materials_config
+    grpc_tls_credentials_options_set_certificate_provider
-    grpc_tls_credentials_options_set_credential_reload_config
+    grpc_tls_credentials_options_watch_root_certs
    grpc_tls_credentials_options_set_root_cert_name
    grpc_tls_credentials_options_watch_identity_key_cert_pairs
    grpc_tls_credentials_options_set_identity_cert_name
    grpc_tls_credentials_options_set_server_authorization_check_config
    grpc_tls_key_materials_config_create
    grpc_tls_key_materials_config_set_key_materials
    grpc_tls_key_materials_config_set_version
    grpc_tls_key_materials_config_get_version
    grpc_tls_credential_reload_config_create
    grpc_tls_server_authorization_check_config_create
    grpc_tls_server_authorization_check_config_release
    grpc_xds_credentials_create
    grpc_raw_byte_buffer_create
    grpc_raw_compressed_byte_buffer_create
--- a/grpc.gemspec
+++ b/grpc.gemspec
@ -951,7 +951,6 @@ Gem::Specification.new do |s|
  s.files += %w( src/core/lib/security/authorization/evaluate_args.h )
  s.files += %w( src/core/lib/security/authorization/mock_cel/activation.h )
  s.files += %w( src/core/lib/security/authorization/mock_cel/cel_value.h )
  s.files += %w( src/core/lib/security/certificate_provider.h )
  s.files += %w( src/core/lib/security/context/security_context.cc )
  s.files += %w( src/core/lib/security/context/security_context.h )
  s.files += %w( src/core/lib/security/credentials/alts/alts_credentials.cc )
@ -998,6 +997,8 @@ Gem::Specification.new do |s|
  s.files += %w( src/core/lib/security/credentials/ssl/ssl_credentials.h )
  s.files += %w( src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc )
  s.files += %w( src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h )
  s.files += %w( src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc )
  s.files += %w( src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h )
  s.files += %w( src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc )
  s.files += %w( src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h )
  s.files += %w( src/core/lib/security/credentials/tls/tls_credentials.cc )
--- a/grpc.gyp
+++ b/grpc.gyp
@ -875,6 +875,7 @@
        'src/core/lib/security/credentials/plugin/plugin_credentials.cc',
        'src/core/lib/security/credentials/ssl/ssl_credentials.cc',
        'src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc',
        'src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc',
        'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc',
        'src/core/lib/security/credentials/tls/tls_credentials.cc',
        'src/core/lib/security/credentials/xds/xds_credentials.cc',
@ -1403,6 +1404,7 @@
        'src/cpp/common/secure_auth_context.cc',
        'src/cpp/common/secure_channel_arguments.cc',
        'src/cpp/common/secure_create_auth_context.cc',
        'src/cpp/common/tls_certificate_provider.cc',
        'src/cpp/common/tls_credentials_options.cc',
        'src/cpp/common/tls_credentials_options_util.cc',
        'src/cpp/common/validate_service_config.cc',
--- a/include/grpc/grpc_security.h
+++ b/include/grpc/grpc_security.h
@ -743,183 +743,156 @@ GRPCAPI grpc_server_credentials* grpc_local_server_credentials_create(
 *  experimental purpose for now and subject to change. */
 typedef struct grpc_tls_error_details grpc_tls_error_details;
 /** Config for TLS key materials. It is used for
 *  experimental purpose for now and subject to change. */
 typedef struct grpc_tls_key_materials_config grpc_tls_key_materials_config;
 /** Config for TLS credential reload. It is used for
 *  experimental purpose for now and subject to change. */
 typedef struct grpc_tls_credential_reload_config
    grpc_tls_credential_reload_config;
 /** Config for TLS server authorization check. It is used for
 *  experimental purpose for now and subject to change. */
 typedef struct grpc_tls_server_authorization_check_config
    grpc_tls_server_authorization_check_config;
-/** TLS credentials options. It is used for
+/**
- *  experimental purpose for now and subject to change. */
+ * A struct that can be specified by callers to configure underlying TLS
 * behaviors. It is used for experimental purpose for now and subject to change.
 */
 typedef struct grpc_tls_credentials_options grpc_tls_credentials_options;
-/** Create an empty TLS credentials options. It is used for
+/**
- *  experimental purpose for now and subject to change. */
+ * A struct provides ways to gain credential data that will be used in the TLS
 * handshake. It is used for experimental purpose for now and subject to change.
 */
 typedef struct grpc_tls_certificate_provider grpc_tls_certificate_provider;
 /**
 * A struct that stores the credential data presented to the peer in handshake
 * to show local identity. It is used for experimental purpose for now and
 * subject to change.
 */
 typedef struct grpc_tls_identity_pairs grpc_tls_identity_pairs;
 /**
 * Creates a grpc_tls_identity_pairs that stores a list of identity credential
 * data, including identity private key and identity certificate chain. It is
 * used for experimental purpose for now and subject to change.
 */
 GRPCAPI grpc_tls_identity_pairs* grpc_tls_identity_pairs_create();
 /**
 * Adds a identity private key and a identity certificate chain to
 * grpc_tls_identity_pairs. This function will make an internal copy of
 * |private_key| and |cert_chain|. It is used for experimental purpose for now
 * and subject to change.
 */
 GRPCAPI void grpc_tls_identity_pairs_add_pair(grpc_tls_identity_pairs* pairs,
                                              const char* private_key,
                                              const char* cert_chain);
 /**
 * Destroys a grpc_tls_identity_pairs object. If this object is passed to a
 * provider initiation function, the ownership is transferred so this function
 * doesn't need to be called. Otherwise the creator of the
 * grpc_tls_identity_pairs object is responsible for its destruction. It is
 * used for experimental purpose for now and subject to change.
 */
 GRPCAPI void grpc_tls_identity_pairs_destroy(grpc_tls_identity_pairs* pairs);
 /**
 * Creates a grpc_tls_certificate_provider that will load credential data from
 * static string during initialization. This provider will always return the
 * same cert data for all cert names.
 * root_certificate and pem_key_cert_pairs can be nullptr, indicating the
 * corresponding credential data is not needed.
 * This function will make a copy of |root_certificate|.
 * The ownership of |pem_key_cert_pairs| is transferred.
 * It is used for experimental purpose for now and subject to change.
 */
 GRPCAPI grpc_tls_certificate_provider*
 grpc_tls_certificate_provider_static_data_create(
    const char* root_certificate, grpc_tls_identity_pairs* pem_key_cert_pairs);
 /**
 * Releases a grpc_tls_certificate_provider object. The creator of the
 * grpc_tls_certificate_provider object is responsible for its release. It is
 * used for experimental purpose for now and subject to change.
 */
 GRPCAPI void grpc_tls_certificate_provider_release(
    grpc_tls_certificate_provider* provider);
 /**
 * Creates an grpc_tls_credentials_options.
 * It is used for experimental purpose for now and subject to change.
 */
 GRPCAPI grpc_tls_credentials_options* grpc_tls_credentials_options_create(void);
-/** Set grpc_ssl_client_certificate_request_type field in credentials options
+/**
-    with the provided type. options should not be NULL.
+ * Sets the options of whether to request and verify client certs. This should
-    It returns 1 on success and 0 on failure. It is used for
+ * be called only on the server side. It returns 1 on success and 0 on failure.
-    experimental purpose for now and subject to change. */
+ * It is used for experimental purpose for now and subject to change.
-GRPCAPI int grpc_tls_credentials_options_set_cert_request_type(
+ */
 GRPCAPI void grpc_tls_credentials_options_set_cert_request_type(
    grpc_tls_credentials_options* options,
    grpc_ssl_client_certificate_request_type type);
-/** Set grpc_tls_server_verification_option field in credentials options
+/**
-    with the provided server_verification_option. options should not be NULL.
+ * Sets the options of whether to choose certain checks, e.g. certificate check,
-    This should be called only on the client side.
+ * hostname check, etc. This should be called only on the client side. If
-    If grpc_tls_server_verification_option is not
+ * |server_verification_option| is not GRPC_TLS_SERVER_VERIFICATION, use of a
-    GRPC_TLS_SERVER_VERIFICATION, use of a customer server
+ * custom authorization check (grpc_tls_server_authorization_check_config) is
-    authorization check (grpc_tls_server_authorization_check_config)
+ * mandatory. It returns 1 on success and 0 on failure. It is used for
-    will be mandatory.
+ * experimental purpose for now and subject to change.
-    It returns 1 on success and 0 on failure. It is used for
+ */
-    experimental purpose for now and subject to change. */
+GRPCAPI void grpc_tls_credentials_options_set_server_verification_option(
 GRPCAPI int grpc_tls_credentials_options_set_server_verification_option(
    grpc_tls_credentials_options* options,
    grpc_tls_server_verification_option server_verification_option);
-/** Set grpc_tls_key_materials_config field in credentials options
+/**
-    with the provided config struct whose ownership is transferred.
+ * Sets the credential provider in the options.
-    Both parameters should not be NULL.
+ * The |options| will implicitly take a new ref to the |provider|.
-    It returns 1 on success and 0 on failure. It is used for
+ * It returns 1 on success and 0 on failure.
-    experimental purpose for now and subject to change. */
+ * It is used for experimental purpose for now and subject to change.
-GRPCAPI int grpc_tls_credentials_options_set_key_materials_config(
+ */
-    grpc_tls_credentials_options* options,
+GRPCAPI void grpc_tls_credentials_options_set_certificate_provider(
    grpc_tls_key_materials_config* config);
 /** Set grpc_tls_credential_reload_config field in credentials options
    with the provided config struct whose ownership is transferred.
    Both parameters should not be NULL.
    It returns 1 on success and 0 on failure. It is used for
    experimental purpose for now and subject to change. */
 GRPCAPI int grpc_tls_credentials_options_set_credential_reload_config(
    grpc_tls_credentials_options* options,
    grpc_tls_credential_reload_config* config);
 /** Set grpc_tls_server_authorization_check_config field in credentials options
    with the provided config struct whose ownership is transferred.
    Both parameters should not be NULL.
    It returns 1 on success and 0 on failure. It is used for
    experimental purpose for now and subject to change. */
 GRPCAPI int grpc_tls_credentials_options_set_server_authorization_check_config(
    grpc_tls_credentials_options* options,
-    grpc_tls_server_authorization_check_config* config);
+    grpc_tls_certificate_provider* provider);
-/** --- TLS key materials config. ---
+/**
-    It is used for experimental purpose for now and subject to change. */
+ * If set, gRPC stack will keep watching the root certificates with
 * name |root_cert_name|. It returns 1 on success and 0 on failure. It is used
 * for experimental purpose for now and subject to change.
 */
 GRPCAPI void grpc_tls_credentials_options_watch_root_certs(
    grpc_tls_credentials_options* options);
-/** Create an empty grpc_tls_key_materials_config instance.
+/**
- *  It is used for experimental purpose for now and subject to change. */
+ * Sets the name of the root certificates being watched.
-GRPCAPI grpc_tls_key_materials_config* grpc_tls_key_materials_config_create(
+ * If not set, We will use a default empty string as the root certificate name.
-    void);
+ * It is used for experimental purpose for now and subject to change.
 /** Set grpc_tls_key_materials_config instance with provided a TLS certificate.
    It's valid for the caller to provide nullptr pem_root_certs, in which case
    the gRPC-provided root cert will be used. pem_key_cert_pairs should not be
    NULL.
    The ownerships of |pem_root_certs| and |pem_key_cert_pairs| remain with the
    caller.
    It returns 1 on success and 0 on failure. It is used for experimental
    purpose for now and subject to change.
 */
-GRPCAPI int grpc_tls_key_materials_config_set_key_materials(
+GRPCAPI void grpc_tls_credentials_options_set_root_cert_name(
-    grpc_tls_key_materials_config* config, const char* pem_root_certs,
+    grpc_tls_credentials_options* options, const char* root_cert_name);
    const grpc_ssl_pem_key_cert_pair** pem_key_cert_pairs,
    size_t num_key_cert_pairs);
-/** Set grpc_tls_key_materials_config instance with a provided version number,
+/**
-    which is used to keep track of the version of key materials.
+ * If set, gRPC stack will keep watching the identity key-cert pairs
-    It returns 1 on success and 0 on failure. It is used for
+ * with name |identity_cert_name|. It returns 1 on success and 0 on failure. It
-    experimental purpose for now and subject to change.
+ * is used for experimental purpose for now and subject to change.
 */
-GRPCAPI int grpc_tls_key_materials_config_set_version(
+GRPCAPI void grpc_tls_credentials_options_watch_identity_key_cert_pairs(
-    grpc_tls_key_materials_config* config, int version);
+    grpc_tls_credentials_options* options);
-/** Get the version number of a grpc_tls_key_materials_config instance.
+/**
-    It returns the version number on success and -1 on failure.
+ * Sets the name of the identity certificates being watched.
-    It is used for experimental purpose for now and subject to change.
+ * If not set, We will use a default empty string as the identity certificate
 * name. It is used for experimental purpose for now and subject to change.
 */
-GRPCAPI int grpc_tls_key_materials_config_get_version(
+GRPCAPI void grpc_tls_credentials_options_set_identity_cert_name(
-    grpc_tls_key_materials_config* config);
+    grpc_tls_credentials_options* options, const char* identity_cert_name);
 /** --- TLS credential reload config. ---
    It is used for experimental purpose for now and subject to change.*/
 typedef struct grpc_tls_credential_reload_arg grpc_tls_credential_reload_arg;
 /** A callback function provided by gRPC to handle the result of credential
    reload. It is used when schedule API is implemented asynchronously and
    serves to bring the control back to grpc C core. It is used for
    experimental purpose for now and subject to change. */
 typedef void (*grpc_tls_on_credential_reload_done_cb)(
    grpc_tls_credential_reload_arg* arg);
 /** A struct containing all information necessary to schedule/cancel a
    credential reload request.
    - cb and cb_user_data represent a gRPC-provided
      callback and an argument passed to it.
    - key_materials_config is an in/output parameter containing currently
      used/newly reloaded credentials. If credential reload does not result in
      a new credential, key_materials_config should not be modified. The same
      key_materials_config object can be updated if new key materials is
      available.
    - status and error_details are used to hold information about
      errors occurred when a credential reload request is scheduled/cancelled.
    - config is a pointer to the unique grpc_tls_credential_reload_config
      instance that this argument corresponds to.
    - context is a pointer to a wrapped language implementation of this
      grpc_tls_credential_reload_arg instance.
    - destroy_context is a pointer to a caller-provided method that cleans
      up any data associated with the context pointer.
    It is used for experimental purposes for now and subject to change.
 */
 struct grpc_tls_credential_reload_arg {
  grpc_tls_on_credential_reload_done_cb cb;
  void* cb_user_data;
  grpc_tls_key_materials_config* key_materials_config;
  grpc_ssl_certificate_config_reload_status status;
  grpc_tls_error_details* error_details;
  grpc_tls_credential_reload_config* config;
  void* context;
  void (*destroy_context)(void* ctx);
 };
-/** Create a grpc_tls_credential_reload_config instance.
+/**
-    - config_user_data is config-specific, read-only user data
+ * Sets the configuration for a custom authorization check performed at the end
-      that works for all channels created with a credential using the config.
+ * of the handshake. The |options| will implicitly take a new ref to the
-    - schedule is a pointer to an application-provided callback used to invoke
+ * |config|. It returns 1 on success and 0 on failure. It is used for
-      credential reload API. The implementation of this method has to be
+ * experimental purpose for now and subject to change.
-      non-blocking, but can be performed synchronously or asynchronously.
+ */
-      1) If processing occurs synchronously, it populates
+GRPCAPI void grpc_tls_credentials_options_set_server_authorization_check_config(
-      arg->key_materials_config, arg->status, and arg->error_details
+    grpc_tls_credentials_options* options,
-      and returns zero.
+    grpc_tls_server_authorization_check_config* config);
      2) If processing occurs asynchronously, it returns a non-zero value.
      The application then invokes arg->cb when processing is completed. Note
      that arg->cb cannot be invoked before schedule API returns.
    - cancel is a pointer to an application-provided callback used to cancel
      a credential reload request scheduled via an asynchronous schedule API.
      arg is used to pinpoint an exact reloading request to be cancelled.
      The operation may not have any effect if the request has already been
      processed.
    - destruct is a pointer to an application-provided callback used to clean up
      any data associated with the config.
    It is used for experimental purpose for now and subject to change.
 */
 GRPCAPI grpc_tls_credential_reload_config*
 grpc_tls_credential_reload_config_create(
    const void* config_user_data,
    int (*schedule)(void* config_user_data,
                    grpc_tls_credential_reload_arg* arg),
    void (*cancel)(void* config_user_data, grpc_tls_credential_reload_arg* arg),
    void (*destruct)(void* config_user_data));
 /** --- TLS server authorization check config. ---
 *  It is used for experimental purpose for now and subject to change. */
@ -1000,31 +973,28 @@ grpc_tls_server_authorization_check_config_create(
    void (*destruct)(void* config_user_data));
 /**
- * This method creates a TLS channel credential object.
+ * Releases a grpc_tls_server_authorization_check_config object. The creator of
- * It takes ownership of the options parameter. The security level
+ * the grpc_tls_server_authorization_check_config object is responsible for its
- * of the resulting connection is GRPC_PRIVACY_AND_INTEGRITY.
+ * release. It is used for experimental purpose for now and subject to change.
 *
 * - options: grpc TLS credentials options instance.
 *
 * It returns the created credential object.
 *
 * It is used for experimental purpose for now and subject
 * to change.
 */
 GRPCAPI void grpc_tls_server_authorization_check_config_release(
    grpc_tls_server_authorization_check_config* config);
 /**
 * Creates a TLS channel credential object based on the
 * grpc_tls_credentials_options specified by callers. The
 * grpc_channel_credentials will take the ownership of the |options|. The
 * security level of the resulting connection is GRPC_PRIVACY_AND_INTEGRITY. It
 * is used for experimental purpose for now and subject to change.
 */
 grpc_channel_credentials* grpc_tls_credentials_create(
    grpc_tls_credentials_options* options);
 /**
- * This method creates a TLS server credential object.
+ * Creates a TLS server credential object based on the
- * It takes ownership of the options parameter.
+ * grpc_tls_credentials_options specified by callers. The
- *
+ * grpc_server_credentials will take the ownership of the |options|. It
- * - options: grpc TLS credentials options instance.
+ * is used for experimental purpose for now and subject to change.
 *
 * It returns the created credential object.
 *
 * It is used for experimental purpose for now and subject
 * to change.
 */
 grpc_server_credentials* grpc_tls_server_credentials_create(
    grpc_tls_credentials_options* options);
--- a/include/grpcpp/security/credentials.h
+++ b/include/grpcpp/security/credentials.h
@ -329,7 +329,7 @@ std::shared_ptr<ChannelCredentials> LocalCredentials(
 /// Builds TLS Credentials given TLS options.
 std::shared_ptr<ChannelCredentials> TlsCredentials(
-    const TlsCredentialsOptions& options);
+    const TlsChannelCredentialsOptions& options);
 }  // namespace experimental
 }  // namespace grpc
--- a/include/grpcpp/security/server_credentials.h
+++ b/include/grpcpp/security/server_credentials.h
@ -105,7 +105,7 @@ std::shared_ptr<ServerCredentials> LocalServerCredentials(
 /// Builds TLS ServerCredentials given TLS options.
 std::shared_ptr<ServerCredentials> TlsServerCredentials(
-    const experimental::TlsCredentialsOptions& options);
+    const experimental::TlsServerCredentialsOptions& options);
 }  // namespace experimental
 }  // namespace grpc
--- a/include/grpcpp/security/tls_certificate_provider.h
+++ b/include/grpcpp/security/tls_certificate_provider.h
@ -0,0 +1,80 @@
 //
 // Copyright 2020 gRPC authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
 #ifndef GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H
 #define GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H
 #include <grpc/grpc_security_constants.h>
 #include <grpc/status.h>
 #include <grpc/support/log.h>
 #include <grpcpp/impl/codegen/grpc_library.h>
 #include <grpcpp/support/config.h>
 #include <memory>
 #include <vector>
 // TODO(yihuazhang): remove the forward declaration here and include
 // <grpc/grpc_security.h> directly once the insecure builds are cleaned up.
 typedef struct grpc_tls_certificate_provider grpc_tls_certificate_provider;
 namespace grpc {
 namespace experimental {
 // Interface for a class that handles the process to fetch credential data.
 // Implementations should be a wrapper class of an internal provider
 // implementation.
 class CertificateProviderInterface {
 public:
  virtual ~CertificateProviderInterface() = default;
  virtual grpc_tls_certificate_provider* c_provider() = 0;
 };
 // A struct that stores the credential data presented to the peer in handshake
 // to show local identity. The private_key and certificate_chain should always
 // match.
 struct IdentityKeyCertPair {
  std::string private_key;
  std::string certificate_chain;
 };
 // A basic CertificateProviderInterface implementation that will load credential
 // data from static string during initialization. This provider will always
 // return the same cert data for all cert names, and reloading is not supported.
 class StaticDataCertificateProvider : public CertificateProviderInterface {
 public:
  StaticDataCertificateProvider(
      const std::string& root_certificate,
      const std::vector<IdentityKeyCertPair>& identity_key_cert_pairs);
  StaticDataCertificateProvider(const std::string& root_certificate)
      : StaticDataCertificateProvider(root_certificate, {}) {}
  StaticDataCertificateProvider(
      const std::vector<IdentityKeyCertPair>& identity_key_cert_pairs)
      : StaticDataCertificateProvider("", identity_key_cert_pairs) {}
  ~StaticDataCertificateProvider();
  grpc_tls_certificate_provider* c_provider() override { return c_provider_; }
 private:
  grpc_tls_certificate_provider* c_provider_ = nullptr;
 };
 }  // namespace experimental
 }  // namespace grpc
 #endif  // GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H
--- a/include/grpcpp/security/tls_credentials_options.h
+++ b/include/grpcpp/security/tls_credentials_options.h
@ -22,151 +22,24 @@
 #include <grpc/grpc_security_constants.h>
 #include <grpc/status.h>
 #include <grpc/support/log.h>
 #include <grpcpp/security/tls_certificate_provider.h>
 #include <grpcpp/support/config.h>
 #include <memory>
 #include <vector>
-typedef struct grpc_tls_credential_reload_arg grpc_tls_credential_reload_arg;
+// TODO(yihuazhang): remove the forward declaration here and include
-typedef struct grpc_tls_credential_reload_config
+// <grpc/grpc_security.h> directly once the insecure builds are cleaned up.
    grpc_tls_credential_reload_config;
 typedef struct grpc_tls_server_authorization_check_arg
    grpc_tls_server_authorization_check_arg;
 typedef struct grpc_tls_server_authorization_check_config
    grpc_tls_server_authorization_check_config;
 typedef struct grpc_tls_credentials_options grpc_tls_credentials_options;
 typedef struct grpc_tls_certificate_provider grpc_tls_certificate_provider;
 namespace grpc {
 namespace experimental {
 /** TLS key materials config, wrapper for grpc_tls_key_materials_config. It is
 * used for experimental purposes for now and subject to change. **/
 class TlsKeyMaterialsConfig {
 public:
  struct PemKeyCertPair {
    std::string private_key;
    std::string cert_chain;
  };
  /** Getters for member fields. **/
  const std::string pem_root_certs() const { return pem_root_certs_; }
  const std::vector<PemKeyCertPair>& pem_key_cert_pair_list() const {
    return pem_key_cert_pair_list_;
  }
  int version() const { return version_; }
  /** Setter for key materials that will be called by the user. Ownership of the
   * arguments will not be transferred. **/
  void set_pem_root_certs(const std::string& pem_root_certs);
  void add_pem_key_cert_pair(const PemKeyCertPair& pem_key_cert_pair);
  void set_key_materials(
      const std::string& pem_root_certs,
      const std::vector<PemKeyCertPair>& pem_key_cert_pair_list);
  void set_version(int version) { version_ = version; };
 private:
  int version_ = 0;
  std::vector<PemKeyCertPair> pem_key_cert_pair_list_;
  std::string pem_root_certs_;
 };
 /** TLS credential reload arguments, wraps grpc_tls_credential_reload_arg. It is
 *  used for experimental purposes for now and it is subject to change.
 *
 *  The credential reload arg contains all the info necessary to schedule/cancel
 *  a credential reload request. The callback function must be called after
 *  finishing the schedule operation. See the description of the
 *  grpc_tls_credential_reload_arg struct in grpc_security.h for more details.
 * **/
 class TlsCredentialReloadArg {
 public:
  /** TlsCredentialReloadArg does not take ownership of the C arg that is passed
   *  to the constructor. One must remember to free any memory allocated to the
   * C arg after using the setter functions below. **/
  TlsCredentialReloadArg(grpc_tls_credential_reload_arg* arg);
  ~TlsCredentialReloadArg();
  /** Getters for member fields. **/
  void* cb_user_data() const;
  bool is_pem_key_cert_pair_list_empty() const;
  grpc_ssl_certificate_config_reload_status status() const;
  std::string error_details() const;
  /** Setters for member fields. Ownership of the arguments will not be
   *  transferred. **/
  void set_cb_user_data(void* cb_user_data);
  void set_pem_root_certs(const std::string& pem_root_certs);
  void add_pem_key_cert_pair(
      const TlsKeyMaterialsConfig::PemKeyCertPair& pem_key_cert_pair);
  void set_key_materials(const std::string& pem_root_certs,
                         std::vector<TlsKeyMaterialsConfig::PemKeyCertPair>
                             pem_key_cert_pair_list);
  void set_key_materials_config(
      const std::shared_ptr<TlsKeyMaterialsConfig>& key_materials_config);
  void set_status(grpc_ssl_certificate_config_reload_status status);
  void set_error_details(const std::string& error_details);
  /** Calls the C arg's callback function. **/
  void OnCredentialReloadDoneCallback();
 private:
  grpc_tls_credential_reload_arg* c_arg_;
 };
 /** An interface that the application derives and uses to instantiate a
 * TlsCredentialReloadConfig instance. Refer to the definition of the
 * grpc_tls_credential_reload_config in grpc_tls_credentials_options.h for more
 * details on the expectations of the member functions of the interface. **/
 struct TlsCredentialReloadInterface {
  virtual ~TlsCredentialReloadInterface() = default;
  /** A callback that invokes the credential reload. **/
  virtual int Schedule(TlsCredentialReloadArg* arg) = 0;
  /** A callback that cancels a credential reload request. **/
  virtual void Cancel(TlsCredentialReloadArg* /* arg */) {}
 };
 /** TLS credential reloag config, wraps grpc_tls_credential_reload_config. It is
 * used for experimental purposes for now and it is subject to change. **/
 class TlsCredentialReloadConfig {
 public:
  TlsCredentialReloadConfig(std::shared_ptr<TlsCredentialReloadInterface>
                                credential_reload_interface);
  ~TlsCredentialReloadConfig();
  int Schedule(TlsCredentialReloadArg* arg) const {
    if (credential_reload_interface_ == nullptr) {
      gpr_log(GPR_ERROR, "credential reload interface is nullptr");
      if (arg != nullptr) {
        arg->set_status(GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL);
        arg->set_error_details(
            "the interface of the credential reload config is nullptr");
      }
      return 1;
    }
    return credential_reload_interface_->Schedule(arg);
  }
  void Cancel(TlsCredentialReloadArg* arg) const {
    if (credential_reload_interface_ == nullptr) {
      gpr_log(GPR_ERROR, "credential reload interface is nullptr");
      if (arg != nullptr) {
        arg->set_status(GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL);
        arg->set_error_details(
            "the interface of the credential reload config is nullptr");
      }
      return;
    }
    credential_reload_interface_->Cancel(arg);
  }
  /** Returns a C struct for the credential reload config. **/
  grpc_tls_credential_reload_config* c_config() const { return c_config_; }
 private:
  grpc_tls_credential_reload_config* c_config_;
  std::shared_ptr<TlsCredentialReloadInterface> credential_reload_interface_;
 };
 /** TLS server authorization check arguments, wraps
 *  grpc_tls_server_authorization_check_arg. It is used for experimental
 *  purposes for now and it is subject to change.
@ -272,71 +145,85 @@ class TlsServerAuthorizationCheckConfig {
      server_authorization_check_interface_;
 };
-/** TLS credentials options, wrapper for grpc_tls_credentials_options. It is
+// Base class of configurable options specified by users to configure their
- * used for experimental purposes for now and it is subject to change. See the
+// certain security features supported in TLS. It is used for experimental
- * description of the grpc_tls_credentials_options struct in grpc_security.h for
+// purposes for now and it is subject to change.
 * more details. **/
 class TlsCredentialsOptions {
 public:
-  // Constructor for client.
+  // Constructor for base class TlsCredentialsOptions.
  //
  // @param certificate_provider the provider which fetches TLS credentials that
  // will be used in the TLS handshake
  explicit TlsCredentialsOptions(
-      grpc_tls_server_verification_option server_verification_option,
+      std::shared_ptr<CertificateProviderInterface> certificate_provider);
-      std::shared_ptr<TlsKeyMaterialsConfig> key_materials_config,
+  // ---- Setters for member fields ----
-      std::shared_ptr<TlsCredentialReloadConfig> credential_reload_config,
+  // Watches the updates of root certificates with name |root_cert_name|.
-      std::shared_ptr<TlsServerAuthorizationCheckConfig>
+  // If used in TLS credentials, it should always be set unless the root
-          server_authorization_check_config);
+  // certificates are not needed(e.g. in the one-side TLS scenario, the server
  // is not required to verify the client).
  void watch_root_certs();
  // Sets the name of root certificates being watched, if |watch_root_certs| is
  // called. If not set, an empty string will be used as the name.
  //
  // @param root_cert_name the name of root certs being set.
  void set_root_cert_name(const std::string& root_cert_name);
  // Watches the updates of identity key-cert pairs with name
  // |identity_cert_name|. If used in TLS credentials, it should always be set
  // unless the identity certificates are not needed(e.g. in the one-side TLS
  // scenario, the client is not required to provide certs).
  void watch_identity_key_cert_pairs();
  // Sets the name of identity key-cert pairs being watched, if
  // |watch_identity_key_cert_pairs| is called. If not set, an empty string will
  // be used as the name.
  //
  // @param identity_cert_name the name of identity key-cert pairs being set.
  void set_identity_cert_name(const std::string& identity_cert_name);
  // ----- Getters for member fields ----
  // Get the internal c options. This function shall be used only internally.
  grpc_tls_credentials_options* c_credentials_options() const {
    return c_credentials_options_;
  }
-  // Constructor for server.
+ private:
-  explicit TlsCredentialsOptions(
+  std::shared_ptr<CertificateProviderInterface> certificate_provider_;
-      grpc_ssl_client_certificate_request_type cert_request_type,
+  grpc_tls_credentials_options* c_credentials_options_ = nullptr;
-      std::shared_ptr<TlsKeyMaterialsConfig> key_materials_config,
+};
      std::shared_ptr<TlsCredentialReloadConfig> credential_reload_config);
-  // This constructor will be deprecated.
+// Contains configurable options on the client side.
-  TlsCredentialsOptions(
+// It is used for experimental purposes for now and it is subject to change.
-      grpc_ssl_client_certificate_request_type cert_request_type,
+class TlsChannelCredentialsOptions final : public TlsCredentialsOptions {
-      grpc_tls_server_verification_option server_verification_option,
+ public:
-      std::shared_ptr<TlsKeyMaterialsConfig> key_materials_config,
+  explicit TlsChannelCredentialsOptions(
-      std::shared_ptr<TlsCredentialReloadConfig> credential_reload_config,
+      std::shared_ptr<CertificateProviderInterface> certificate_provider)
      : TlsCredentialsOptions(std::move(certificate_provider)) {}
  // Sets the option to verify the server.
  // The default is GRPC_TLS_SERVER_VERIFICATION.
  void set_server_verification_option(
      grpc_tls_server_verification_option server_verification_option);
  // Sets the custom authorization config.
  void set_server_authorization_check_config(
      std::shared_ptr<TlsServerAuthorizationCheckConfig>
-          server_authorization_check_config);
+          authorization_check_config);
  ~TlsCredentialsOptions();
-  /** Getters for member fields. **/
+ private:
-  grpc_ssl_client_certificate_request_type cert_request_type() const {
+};
-    return cert_request_type_;
+
-  }
+// Contains configurable options on the server side.
-  grpc_tls_server_verification_option server_verification_option() const {
+// It is used for experimental purposes for now and it is subject to change.
-    return server_verification_option_;
+class TlsServerCredentialsOptions final : public TlsCredentialsOptions {
-  }
+ public:
-  std::shared_ptr<TlsKeyMaterialsConfig> key_materials_config() const {
+  explicit TlsServerCredentialsOptions(
-    return key_materials_config_;
+      std::shared_ptr<CertificateProviderInterface> certificate_provider)
-  }
+      : TlsCredentialsOptions(std::move(certificate_provider)) {}
-  std::shared_ptr<TlsCredentialReloadConfig> credential_reload_config() const {
+
-    return credential_reload_config_;
+  // Sets option to request the certificates from the client.
-  }
+  // The default is GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE.
-  std::shared_ptr<TlsServerAuthorizationCheckConfig>
+  void set_cert_request_type(
-  server_authorization_check_config() const {
+      grpc_ssl_client_certificate_request_type cert_request_type);
    return server_authorization_check_config_;
  }
  grpc_tls_credentials_options* c_credentials_options() const {
    return c_credentials_options_;
  }
 private:
  /** The cert_request_type_ flag is only relevant when the
   * TlsCredentialsOptions are used to instantiate server credentials; the flag
   * goes unused when creating channel credentials, and the user can set it to
   * GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE. **/
  grpc_ssl_client_certificate_request_type cert_request_type_;
  /** The server_verification_option_ flag is only relevant when the
   * TlsCredentialsOptions are used to instantiate client credentials; **/
  grpc_tls_server_verification_option server_verification_option_;
  std::shared_ptr<TlsKeyMaterialsConfig> key_materials_config_;
  std::shared_ptr<TlsCredentialReloadConfig> credential_reload_config_;
  std::shared_ptr<TlsServerAuthorizationCheckConfig>
      server_authorization_check_config_;
  grpc_tls_credentials_options* c_credentials_options_;
 };
 }  // namespace experimental
--- a/package.xml
+++ b/package.xml
@ -931,7 +931,6 @@
    <file baseinstalldir="/" name="src/core/lib/security/authorization/evaluate_args.h" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/authorization/mock_cel/activation.h" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/authorization/mock_cel/cel_value.h" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/certificate_provider.h" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/context/security_context.cc" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/context/security_context.h" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/credentials/alts/alts_credentials.cc" role="src" />
@ -978,6 +977,8 @@
    <file baseinstalldir="/" name="src/core/lib/security/credentials/ssl/ssl_credentials.h" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/credentials/tls/tls_credentials.cc" role="src" />
--- a/src/core/ext/xds/certificate_provider_factory.h
+++ b/src/core/ext/xds/certificate_provider_factory.h
@ -23,7 +23,7 @@
 #include "src/core/lib/iomgr/error.h"
 #include "src/core/lib/json/json.h"
-#include "src/core/lib/security/certificate_provider.h"
+#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
 namespace grpc_core {
--- a/src/core/ext/xds/certificate_provider_store.h
+++ b/src/core/ext/xds/certificate_provider_store.h
@ -28,7 +28,7 @@
 #include "src/core/ext/xds/certificate_provider_factory.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/gprpp/sync.h"
-#include "src/core/lib/security/certificate_provider.h"
+#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
 namespace grpc_core {
--- a/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc
+++ b/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc
@ -26,7 +26,7 @@
 void grpc_tls_certificate_distributor::SetKeyMaterials(
    const std::string& cert_name, absl::optional<std::string> pem_root_certs,
-    absl::optional<PemKeyCertPairList> pem_key_cert_pairs) {
+    absl::optional<grpc_core::PemKeyCertPairList> pem_key_cert_pairs) {
  GPR_ASSERT(pem_root_certs.has_value() || pem_key_cert_pairs.has_value());
  grpc_core::MutexLock lock(&mu_);
  auto& cert_info = certificate_info_map_[cert_name];
@ -38,7 +38,8 @@ void grpc_tls_certificate_distributor::SetKeyMaterials(
      const auto watcher_it = watchers_.find(watcher_ptr);
      GPR_ASSERT(watcher_it != watchers_.end());
      GPR_ASSERT(watcher_it->second.root_cert_name.has_value());
-      absl::optional<PemKeyCertPairList> pem_key_cert_pairs_to_report;
+      absl::optional<grpc_core::PemKeyCertPairList>
          pem_key_cert_pairs_to_report;
      if (pem_key_cert_pairs.has_value() &&
          watcher_it->second.identity_cert_name == cert_name) {
        pem_key_cert_pairs_to_report = pem_key_cert_pairs;
@ -188,7 +189,7 @@ void grpc_tls_certificate_distributor::WatchTlsCertificates(
    watchers_[watcher_ptr] = {std::move(watcher), root_cert_name,
                              identity_cert_name};
    absl::optional<absl::string_view> updated_root_certs;
-    absl::optional<PemKeyCertPairList> updated_identity_pairs;
+    absl::optional<grpc_core::PemKeyCertPairList> updated_identity_pairs;
    grpc_error* root_error = GRPC_ERROR_NONE;
    grpc_error* identity_error = GRPC_ERROR_NONE;
    if (root_cert_name.has_value()) {
@ -319,3 +320,28 @@ void grpc_tls_certificate_distributor::CancelTlsCertificatesWatch(
    }
  }
 };
 /** -- Wrapper APIs declared in grpc_security.h -- **/
 grpc_tls_identity_pairs* grpc_tls_identity_pairs_create() {
  return new grpc_tls_identity_pairs();
 }
 void grpc_tls_identity_pairs_add_pair(grpc_tls_identity_pairs* pairs,
                                      const char* private_key,
                                      const char* cert_chain) {
  GPR_ASSERT(pairs != nullptr);
  GPR_ASSERT(private_key != nullptr);
  GPR_ASSERT(cert_chain != nullptr);
  grpc_ssl_pem_key_cert_pair* ssl_pair =
      static_cast<grpc_ssl_pem_key_cert_pair*>(
          gpr_malloc(sizeof(grpc_ssl_pem_key_cert_pair)));
  ssl_pair->private_key = gpr_strdup(private_key);
  ssl_pair->cert_chain = gpr_strdup(cert_chain);
  pairs->pem_key_cert_pairs.emplace_back(ssl_pair);
 }
 void grpc_tls_identity_pairs_destroy(grpc_tls_identity_pairs* pairs) {
  GPR_ASSERT(pairs != nullptr);
  delete pairs;
 }
--- a/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h
+++ b/src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h
@ -28,12 +28,14 @@
 #include "src/core/lib/gprpp/ref_counted.h"
 #include "src/core/lib/security/security_connector/ssl_utils.h"
 struct grpc_tls_identity_pairs {
  grpc_core::PemKeyCertPairList pem_key_cert_pairs;
 };
 // TLS certificate distributor.
 struct grpc_tls_certificate_distributor
    : public grpc_core::RefCounted<grpc_tls_certificate_distributor> {
 public:
  typedef absl::InlinedVector<grpc_core::PemKeyCertPair, 1> PemKeyCertPairList;
  // Interface for watching TLS certificates update.
  class TlsCertificatesWatcherInterface {
   public:
@ -50,7 +52,7 @@ struct grpc_tls_certificate_distributor
    // pairs.
    virtual void OnCertificatesChanged(
        absl::optional<absl::string_view> root_certs,
-        absl::optional<PemKeyCertPairList> key_cert_pairs) = 0;
+        absl::optional<grpc_core::PemKeyCertPairList> key_cert_pairs) = 0;
    // Handles an error that occurs while attempting to fetch certificate data.
    // Note that if a watcher sees an error, it simply means the Provider is
@ -80,9 +82,9 @@ struct grpc_tls_certificate_distributor
  // @param cert_name The name of the certificates being updated.
  // @param pem_root_certs The content of root certificates.
  // @param pem_key_cert_pairs The content of identity key-cert pairs.
-  void SetKeyMaterials(const std::string& cert_name,
+  void SetKeyMaterials(
-                       absl::optional<std::string> pem_root_certs,
+      const std::string& cert_name, absl::optional<std::string> pem_root_certs,
-                       absl::optional<PemKeyCertPairList> pem_key_cert_pairs);
+      absl::optional<grpc_core::PemKeyCertPairList> pem_key_cert_pairs);
  bool HasRootCerts(const std::string& root_cert_name);
@ -170,7 +172,7 @@ struct grpc_tls_certificate_distributor
    // The contents of the root certificates.
    std::string pem_root_certs;
    // The contents of the identity key-certificate pairs.
-    PemKeyCertPairList pem_key_cert_pairs;
+    grpc_core::PemKeyCertPairList pem_key_cert_pairs;
    // The root cert reloading error propagated by the caller.
    grpc_error* root_cert_error = GRPC_ERROR_NONE;
    // The identity cert reloading error propagated by the caller.
--- a/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc
+++ b/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc
@ -0,0 +1,78 @@
 //
 // Copyright 2020 gRPC authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
 #include <grpc/support/port_platform.h>
 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
 #include <grpc/support/string_util.h>
 #include "src/core/lib/surface/api_trace.h"
 namespace grpc_core {
 StaticDataCertificateProvider::StaticDataCertificateProvider(
    std::string root_certificate,
    grpc_core::PemKeyCertPairList pem_key_cert_pairs)
    : distributor_(MakeRefCounted<grpc_tls_certificate_distributor>()),
      root_certificate_(std::move(root_certificate)),
      pem_key_cert_pairs_(std::move(pem_key_cert_pairs)) {
  distributor_->SetWatchStatusCallback([this](std::string cert_name,
                                              bool root_being_watched,
                                              bool identity_being_watched) {
    if (!root_being_watched && !identity_being_watched) return;
    absl::optional<std::string> root_certificate;
    absl::optional<grpc_core::PemKeyCertPairList> pem_key_cert_pairs;
    if (root_being_watched) {
      root_certificate = root_certificate_;
    }
    if (identity_being_watched) {
      pem_key_cert_pairs = pem_key_cert_pairs_;
    }
    distributor_->SetKeyMaterials(cert_name, std::move(root_certificate),
                                  std::move(pem_key_cert_pairs));
  });
 }
 }  // namespace grpc_core
 /** -- Wrapper APIs declared in grpc_security.h -- **/
 grpc_tls_certificate_provider* grpc_tls_certificate_provider_static_data_create(
    const char* root_certificate, grpc_tls_identity_pairs* pem_key_cert_pairs) {
  GPR_ASSERT(root_certificate != nullptr || pem_key_cert_pairs != nullptr);
  grpc_core::PemKeyCertPairList identity_pairs_core;
  if (pem_key_cert_pairs != nullptr) {
    identity_pairs_core = std::move(pem_key_cert_pairs->pem_key_cert_pairs);
    delete pem_key_cert_pairs;
  }
  std::string root_cert_core;
  if (root_certificate != nullptr) {
    root_cert_core = root_certificate;
  }
  return new grpc_core::StaticDataCertificateProvider(
      std::move(root_cert_core), std::move(identity_pairs_core));
 }
 void grpc_tls_certificate_provider_release(
    grpc_tls_certificate_provider* provider) {
  GRPC_API_TRACE("grpc_tls_certificate_provider_release(provider=%p)", 1,
                 (provider));
  grpc_core::ExecCtx exec_ctx;
  if (provider != nullptr) provider->Unref();
 }
--- a/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h
+++ b/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h
@ -1,5 +1,4 @@
 //
 //
 // Copyright 2020 gRPC authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
@ -14,17 +13,22 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
 //
-#ifndef GRPC_CORE_LIB_SECURITY_CERTIFICATE_PROVIDER_H
+#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CERTIFICATE_PROVIDER_H
-#define GRPC_CORE_LIB_SECURITY_CERTIFICATE_PROVIDER_H
+#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CERTIFICATE_PROVIDER_H
 #include <grpc/support/port_platform.h>
 #include <grpc/grpc_security.h>
 #include <string.h>
 #include "absl/container/inlined_vector.h"
 #include "src/core/lib/gprpp/ref_counted.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/iomgr/pollset_set.h"
 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h"
 #include "src/core/lib/security/security_connector/ssl_utils.h"
 // Interface for a grpc_tls_certificate_provider that handles the process to
 // fetch credentials and validation contexts. Implementations are free to rely
@ -44,4 +48,27 @@ struct grpc_tls_certificate_provider
  distributor() const = 0;
 };
-#endif  // GRPC_CORE_LIB_SECURITY_CERTIFICATE_PROVIDER_H
+namespace grpc_core {
 // A basic provider class that will get credentials from string during
 // initialization.
 class StaticDataCertificateProvider final
    : public grpc_tls_certificate_provider {
 public:
  StaticDataCertificateProvider(
      std::string root_certificate,
      grpc_core::PemKeyCertPairList pem_key_cert_pairs);
  RefCountedPtr<grpc_tls_certificate_distributor> distributor() const override {
    return distributor_;
  }
 private:
  RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
  std::string root_certificate_;
  grpc_core::PemKeyCertPairList pem_key_cert_pairs_;
 };
 }  // namespace grpc_core
 #endif  // GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CERTIFICATE_PROVIDER_H
--- a/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc
+++ b/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc
@ -27,49 +27,7 @@
 #include <grpc/support/log.h>
 #include <grpc/support/string_util.h>
-/** -- gRPC TLS key materials config API implementation. -- **/
+#include "src/core/lib/surface/api_trace.h"
 void grpc_tls_key_materials_config::set_key_materials(
    const char* pem_root_certs,
    const grpc_ssl_pem_key_cert_pair** pem_key_cert_pairs,
    size_t num_key_cert_pairs) {
  this->set_pem_root_certs(pem_root_certs);
  grpc_tls_key_materials_config::PemKeyCertPairList cert_pair_list;
  for (size_t i = 0; i < num_key_cert_pairs; i++) {
    auto current_pair = static_cast<grpc_ssl_pem_key_cert_pair*>(
        gpr_zalloc(sizeof(grpc_ssl_pem_key_cert_pair)));
    current_pair->cert_chain = gpr_strdup(pem_key_cert_pairs[i]->cert_chain);
    current_pair->private_key = gpr_strdup(pem_key_cert_pairs[i]->private_key);
    cert_pair_list.emplace_back(grpc_core::PemKeyCertPair(current_pair));
  }
  pem_key_cert_pair_list_ = std::move(cert_pair_list);
 }
 void grpc_tls_key_materials_config::set_key_materials(
    const char* pem_root_certs,
    const PemKeyCertPairList& pem_key_cert_pair_list) {
  this->set_pem_root_certs(pem_root_certs);
  grpc_tls_key_materials_config::PemKeyCertPairList dup_list(
      pem_key_cert_pair_list);
  pem_key_cert_pair_list_ = std::move(dup_list);
 }
 /** -- gRPC TLS credential reload config API implementation. -- **/
 grpc_tls_credential_reload_config::grpc_tls_credential_reload_config(
    const void* config_user_data,
    int (*schedule)(void* config_user_data,
                    grpc_tls_credential_reload_arg* arg),
    void (*cancel)(void* config_user_data, grpc_tls_credential_reload_arg* arg),
    void (*destruct)(void* config_user_data))
    : config_user_data_(const_cast<void*>(config_user_data)),
      schedule_(schedule),
      cancel_(cancel),
      destruct_(destruct) {}
 grpc_tls_credential_reload_config::~grpc_tls_credential_reload_config() {
  if (destruct_ != nullptr) {
    destruct_((void*)config_user_data_);
  }
 }
 /** -- gRPC TLS server authorization check API implementation. -- **/
 grpc_tls_server_authorization_check_config::
@ -92,138 +50,99 @@ grpc_tls_server_authorization_check_config::
  }
 }
 int grpc_tls_server_authorization_check_config::Schedule(
    grpc_tls_server_authorization_check_arg* arg) const {
  if (schedule_ == nullptr) {
    gpr_log(GPR_ERROR, "schedule API is nullptr");
    if (arg != nullptr) {
      arg->status = GRPC_STATUS_NOT_FOUND;
      arg->error_details->set_error_details(
          "schedule API in server authorization check config is nullptr");
    }
    return 1;
  }
  if (arg != nullptr && context_ != nullptr) {
    arg->config = const_cast<grpc_tls_server_authorization_check_config*>(this);
  }
  return schedule_(config_user_data_, arg);
 }
 void grpc_tls_server_authorization_check_config::Cancel(
    grpc_tls_server_authorization_check_arg* arg) const {
  if (cancel_ == nullptr) {
    gpr_log(GPR_ERROR, "cancel API is nullptr.");
    if (arg != nullptr) {
      arg->status = GRPC_STATUS_NOT_FOUND;
      arg->error_details->set_error_details(
          "schedule API in server authorization check config is nullptr");
    }
    return;
  }
  if (arg != nullptr) {
    arg->config = const_cast<grpc_tls_server_authorization_check_config*>(this);
  }
  cancel_(config_user_data_, arg);
 }
 /** -- Wrapper APIs declared in grpc_security.h -- **/
 grpc_tls_credentials_options* grpc_tls_credentials_options_create() {
  return new grpc_tls_credentials_options();
 }
-int grpc_tls_credentials_options_set_cert_request_type(
+void grpc_tls_credentials_options_set_cert_request_type(
    grpc_tls_credentials_options* options,
    grpc_ssl_client_certificate_request_type type) {
-  if (options == nullptr) {
+  GPR_ASSERT(options != nullptr);
    gpr_log(GPR_ERROR,
            "Invalid nullptr arguments to "
            "grpc_tls_credentials_options_set_cert_request_type()");
    return 0;
  }
  options->set_cert_request_type(type);
  return 1;
 }
-int grpc_tls_credentials_options_set_server_verification_option(
+void grpc_tls_credentials_options_set_server_verification_option(
    grpc_tls_credentials_options* options,
    grpc_tls_server_verification_option server_verification_option) {
-  if (options == nullptr) {
+  GPR_ASSERT(options != nullptr);
    gpr_log(GPR_ERROR,
            "Invalid nullptr arguments to "
            "grpc_tls_credentials_options_set_server_verification_option()");
    return 0;
  }
  if (server_verification_option != GRPC_TLS_SERVER_VERIFICATION &&
      options->server_authorization_check_config() == nullptr) {
    gpr_log(GPR_ERROR,
            "server_authorization_check_config needs to be specified when"
            "server_verification_option is not GRPC_TLS_SERVER_VERIFICATION");
    return 0;
  }
  options->set_server_verification_option(server_verification_option);
  return 1;
 }
 int grpc_tls_credentials_options_set_key_materials_config(
    grpc_tls_credentials_options* options,
    grpc_tls_key_materials_config* config) {
  if (options == nullptr || config == nullptr) {
    gpr_log(GPR_ERROR,
            "Invalid nullptr arguments to "
            "grpc_tls_credentials_options_set_key_materials_config()");
    return 0;
  }
  options->set_key_materials_config(config->Ref());
  return 1;
 }
-int grpc_tls_credentials_options_set_credential_reload_config(
+void grpc_tls_credentials_options_set_certificate_provider(
    grpc_tls_credentials_options* options,
-    grpc_tls_credential_reload_config* config) {
+    grpc_tls_certificate_provider* provider) {
-  if (options == nullptr || config == nullptr) {
+  GPR_ASSERT(options != nullptr);
-    gpr_log(GPR_ERROR,
+  GPR_ASSERT(provider != nullptr);
-            "Invalid nullptr arguments to "
+  options->set_certificate_provider(
-            "grpc_tls_credentials_options_set_credential_reload_config()");
+      provider->Ref(DEBUG_LOCATION, "set_certificate_provider"));
    return 0;
  }
  options->set_credential_reload_config(config->Ref());
  return 1;
 }
-int grpc_tls_credentials_options_set_server_authorization_check_config(
+void grpc_tls_credentials_options_watch_root_certs(
-    grpc_tls_credentials_options* options,
+    grpc_tls_credentials_options* options) {
-    grpc_tls_server_authorization_check_config* config) {
+  GPR_ASSERT(options != nullptr);
-  if (options == nullptr || config == nullptr) {
+  options->set_watch_root_cert(true);
    gpr_log(
        GPR_ERROR,
        "Invalid nullptr arguments to "
        "grpc_tls_credentials_options_set_server_authorization_check_config()");
    return 0;
  }
  options->set_server_authorization_check_config(config->Ref());
  return 1;
 }
-grpc_tls_key_materials_config* grpc_tls_key_materials_config_create() {
+void grpc_tls_credentials_options_set_root_cert_name(
-  return new grpc_tls_key_materials_config();
+    grpc_tls_credentials_options* options, const char* root_cert_name) {
  GPR_ASSERT(options != nullptr);
  options->set_root_cert_name(root_cert_name);
 }
-int grpc_tls_key_materials_config_set_key_materials(
+void grpc_tls_credentials_options_watch_identity_key_cert_pairs(
-    grpc_tls_key_materials_config* config, const char* root_certs,
+    grpc_tls_credentials_options* options) {
-    const grpc_ssl_pem_key_cert_pair** key_cert_pairs, size_t num) {
+  GPR_ASSERT(options != nullptr);
-  if (config == nullptr || key_cert_pairs == nullptr || num == 0) {
+  options->set_watch_identity_pair(true);
    gpr_log(GPR_ERROR,
            "Invalid arguments to "
            "grpc_tls_key_materials_config_set_key_materials()");
    return 0;
  }
  config->set_key_materials(root_certs, key_cert_pairs, num);
  return 1;
 }
 int grpc_tls_key_materials_config_set_version(
    grpc_tls_key_materials_config* config, int version) {
  if (config == nullptr) {
    gpr_log(GPR_ERROR,
            "Invalid arguments to "
            "grpc_tls_key_materials_config_set_version()");
    return 0;
  }
  config->set_version(version);
  return 1;
 }
-int grpc_tls_key_materials_config_get_version(
+void grpc_tls_credentials_options_set_identity_cert_name(
-    grpc_tls_key_materials_config* config) {
+    grpc_tls_credentials_options* options, const char* identity_cert_name) {
-  if (config == nullptr) {
+  GPR_ASSERT(options != nullptr);
-    gpr_log(GPR_ERROR,
+  options->set_identity_cert_name(identity_cert_name);
            "Invalid arguments to "
            "grpc_tls_key_materials_config_get_version()");
    return -1;
  }
  return config->version();
 }
-grpc_tls_credential_reload_config* grpc_tls_credential_reload_config_create(
+void grpc_tls_credentials_options_set_server_authorization_check_config(
-    const void* config_user_data,
+    grpc_tls_credentials_options* options,
-    int (*schedule)(void* config_user_data,
+    grpc_tls_server_authorization_check_config* config) {
-                    grpc_tls_credential_reload_arg* arg),
+  GPR_ASSERT(options != nullptr);
-    void (*cancel)(void* config_user_data, grpc_tls_credential_reload_arg* arg),
+  GPR_ASSERT(config != nullptr);
-    void (*destruct)(void* config_user_data)) {
+  options->set_server_authorization_check_config(config->Ref());
  if (schedule == nullptr) {
    gpr_log(
        GPR_ERROR,
        "Schedule API is nullptr in creating TLS credential reload config.");
    return nullptr;
  }
  return new grpc_tls_credential_reload_config(config_user_data, schedule,
                                               cancel, destruct);
 }
 grpc_tls_server_authorization_check_config*
@ -243,3 +162,12 @@ grpc_tls_server_authorization_check_config_create(
  return new grpc_tls_server_authorization_check_config(
      config_user_data, schedule, cancel, destruct);
 }
 void grpc_tls_server_authorization_check_config_release(
    grpc_tls_server_authorization_check_config* config) {
  GRPC_API_TRACE(
      "grpc_tls_server_authorization_check_config_release(config=%p)", 1,
      (config));
  grpc_core::ExecCtx exec_ctx;
  if (config != nullptr) config->Unref();
 }
--- a/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h
+++ b/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h
@ -26,6 +26,8 @@
 #include "absl/container/inlined_vector.h"
 #include "src/core/lib/gprpp/ref_counted.h"
 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h"
 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
 #include "src/core/lib/security/security_connector/ssl_utils.h"
 struct grpc_tls_error_details
@ -41,126 +43,6 @@ struct grpc_tls_error_details
  std::string error_details_;
 };
 /** TLS key materials config. **/
 struct grpc_tls_key_materials_config
    : public grpc_core::RefCounted<grpc_tls_key_materials_config> {
 public:
  typedef absl::InlinedVector<grpc_core::PemKeyCertPair, 1> PemKeyCertPairList;
  /** Getters for member fields. **/
  const char* pem_root_certs() const { return pem_root_certs_.get(); }
  const PemKeyCertPairList& pem_key_cert_pair_list() const {
    return pem_key_cert_pair_list_;
  }
  int version() const { return version_; }
  /** Setters for member fields. **/
  // TODO(ZhenLian): Remove this function
  void set_pem_root_certs(grpc_core::UniquePtr<char> pem_root_certs) {
    pem_root_certs_ = std::move(pem_root_certs);
  }
  // The ownerships of |pem_root_certs| remain with the caller.
  void set_pem_root_certs(const char* pem_root_certs) {
    // make a copy of pem_root_certs.
    grpc_core::UniquePtr<char> pem_root_ptr(gpr_strdup(pem_root_certs));
    pem_root_certs_ = std::move(pem_root_ptr);
  }
  void add_pem_key_cert_pair(grpc_core::PemKeyCertPair pem_key_cert_pair) {
    pem_key_cert_pair_list_.push_back(std::move(pem_key_cert_pair));
  }
  // The ownerships of |pem_root_certs| and |pem_key_cert_pairs| remain with the
  // caller.
  void set_key_materials(const char* pem_root_certs,
                         const grpc_ssl_pem_key_cert_pair** pem_key_cert_pairs,
                         size_t num_key_cert_pairs);
  // The ownerships of |pem_root_certs| and |pem_key_cert_pair_list| remain with
  // the caller.
  void set_key_materials(const char* pem_root_certs,
                         const PemKeyCertPairList& pem_key_cert_pair_list);
  void set_version(int version) { version_ = version; }
 private:
  int version_ = 0;
  PemKeyCertPairList pem_key_cert_pair_list_;
  grpc_core::UniquePtr<char> pem_root_certs_;
 };
 /** TLS credential reload config. **/
 struct grpc_tls_credential_reload_config
    : public grpc_core::RefCounted<grpc_tls_credential_reload_config> {
 public:
  grpc_tls_credential_reload_config(
      const void* config_user_data,
      int (*schedule)(void* config_user_data,
                      grpc_tls_credential_reload_arg* arg),
      void (*cancel)(void* config_user_data,
                     grpc_tls_credential_reload_arg* arg),
      void (*destruct)(void* config_user_data));
  ~grpc_tls_credential_reload_config() override;
  void* context() const { return context_; }
  void set_context(void* context) { context_ = context; }
  int Schedule(grpc_tls_credential_reload_arg* arg) const {
    if (schedule_ == nullptr) {
      gpr_log(GPR_ERROR, "schedule API is nullptr");
      if (arg != nullptr) {
        arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL;
        arg->error_details->set_error_details(
            "schedule API in credential reload config is nullptr");
      }
      return 1;
    }
    if (arg != nullptr) {
      arg->config = const_cast<grpc_tls_credential_reload_config*>(this);
    }
    return schedule_(config_user_data_, arg);
  }
  void Cancel(grpc_tls_credential_reload_arg* arg) const {
    if (cancel_ == nullptr) {
      gpr_log(GPR_ERROR, "cancel API is nullptr.");
      if (arg != nullptr) {
        arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL;
        arg->error_details->set_error_details(
            "cancel API in credential reload config is nullptr");
      }
      return;
    }
    if (arg != nullptr) {
      arg->config = const_cast<grpc_tls_credential_reload_config*>(this);
    }
    cancel_(config_user_data_, arg);
  }
 private:
  /** This is a pointer to the wrapped language implementation of
   * grpc_tls_credential_reload_config. It is necessary to implement the C
   * schedule and cancel functions, given the schedule or cancel function in a
   * wrapped language. **/
  void* context_ = nullptr;
  /** config-specific, read-only user data that works for all channels created
     with a credential using the config. */
  void* config_user_data_;
  /** callback function for invoking credential reload API. The implementation
     of this method has to be non-blocking, but can be performed synchronously
     or asynchronously.
     If processing occurs synchronously, it populates \a arg->key_materials, \a
     arg->status, and \a arg->error_details and returns zero.
     If processing occurs asynchronously, it returns a non-zero value.
     Application then invokes \a arg->cb when processing is completed. Note that
     \a arg->cb cannot be invoked before \a schedule returns.
  */
  int (*schedule_)(void* config_user_data, grpc_tls_credential_reload_arg* arg);
  /** callback function for cancelling a credential reload request scheduled via
     an asynchronous \a schedule. \a arg is used to pinpoint an exact reloading
     request to be cancelled, and the operation may not have any effect if the
     request has already been processed. */
  void (*cancel_)(void* config_user_data, grpc_tls_credential_reload_arg* arg);
  /** callback function for cleaning up any data associated with credential
     reload config. */
  void (*destruct_)(void* config_user_data);
 };
 /** TLS server authorization check config. **/
 struct grpc_tls_server_authorization_check_config
    : public grpc_core::RefCounted<grpc_tls_server_authorization_check_config> {
@ -175,40 +57,12 @@ struct grpc_tls_server_authorization_check_config
  ~grpc_tls_server_authorization_check_config() override;
  void* context() const { return context_; }
  void set_context(void* context) { context_ = context; }
-  int Schedule(grpc_tls_server_authorization_check_arg* arg) const {
+  int Schedule(grpc_tls_server_authorization_check_arg* arg) const;
-    if (schedule_ == nullptr) {
+
-      gpr_log(GPR_ERROR, "schedule API is nullptr");
+  void Cancel(grpc_tls_server_authorization_check_arg* arg) const;
      if (arg != nullptr) {
        arg->status = GRPC_STATUS_NOT_FOUND;
        arg->error_details->set_error_details(
            "schedule API in server authorization check config is nullptr");
      }
      return 1;
    }
    if (arg != nullptr && context_ != nullptr) {
      arg->config =
          const_cast<grpc_tls_server_authorization_check_config*>(this);
    }
    return schedule_(config_user_data_, arg);
  }
  void Cancel(grpc_tls_server_authorization_check_arg* arg) const {
    if (cancel_ == nullptr) {
      gpr_log(GPR_ERROR, "cancel API is nullptr.");
      if (arg != nullptr) {
        arg->status = GRPC_STATUS_NOT_FOUND;
        arg->error_details->set_error_details(
            "schedule API in server authorization check config is nullptr");
      }
      return;
    }
    if (arg != nullptr) {
      arg->config =
          const_cast<grpc_tls_server_authorization_check_config*>(this);
    }
    cancel_(config_user_data_, arg);
  }
 private:
  /** This is a pointer to the wrapped language implementation of
@ -241,23 +95,15 @@ struct grpc_tls_server_authorization_check_config
  void (*destruct_)(void* config_user_data);
 };
-/* TLS credentials options. */
+// Contains configurable options specified by callers to configure their certain
 // security features supported in TLS.
 // TODO(ZhenLian): consider making this not ref-counted.
 struct grpc_tls_credentials_options
    : public grpc_core::RefCounted<grpc_tls_credentials_options> {
 public:
-  ~grpc_tls_credentials_options() override {
+  ~grpc_tls_credentials_options() override = default;
    if (key_materials_config_.get() != nullptr) {
      key_materials_config_->Unref();
    }
    if (credential_reload_config_.get() != nullptr) {
      credential_reload_config_->Unref();
    }
    if (server_authorization_check_config_.get() != nullptr) {
      server_authorization_check_config_->Unref();
    }
  }
-  /* Getters for member fields. */
+  // Getters for member fields.
  grpc_ssl_client_certificate_request_type cert_request_type() const {
    return cert_request_type_;
  }
@ -266,18 +112,26 @@ struct grpc_tls_credentials_options
  }
  grpc_tls_version min_tls_version() const { return min_tls_version_; }
  grpc_tls_version max_tls_version() const { return max_tls_version_; }
  grpc_tls_key_materials_config* key_materials_config() const {
    return key_materials_config_.get();
  }
  grpc_tls_credential_reload_config* credential_reload_config() const {
    return credential_reload_config_.get();
  }
  grpc_tls_server_authorization_check_config*
  server_authorization_check_config() const {
    return server_authorization_check_config_.get();
  }
-
+  // This will be used by the security connector to get the correct distributor.
-  /* Setters for member fields. */
+  // It can be applied to both the Tls*Creds and the Xds*Creds cases.
  // For Tls*Creds case, we will get the distributor from the provider;
  // For Xds*Creds case, there will be a level of indirection between the
  // provider and the distributor, so we will get the distributor directly.
  grpc_tls_certificate_distributor* certificate_distributor() {
    if (provider_ != nullptr) return provider_->distributor().get();
    if (distributor_ != nullptr) return distributor_.get();
    return nullptr;
  }
  bool watch_root_cert() { return watch_root_cert_; }
  const std::string& root_cert_name() { return root_cert_name_; }
  bool watch_identity_pair() { return watch_identity_pair_; }
  const std::string& identity_cert_name() { return identity_cert_name_; }
  // Setters for member fields.
  void set_cert_request_type(
      const grpc_ssl_client_certificate_request_type type) {
    cert_request_type_ = type;
@ -292,32 +146,61 @@ struct grpc_tls_credentials_options
  void set_max_tls_version(grpc_tls_version max_tls_version) {
    max_tls_version_ = max_tls_version;
  }
  void set_key_materials_config(
      grpc_core::RefCountedPtr<grpc_tls_key_materials_config> config) {
    key_materials_config_ = std::move(config);
  }
  void set_credential_reload_config(
      grpc_core::RefCountedPtr<grpc_tls_credential_reload_config> config) {
    credential_reload_config_ = std::move(config);
  }
  void set_server_authorization_check_config(
      grpc_core::RefCountedPtr<grpc_tls_server_authorization_check_config>
          config) {
    server_authorization_check_config_ = std::move(config);
  }
  // Sets the provider in the options.
  // This should only be used by C-core API for Tls*Creds case.
  void set_certificate_provider(
      grpc_core::RefCountedPtr<grpc_tls_certificate_provider> provider) {
    provider_ = std::move(provider);
  }
  // Sets the distributor in the options.
  // This should only be used by the xDS code for Xds*Creds case.
  void set_certificate_distributor(
      grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor) {
    distributor_ = std::move(distributor);
  }
  // If need to watch the updates of root certificates with name
  // |root_cert_name|. The default value is false. If used in tls_credentials,
  // it should always be set to true unless the root certificates are not
  // needed.
  void set_watch_root_cert(bool watch) { watch_root_cert_ = watch; }
  // Sets the name of root certificates being watched, if |set_watch_root_cert|
  // is called. If not set, an empty string will be used as the name.
  void set_root_cert_name(std::string root_cert_name) {
    root_cert_name_ = std::move(root_cert_name);
  }
  // If need to watch the updates of identity certificates with name
  // |identity_cert_name|.
  // The default value is false.
  // If used in tls_credentials, it should always be set to true
  // unless the identity key-cert pairs are not needed.
  void set_watch_identity_pair(bool watch) { watch_identity_pair_ = watch; }
  // Sets the name of identity key-cert pairs being watched, if
  // |set_watch_identity_pair| is called. If not set, an empty string will
  // be used as the name.
  void set_identity_cert_name(std::string identity_cert_name) {
    identity_cert_name_ = std::move(identity_cert_name);
  }
 private:
-  grpc_ssl_client_certificate_request_type cert_request_type_;
+  grpc_ssl_client_certificate_request_type cert_request_type_ =
      GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;
  grpc_tls_server_verification_option server_verification_option_ =
      GRPC_TLS_SERVER_VERIFICATION;
  grpc_tls_version min_tls_version_ = grpc_tls_version::TLS1_2;
  grpc_tls_version max_tls_version_ = grpc_tls_version::TLS1_3;
  grpc_core::RefCountedPtr<grpc_tls_key_materials_config> key_materials_config_;
  grpc_core::RefCountedPtr<grpc_tls_credential_reload_config>
      credential_reload_config_;
  grpc_core::RefCountedPtr<grpc_tls_server_authorization_check_config>
      server_authorization_check_config_;
  grpc_core::RefCountedPtr<grpc_tls_certificate_provider> provider_;
  grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
  bool watch_root_cert_ = false;
  std::string root_cert_name_;
  bool watch_identity_pair_ = false;
  std::string identity_cert_name_;
 };
-#endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H \
+#endif  // GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H
        */
--- a/src/core/lib/security/credentials/tls/tls_credentials.cc
+++ b/src/core/lib/security/credentials/tls/tls_credentials.cc
@ -40,18 +40,18 @@ bool CredentialOptionSanityCheck(const grpc_tls_credentials_options* options,
    gpr_log(GPR_ERROR, "TLS credentials options is nullptr.");
    return false;
  }
-  if (options->key_materials_config() == nullptr &&
+  // TODO(ZhenLian): remove this when it is also supported on server side.
      options->credential_reload_config() == nullptr) {
    gpr_log(GPR_ERROR,
            "TLS credentials options must specify either key materials or "
            "credential reload config.");
    return false;
  }
  if (!is_client && options->server_authorization_check_config() != nullptr) {
    gpr_log(GPR_INFO,
            "Server's credentials options should not contain server "
            "authorization check config.");
  }
  if (options->server_verification_option() != GRPC_TLS_SERVER_VERIFICATION &&
      options->server_authorization_check_config() == nullptr) {
    gpr_log(GPR_ERROR,
            "Should provider custom verifications if bypassing default ones.");
    return false;
  }
  return true;
 }
@ -85,14 +85,16 @@ TlsCredentials::create_security_connector(
  }
  grpc_core::RefCountedPtr<grpc_channel_security_connector> sc =
      grpc_core::TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
-          this->Ref(), std::move(call_creds), target_name,
+          this->Ref(), options_, std::move(call_creds), target_name,
          overridden_target_name, ssl_session_cache);
  if (sc == nullptr) {
    return nullptr;
  }
-  grpc_arg new_arg = grpc_channel_arg_string_create(
+  if (args != nullptr) {
-      (char*)GRPC_ARG_HTTP2_SCHEME, (char*)"https");
+    grpc_arg new_arg = grpc_channel_arg_string_create(
-  *new_args = grpc_channel_args_copy_and_add(args, &new_arg, 1);
+        (char*)GRPC_ARG_HTTP2_SCHEME, (char*)"https");
    *new_args = grpc_channel_args_copy_and_add(args, &new_arg, 1);
  }
  return sc;
 }
@ -106,9 +108,11 @@ TlsServerCredentials::~TlsServerCredentials() {}
 grpc_core::RefCountedPtr<grpc_server_security_connector>
 TlsServerCredentials::create_security_connector() {
  return grpc_core::TlsServerSecurityConnector::
-      CreateTlsServerSecurityConnector(this->Ref());
+      CreateTlsServerSecurityConnector(this->Ref(), options_);
 }
 /** -- Wrapper APIs declared in grpc_security.h -- **/
 grpc_channel_credentials* grpc_tls_credentials_create(
    grpc_tls_credentials_options* options) {
  if (!CredentialOptionSanityCheck(options, true /* is_client */)) {
--- a/src/core/lib/security/credentials/tls/tls_credentials.h
+++ b/src/core/lib/security/credentials/tls/tls_credentials.h
@ -38,7 +38,7 @@ class TlsCredentials final : public grpc_channel_credentials {
      const char* target_name, const grpc_channel_args* args,
      grpc_channel_args** new_args) override;
-  const grpc_tls_credentials_options& options() const { return *options_; }
+  grpc_tls_credentials_options* options() const { return options_.get(); }
 private:
  grpc_core::RefCountedPtr<grpc_tls_credentials_options> options_;
@ -53,7 +53,7 @@ class TlsServerCredentials final : public grpc_server_credentials {
  grpc_core::RefCountedPtr<grpc_server_security_connector>
  create_security_connector() override;
-  const grpc_tls_credentials_options& options() const { return *options_; }
+  grpc_tls_credentials_options* options() const { return options_.get(); }
 private:
  grpc_core::RefCountedPtr<grpc_tls_credentials_options> options_;
--- a/src/core/lib/security/security_connector/ssl_utils.h
+++ b/src/core/lib/security/security_connector/ssl_utils.h
@ -187,6 +187,8 @@ class PemKeyCertPair {
  grpc_core::UniquePtr<char> cert_chain_;
 };
 typedef absl::InlinedVector<grpc_core::PemKeyCertPair, 1> PemKeyCertPairList;
 }  // namespace grpc_core
 #endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H \
--- a/src/core/lib/security/security_connector/tls/tls_security_connector.cc
+++ b/src/core/lib/security/security_connector/tls/tls_security_connector.cc
@ -46,7 +46,7 @@ namespace grpc_core {
 namespace {
 tsi_ssl_pem_key_cert_pair* ConvertToTsiPemKeyCertPair(
-    const grpc_tls_key_materials_config::PemKeyCertPairList& cert_pair_list) {
+    const grpc_core::PemKeyCertPairList& cert_pair_list) {
  tsi_ssl_pem_key_cert_pair* tsi_pairs = nullptr;
  size_t num_key_cert_pairs = cert_pair_list.size();
  if (num_key_cert_pairs > 0) {
@ -65,127 +65,120 @@ tsi_ssl_pem_key_cert_pair* ConvertToTsiPemKeyCertPair(
 }  // namespace
-grpc_status_code TlsFetchKeyMaterials(
+// -------------------channel security connector-------------------
-    const grpc_core::RefCountedPtr<grpc_tls_key_materials_config>&
+grpc_core::RefCountedPtr<grpc_channel_security_connector>
-        key_materials_config,
+TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
-    const grpc_tls_credentials_options& options, bool is_server,
+    grpc_core::RefCountedPtr<grpc_channel_credentials> ch_creds,
-    grpc_ssl_certificate_config_reload_status* status) {
+    grpc_core::RefCountedPtr<grpc_tls_credentials_options> options,
-  GPR_ASSERT(key_materials_config != nullptr);
+    grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
-  GPR_ASSERT(status != nullptr);
+    const char* target_name, const char* overridden_target_name,
-  bool is_key_materials_empty =
+    tsi_ssl_session_cache* ssl_session_cache) {
-      key_materials_config->pem_key_cert_pair_list().empty();
+  if (ch_creds == nullptr) {
  grpc_tls_credential_reload_config* credential_reload_config =
      options.credential_reload_config();
  /** If there are no key materials and no credential reload config and the
   *  caller is a server, then return an error. We do not require that a client
   *  always provision certificates. **/
  if (credential_reload_config == nullptr && is_key_materials_empty &&
      is_server) {
    gpr_log(GPR_ERROR,
-            "Either credential reload config or key materials should be "
+            "channel_creds is nullptr in "
-            "provisioned.");
+            "TlsChannelSecurityConnectorCreate()");
-    return GRPC_STATUS_FAILED_PRECONDITION;
+    return nullptr;
  }
  grpc_status_code reload_status = GRPC_STATUS_OK;
  /** Use |credential_reload_config| to update |key_materials_config|. **/
  if (credential_reload_config != nullptr) {
    grpc_tls_credential_reload_arg* arg = new grpc_tls_credential_reload_arg();
    arg->key_materials_config = key_materials_config.get();
    arg->error_details = new grpc_tls_error_details();
    int result = credential_reload_config->Schedule(arg);
    if (result) {
      /** Credential reloading is performed async. This is not yet supported.
       * **/
      gpr_log(GPR_ERROR, "Async credential reload is unsupported now.");
      *status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
      reload_status =
          is_key_materials_empty ? GRPC_STATUS_UNIMPLEMENTED : GRPC_STATUS_OK;
    } else {
      /** Credential reloading is performed sync. **/
      *status = arg->status;
      if (arg->status == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED) {
        /* Key materials is not empty. */
        gpr_log(GPR_DEBUG, "Credential does not change after reload.");
      } else if (arg->status == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL) {
        gpr_log(GPR_ERROR, "Credential reload failed with an error:");
        if (arg->error_details != nullptr) {
          gpr_log(GPR_ERROR, "%s", arg->error_details->error_details().c_str());
        }
        reload_status =
            is_key_materials_empty ? GRPC_STATUS_INTERNAL : GRPC_STATUS_OK;
      }
    }
    delete arg->error_details;
    /** If the credential reload config was constructed via a wrapped language,
     *  then |arg->context| and |arg->destroy_context| will not be nullptr. In
     *  this case, we must destroy |arg->context|, which stores the wrapped
     *  language-version of the credential reload arg. **/
    if (arg->destroy_context != nullptr) {
      arg->destroy_context(arg->context);
    }
    delete arg;
  }
-  return reload_status;
+  if (options == nullptr) {
-}
+    gpr_log(GPR_ERROR,
-
+            "options is nullptr in "
-grpc_error* TlsCheckHostName(const char* peer_name, const tsi_peer* peer) {
+            "TlsChannelSecurityConnectorCreate()");
-  /* Check the peer name if specified. */
+    return nullptr;
  if (peer_name != nullptr && !grpc_ssl_host_matches_name(peer, peer_name)) {
    return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
        absl::StrCat("Peer name ", peer_name, " is not in peer certificate")
            .c_str());
  }
-  return GRPC_ERROR_NONE;
+  if (target_name == nullptr) {
    gpr_log(GPR_ERROR,
            "target_name is nullptr in "
            "TlsChannelSecurityConnectorCreate()");
    return nullptr;
  }
  grpc_core::RefCountedPtr<TlsChannelSecurityConnector> c =
      grpc_core::MakeRefCounted<TlsChannelSecurityConnector>(
          std::move(ch_creds), std::move(options),
          std::move(request_metadata_creds), target_name,
          overridden_target_name, ssl_session_cache);
  return c;
 }
 TlsChannelSecurityConnector::TlsChannelSecurityConnector(
-    grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
+    grpc_core::RefCountedPtr<grpc_channel_credentials> ch_creds,
    grpc_core::RefCountedPtr<grpc_tls_credentials_options> options,
    grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
-    const char* target_name, const char* overridden_target_name)
+    const char* target_name, const char* overridden_target_name,
-    : grpc_channel_security_connector(GRPC_SSL_URL_SCHEME,
+    tsi_ssl_session_cache* ssl_session_cache)
-                                      std::move(channel_creds),
+    : grpc_channel_security_connector(GRPC_SSL_URL_SCHEME, std::move(ch_creds),
                                      std::move(request_metadata_creds)),
      options_(std::move(options)),
      overridden_target_name_(
-          overridden_target_name == nullptr ? "" : overridden_target_name) {
+          overridden_target_name == nullptr ? "" : overridden_target_name),
-  key_materials_config_ = grpc_tls_key_materials_config_create()->Ref();
+      ssl_session_cache_(ssl_session_cache) {
  if (ssl_session_cache_ != nullptr) {
    tsi_ssl_session_cache_ref(ssl_session_cache_);
  }
  check_arg_ = ServerAuthorizationCheckArgCreate(this);
  absl::string_view host;
  absl::string_view port;
  grpc_core::SplitHostPort(target_name, &host, &port);
  target_name_ = std::string(host);
  // Create a watcher.
  auto watcher_ptr = absl::make_unique<TlsChannelCertificateWatcher>(this);
  certificate_watcher_ = watcher_ptr.get();
  // Register the watcher with the distributor.
  grpc_tls_certificate_distributor* distributor =
      options_->certificate_distributor();
  absl::optional<std::string> watched_root_cert_name;
  if (options_->watch_root_cert()) {
    watched_root_cert_name = options_->root_cert_name();
  }
  absl::optional<std::string> watched_identity_cert_name;
  if (options_->watch_identity_pair()) {
    watched_identity_cert_name = options_->identity_cert_name();
  }
  distributor->WatchTlsCertificates(std::move(watcher_ptr),
                                    watched_root_cert_name,
                                    watched_identity_cert_name);
 }
 TlsChannelSecurityConnector::~TlsChannelSecurityConnector() {
  if (ssl_session_cache_ != nullptr) {
    tsi_ssl_session_cache_unref(ssl_session_cache_);
  }
  // Cancel all the watchers.
  grpc_tls_certificate_distributor* distributor =
      options_->certificate_distributor();
  distributor->CancelTlsCertificatesWatch(certificate_watcher_);
  if (client_handshaker_factory_ != nullptr) {
    tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
  }
-  if (key_materials_config_.get() != nullptr) {
+  if (check_arg_ != nullptr) {
-    key_materials_config_->Unref();
+    ServerAuthorizationCheckArgDestroy(check_arg_);
  }
  ServerAuthorizationCheckArgDestroy(check_arg_);
 }
 void TlsChannelSecurityConnector::add_handshakers(
    const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/,
    grpc_core::HandshakeManager* handshake_mgr) {
-  if (RefreshHandshakerFactory() != GRPC_SECURITY_OK) {
+  grpc_core::MutexLock lock(&mu_);
-    gpr_log(GPR_ERROR, "Handshaker factory refresh failed.");
+  if (client_handshaker_factory_ != nullptr) {
-    return;
+    // Instantiate TSI handshaker.
-  }
+    tsi_handshaker* tsi_hs = nullptr;
-  // Instantiate TSI handshaker.
+    tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
-  tsi_handshaker* tsi_hs = nullptr;
+        client_handshaker_factory_,
-  tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
+        overridden_target_name_.empty() ? target_name_.c_str()
-      client_handshaker_factory_,
+                                        : overridden_target_name_.c_str(),
-      overridden_target_name_.empty() ? target_name_.c_str()
+        &tsi_hs);
-                                      : overridden_target_name_.c_str(),
+    if (result != TSI_OK) {
-      &tsi_hs);
+      gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
-  if (result != TSI_OK) {
+              tsi_result_to_string(result));
-    gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
+      return;
-            tsi_result_to_string(result));
+    }
    // Create handshakers.
    handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this, args));
    return;
  }
-  // Create handshakers.
+  // TODO(ZhenLian): Implement the logic(delegation to
-  handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this, args));
+  // BlockOnInitialCredentialHandshaker) when certificates are not ready.
  gpr_log(GPR_ERROR, "%s not supported yet.",
          "Client BlockOnInitialCredentialHandshaker");
 }
 void TlsChannelSecurityConnector::check_peer(
@ -203,12 +196,9 @@ void TlsChannelSecurityConnector::check_peer(
  }
  *auth_context =
      grpc_ssl_peer_to_auth_context(&peer, GRPC_TLS_TRANSPORT_SECURITY_TYPE);
-  const TlsCredentials* creds =
+  if (options_->server_verification_option() == GRPC_TLS_SERVER_VERIFICATION) {
      static_cast<const TlsCredentials*>(channel_creds());
  if (creds->options().server_verification_option() ==
      GRPC_TLS_SERVER_VERIFICATION) {
    /* Do the default host name check if specifying the target name. */
-    error = TlsCheckHostName(target_name, &peer);
+    error = internal::TlsCheckHostName(target_name, &peer);
    if (error != GRPC_ERROR_NONE) {
      grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
      tsi_peer_destruct(&peer);
@ -217,7 +207,7 @@ void TlsChannelSecurityConnector::check_peer(
  }
  /* Do the custom server authorization check, if specified by the user. */
  const grpc_tls_server_authorization_check_config* config =
-      creds->options().server_authorization_check_config();
+      options_->server_authorization_check_config();
  /* If server authorization config is not null, use it to perform
   * server authorization check. */
  if (config != nullptr) {
@ -289,105 +279,86 @@ void TlsChannelSecurityConnector::cancel_check_call_host(
  GRPC_ERROR_UNREF(error);
 }
-grpc_core::RefCountedPtr<grpc_channel_security_connector>
+void TlsChannelSecurityConnector::TlsChannelCertificateWatcher::
-TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
+    OnCertificatesChanged(
-    grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
+        absl::optional<absl::string_view> root_certs,
-    grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
+        absl::optional<grpc_core::PemKeyCertPairList> key_cert_pairs) {
-    const char* target_name, const char* overridden_target_name,
+  GPR_ASSERT(security_connector_ != nullptr);
-    tsi_ssl_session_cache* ssl_session_cache) {
+  grpc_core::MutexLock lock(&security_connector_->mu_);
-  if (channel_creds == nullptr) {
+  if (root_certs.has_value()) {
-    gpr_log(GPR_ERROR,
+    security_connector_->pem_root_certs_ = root_certs;
-            "channel_creds is nullptr in "
+  }
-            "TlsChannelSecurityConnectorCreate()");
+  if (key_cert_pairs.has_value()) {
-    return nullptr;
+    security_connector_->pem_key_cert_pair_list_ = std::move(key_cert_pairs);
  }
  bool root_being_watched = security_connector_->options_->watch_root_cert();
  bool root_has_value = security_connector_->pem_root_certs_.has_value();
  bool identity_being_watched =
      security_connector_->options_->watch_identity_pair();
  bool identity_has_value =
      security_connector_->pem_key_cert_pair_list_.has_value();
  if ((root_being_watched && root_has_value && identity_being_watched &&
       identity_has_value) ||
      (root_being_watched && root_has_value && !identity_being_watched) ||
      (!root_being_watched && identity_being_watched && identity_has_value)) {
    if (security_connector_->UpdateHandshakerFactoryLocked() !=
        GRPC_SECURITY_OK) {
      gpr_log(GPR_ERROR, "Update handshaker factory failed.");
    }
  }
-  if (target_name == nullptr) {
+}
 // TODO(ZhenLian): implement the logic to signal waiting handshakers once
 // BlockOnInitialCredentialHandshaker is implemented.
 void TlsChannelSecurityConnector::TlsChannelCertificateWatcher::OnError(
    grpc_error* root_cert_error, grpc_error* identity_cert_error) {
  if (root_cert_error != GRPC_ERROR_NONE) {
    gpr_log(GPR_ERROR,
-            "target_name is nullptr in "
+            "TlsChannelCertificateWatcher getting root_cert_error: %s",
-            "TlsChannelSecurityConnectorCreate()");
+            grpc_error_string(root_cert_error));
    return nullptr;
  }
-  grpc_core::RefCountedPtr<TlsChannelSecurityConnector> c =
+  if (identity_cert_error != GRPC_ERROR_NONE) {
-      grpc_core::MakeRefCounted<TlsChannelSecurityConnector>(
+    gpr_log(GPR_ERROR,
-          std::move(channel_creds), std::move(request_metadata_creds),
+            "TlsChannelCertificateWatcher getting identity_cert_error: %s",
-          target_name, overridden_target_name);
+            grpc_error_string(identity_cert_error));
  if (c->InitializeHandshakerFactory(ssl_session_cache) != GRPC_SECURITY_OK) {
    gpr_log(GPR_ERROR, "Could not initialize client handshaker factory.");
    return nullptr;
  }
-  return c;
+  GRPC_ERROR_UNREF(root_cert_error);
  GRPC_ERROR_UNREF(identity_cert_error);
 }
-grpc_security_status TlsChannelSecurityConnector::ReplaceHandshakerFactory(
+// TODO(ZhenLian): implement the logic to signal waiting handshakers once
-    tsi_ssl_session_cache* ssl_session_cache) {
+// BlockOnInitialCredentialHandshaker is implemented.
-  const TlsCredentials* creds =
+grpc_security_status
-      static_cast<const TlsCredentials*>(channel_creds());
+TlsChannelSecurityConnector::UpdateHandshakerFactoryLocked() {
  bool skip_server_certificate_verification =
-      creds->options().server_verification_option() ==
+      options_->server_verification_option() ==
      GRPC_TLS_SKIP_ALL_SERVER_VERIFICATION;
  /* Free the client handshaker factory if exists. */
-  if (client_handshaker_factory_) {
+  if (client_handshaker_factory_ != nullptr) {
    tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
  }
-  tsi_ssl_pem_key_cert_pair* pem_key_cert_pair = ConvertToTsiPemKeyCertPair(
+  std::string pem_root_certs;
-      key_materials_config_->pem_key_cert_pair_list());
+  if (pem_root_certs_.has_value()) {
    // TODO(ZhenLian): update the underlying TSI layer to use C++ types like
    // std::string and absl::string_view to avoid making another copy here.
    pem_root_certs = std::string(*pem_root_certs_);
  }
  tsi_ssl_pem_key_cert_pair* pem_key_cert_pair = nullptr;
  if (pem_key_cert_pair_list_.has_value()) {
    pem_key_cert_pair = ConvertToTsiPemKeyCertPair(*pem_key_cert_pair_list_);
  }
  grpc_security_status status = grpc_ssl_tsi_client_handshaker_factory_init(
-      pem_key_cert_pair, key_materials_config_->pem_root_certs(),
+      pem_key_cert_pair,
      pem_root_certs.empty() ? nullptr : pem_root_certs.c_str(),
      skip_server_certificate_verification,
-      grpc_get_tsi_tls_version(creds->options().min_tls_version()),
+      grpc_get_tsi_tls_version(options_->min_tls_version()),
-      grpc_get_tsi_tls_version(creds->options().max_tls_version()),
+      grpc_get_tsi_tls_version(options_->max_tls_version()), ssl_session_cache_,
-      ssl_session_cache, &client_handshaker_factory_);
+      &client_handshaker_factory_);
  /* Free memory. */
-  grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pair, 1);
+  if (pem_key_cert_pair != nullptr) {
-  return status;
+    grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pair, 1);
 }
 grpc_security_status TlsChannelSecurityConnector::InitializeHandshakerFactory(
    tsi_ssl_session_cache* ssl_session_cache) {
  grpc_core::MutexLock lock(&mu_);
  const TlsCredentials* creds =
      static_cast<const TlsCredentials*>(channel_creds());
  grpc_tls_key_materials_config* key_materials_config =
      creds->options().key_materials_config();
  // key_materials_config_->set_key_materials will handle the copying of the key
  // materials users provided
  if (key_materials_config != nullptr) {
    key_materials_config_->set_key_materials(
        key_materials_config->pem_root_certs(),
        key_materials_config->pem_key_cert_pair_list());
  }
  grpc_ssl_certificate_config_reload_status reload_status =
      GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
  /** If |creds->options()| has a credential reload config, then the call to
   *  |TlsFetchKeyMaterials| will use it to update the root cert and
   *  pem-key-cert-pair list stored in |key_materials_config_|. **/
  if (TlsFetchKeyMaterials(key_materials_config_, creds->options(), false,
                           &reload_status) != GRPC_STATUS_OK) {
    /* Raise an error if key materials are not populated. */
    return GRPC_SECURITY_ERROR;
  }
  return ReplaceHandshakerFactory(ssl_session_cache);
 }
 grpc_security_status TlsChannelSecurityConnector::RefreshHandshakerFactory() {
  grpc_core::MutexLock lock(&mu_);
  const TlsCredentials* creds =
      static_cast<const TlsCredentials*>(channel_creds());
  grpc_ssl_certificate_config_reload_status reload_status =
      GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
  /** If |creds->options()| has a credential reload config, then the call to
   *  |TlsFetchKeyMaterials| will use it to update the root cert and
   *  pem-key-cert-pair list stored in |key_materials_config_|. **/
  if (TlsFetchKeyMaterials(key_materials_config_, creds->options(), false,
                           &reload_status) != GRPC_STATUS_OK) {
    return GRPC_SECURITY_ERROR;
  }
  if (reload_status != GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW) {
    // Re-use existing handshaker factory.
    return GRPC_SECURITY_OK;
  } else {
    return ReplaceHandshakerFactory(nullptr);
  }
  return status;
 }
 void TlsChannelSecurityConnector::ServerAuthorizationCheckDone(
@ -457,40 +428,86 @@ void TlsChannelSecurityConnector::ServerAuthorizationCheckArgDestroy(
  delete arg;
 }
 // -------------------server security connector-------------------
 grpc_core::RefCountedPtr<grpc_server_security_connector>
 TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
    grpc_core::RefCountedPtr<grpc_server_credentials> server_creds,
    grpc_core::RefCountedPtr<grpc_tls_credentials_options> options) {
  if (server_creds == nullptr) {
    gpr_log(GPR_ERROR,
            "server_creds is nullptr in "
            "TlsServerSecurityConnectorCreate()");
    return nullptr;
  }
  if (options == nullptr) {
    gpr_log(GPR_ERROR,
            "options is nullptr in "
            "TlsServerSecurityConnectorCreate()");
    return nullptr;
  }
  grpc_core::RefCountedPtr<TlsServerSecurityConnector> c =
      grpc_core::MakeRefCounted<TlsServerSecurityConnector>(
          std::move(server_creds), std::move(options));
  return c;
 }
 TlsServerSecurityConnector::TlsServerSecurityConnector(
-    grpc_core::RefCountedPtr<grpc_server_credentials> server_creds)
+    grpc_core::RefCountedPtr<grpc_server_credentials> server_creds,
    grpc_core::RefCountedPtr<grpc_tls_credentials_options> options)
    : grpc_server_security_connector(GRPC_SSL_URL_SCHEME,
-                                     std::move(server_creds)) {
+                                     std::move(server_creds)),
-  key_materials_config_ = grpc_tls_key_materials_config_create()->Ref();
+      options_(std::move(options)) {
  // Create a watcher.
  auto watcher_ptr = absl::make_unique<TlsServerCertificateWatcher>(this);
  certificate_watcher_ = watcher_ptr.get();
  // Register the watcher with the distributor.
  grpc_tls_certificate_distributor* distributor =
      options_->certificate_distributor();
  absl::optional<std::string> watched_root_cert_name;
  if (options_->watch_root_cert()) {
    watched_root_cert_name = options_->root_cert_name();
  }
  absl::optional<std::string> watched_identity_cert_name;
  if (options_->watch_identity_pair()) {
    watched_identity_cert_name = options_->identity_cert_name();
  }
  distributor->WatchTlsCertificates(std::move(watcher_ptr),
                                    watched_root_cert_name,
                                    watched_identity_cert_name);
 }
 TlsServerSecurityConnector::~TlsServerSecurityConnector() {
  // Cancel all the watchers.
  grpc_tls_certificate_distributor* distributor =
      options_->certificate_distributor();
  distributor->CancelTlsCertificatesWatch(certificate_watcher_);
  if (server_handshaker_factory_ != nullptr) {
    tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
  }
  if (key_materials_config_.get() != nullptr) {
    key_materials_config_->Unref();
  }
 }
 void TlsServerSecurityConnector::add_handshakers(
    const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/,
    grpc_core::HandshakeManager* handshake_mgr) {
-  /* Refresh handshaker factory if needed. */
+  grpc_core::MutexLock lock(&mu_);
-  if (RefreshHandshakerFactory() != GRPC_SECURITY_OK) {
+  if (server_handshaker_factory_ != nullptr) {
-    gpr_log(GPR_ERROR, "Handshaker factory refresh failed.");
+    // Instantiate TSI handshaker.
-    return;
+    tsi_handshaker* tsi_hs = nullptr;
-  }
+    tsi_result result = tsi_ssl_server_handshaker_factory_create_handshaker(
-  /* Create a TLS TSI handshaker for server. */
+        server_handshaker_factory_, &tsi_hs);
-  tsi_handshaker* tsi_hs = nullptr;
+    if (result != TSI_OK) {
-  tsi_result result = tsi_ssl_server_handshaker_factory_create_handshaker(
+      gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
-      server_handshaker_factory_, &tsi_hs);
+              tsi_result_to_string(result));
-  if (result != TSI_OK) {
+      return;
-    gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
+    }
-            tsi_result_to_string(result));
+    // Create handshakers.
    handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this, args));
    return;
  }
-  handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this, args));
+  // TODO(ZhenLian): Implement the logic(delegation to
  // BlockOnInitialCredentialHandshaker) when certificates are not ready.
  gpr_log(GPR_ERROR, "%s not supported yet.",
          "Server BlockOnInitialCredentialHandshaker");
 }
 void TlsServerSecurityConnector::check_peer(
@ -510,43 +527,79 @@ int TlsServerSecurityConnector::cmp(
      static_cast<const grpc_server_security_connector*>(other));
 }
-grpc_core::RefCountedPtr<grpc_server_security_connector>
+void TlsServerSecurityConnector::TlsServerCertificateWatcher::
-TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
+    OnCertificatesChanged(
-    grpc_core::RefCountedPtr<grpc_server_credentials> server_creds) {
+        absl::optional<absl::string_view> root_certs,
-  if (server_creds == nullptr) {
+        absl::optional<grpc_core::PemKeyCertPairList> key_cert_pairs) {
  GPR_ASSERT(security_connector_ != nullptr);
  grpc_core::MutexLock lock(&security_connector_->mu_);
  if (root_certs.has_value()) {
    security_connector_->pem_root_certs_ = root_certs;
  }
  if (key_cert_pairs.has_value()) {
    security_connector_->pem_key_cert_pair_list_ = std::move(key_cert_pairs);
  }
  bool root_being_watched = security_connector_->options_->watch_root_cert();
  bool root_has_value = security_connector_->pem_root_certs_.has_value();
  bool identity_being_watched =
      security_connector_->options_->watch_identity_pair();
  bool identity_has_value =
      security_connector_->pem_key_cert_pair_list_.has_value();
  if ((root_being_watched && root_has_value && identity_being_watched &&
       identity_has_value) ||
      (root_being_watched && root_has_value && !identity_being_watched) ||
      (!root_being_watched && identity_being_watched && identity_has_value)) {
    if (security_connector_->UpdateHandshakerFactoryLocked() !=
        GRPC_SECURITY_OK) {
      gpr_log(GPR_ERROR, "Update handshaker factory failed.");
    }
  }
 }
 // TODO(ZhenLian): implement the logic to signal waiting handshakers once
 // BlockOnInitialCredentialHandshaker is implemented.
 void TlsServerSecurityConnector::TlsServerCertificateWatcher::OnError(
    grpc_error* root_cert_error, grpc_error* identity_cert_error) {
  if (root_cert_error != GRPC_ERROR_NONE) {
    gpr_log(GPR_ERROR,
-            "server_creds is nullptr in "
+            "TlsServerCertificateWatcher getting root_cert_error: %s",
-            "TlsServerSecurityConnectorCreate()");
+            grpc_error_string(root_cert_error));
    return nullptr;
  }
-  grpc_core::RefCountedPtr<TlsServerSecurityConnector> c =
+  if (identity_cert_error != GRPC_ERROR_NONE) {
-      grpc_core::MakeRefCounted<TlsServerSecurityConnector>(
+    gpr_log(GPR_ERROR,
-          std::move(server_creds));
+            "TlsServerCertificateWatcher getting identity_cert_error: %s",
-  if (c->InitializeHandshakerFactory() != GRPC_SECURITY_OK) {
+            grpc_error_string(identity_cert_error));
    gpr_log(GPR_ERROR, "Could not initialize server handshaker factory.");
    return nullptr;
  }
-  return c;
+  GRPC_ERROR_UNREF(root_cert_error);
  GRPC_ERROR_UNREF(identity_cert_error);
 }
-grpc_security_status TlsServerSecurityConnector::ReplaceHandshakerFactory() {
+// TODO(ZhenLian): implement the logic to signal waiting handshakers once
-  const TlsServerCredentials* creds =
+// BlockOnInitialCredentialHandshaker is implemented.
-      static_cast<const TlsServerCredentials*>(server_creds());
+grpc_security_status
 TlsServerSecurityConnector::UpdateHandshakerFactoryLocked() {
  /* Free the server handshaker factory if exists. */
-  if (server_handshaker_factory_) {
+  if (server_handshaker_factory_ != nullptr) {
    tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
  }
-  GPR_ASSERT(!key_materials_config_->pem_key_cert_pair_list().empty());
+  // The identity certs on the server side shouldn't be empty.
-  tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs = ConvertToTsiPemKeyCertPair(
+  GPR_ASSERT(pem_key_cert_pair_list_.has_value());
-      key_materials_config_->pem_key_cert_pair_list());
+  GPR_ASSERT(!(*pem_key_cert_pair_list_).empty());
-  size_t num_key_cert_pairs =
+  std::string pem_root_certs;
-      key_materials_config_->pem_key_cert_pair_list().size();
+  if (pem_root_certs_.has_value()) {
    // TODO(ZhenLian): update the underlying TSI layer to use C++ types like
    // std::string and absl::string_view to avoid making another copy here.
    pem_root_certs = std::string(*pem_root_certs_);
  }
  tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs = nullptr;
  pem_key_cert_pairs = ConvertToTsiPemKeyCertPair(*pem_key_cert_pair_list_);
  size_t num_key_cert_pairs = (*pem_key_cert_pair_list_).size();
  grpc_security_status status = grpc_ssl_tsi_server_handshaker_factory_init(
      pem_key_cert_pairs, num_key_cert_pairs,
-      key_materials_config_->pem_root_certs(),
+      pem_root_certs.empty() ? nullptr : pem_root_certs.c_str(),
-      creds->options().cert_request_type(),
+      options_->cert_request_type(),
-      grpc_get_tsi_tls_version(creds->options().min_tls_version()),
+      grpc_get_tsi_tls_version(options_->min_tls_version()),
-      grpc_get_tsi_tls_version(creds->options().max_tls_version()),
+      grpc_get_tsi_tls_version(options_->max_tls_version()),
      &server_handshaker_factory_);
  /* Free memory. */
  grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pairs,
@ -554,53 +607,18 @@ grpc_security_status TlsServerSecurityConnector::ReplaceHandshakerFactory() {
  return status;
 }
-grpc_security_status TlsServerSecurityConnector::InitializeHandshakerFactory() {
+namespace internal {
  grpc_core::MutexLock lock(&mu_);
  const TlsServerCredentials* creds =
      static_cast<const TlsServerCredentials*>(server_creds());
  grpc_tls_key_materials_config* key_materials_config =
      creds->options().key_materials_config();
  if (key_materials_config != nullptr) {
    key_materials_config_->set_key_materials(
        key_materials_config->pem_root_certs(),
        key_materials_config->pem_key_cert_pair_list());
  }
  grpc_ssl_certificate_config_reload_status reload_status =
      GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
  /** If |creds->options()| has a credential reload config, then the call to
   *  |TlsFetchKeyMaterials| will use it to update the root cert and
   *  pem-key-cert-pair list stored in |key_materials_config_|. Otherwise, it
   *  will return |GRPC_STATUS_OK| if |key_materials_config_| already has
   *  credentials, and an error code if not. **/
  if (TlsFetchKeyMaterials(key_materials_config_, creds->options(), true,
                           &reload_status) != GRPC_STATUS_OK) {
    /* Raise an error if key materials are not populated. */
    return GRPC_SECURITY_ERROR;
  }
  return ReplaceHandshakerFactory();
 }
-grpc_security_status TlsServerSecurityConnector::RefreshHandshakerFactory() {
+grpc_error* TlsCheckHostName(const char* peer_name, const tsi_peer* peer) {
-  grpc_core::MutexLock lock(&mu_);
+  /* Check the peer name if specified. */
-  const TlsServerCredentials* creds =
+  if (peer_name != nullptr && !grpc_ssl_host_matches_name(peer, peer_name)) {
-      static_cast<const TlsServerCredentials*>(server_creds());
+    return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
-  grpc_ssl_certificate_config_reload_status reload_status =
+        absl::StrCat("Peer name ", peer_name, " is not in peer certificate")
-      GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
+            .c_str());
  /** If |creds->options()| has a credential reload config, then the call to
   *  |TlsFetchKeyMaterials| will use it to update the root cert and
   *  pem-key-cert-pair list stored in |key_materials_config_|. Otherwise, it
   *  will return |GRPC_STATUS_OK| if |key_materials_config_| already has
   *  credentials, and an error code if not. **/
  if (TlsFetchKeyMaterials(key_materials_config_, creds->options(), true,
                           &reload_status) != GRPC_STATUS_OK) {
    return GRPC_SECURITY_ERROR;
  }
  if (reload_status != GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW) {
    /* At this point, we should have key materials populated. */
    return GRPC_SECURITY_OK;
  } else {
    return ReplaceHandshakerFactory();
  }
  return GRPC_ERROR_NONE;
 }
 }  // namespace internal
 }  // namespace grpc_core
--- a/src/core/lib/security/security_connector/tls/tls_security_connector.h
+++ b/src/core/lib/security/security_connector/tls/tls_security_connector.h
@ -23,13 +23,14 @@
 #include "src/core/lib/gprpp/sync.h"
 #include "src/core/lib/security/context/security_context.h"
 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
 #define GRPC_TLS_TRANSPORT_SECURITY_TYPE "tls"
 namespace grpc_core {
-// TLS channel security connector.
+// Channel security connector using TLS as transport security protocol.
 class TlsChannelSecurityConnector final
    : public grpc_channel_security_connector {
 public:
@ -37,14 +38,18 @@ class TlsChannelSecurityConnector final
  static grpc_core::RefCountedPtr<grpc_channel_security_connector>
  CreateTlsChannelSecurityConnector(
      grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
      grpc_core::RefCountedPtr<grpc_tls_credentials_options> options,
      grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
      const char* target_name, const char* overridden_target_name,
      tsi_ssl_session_cache* ssl_session_cache);
  TlsChannelSecurityConnector(
      grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
      grpc_core::RefCountedPtr<grpc_tls_credentials_options> options,
      grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
-      const char* target_name, const char* overridden_target_name);
+      const char* target_name, const char* overridden_target_name,
      tsi_ssl_session_cache* ssl_session_cache);
  ~TlsChannelSecurityConnector() override;
  void add_handshakers(const grpc_channel_args* args,
@ -64,15 +69,45 @@ class TlsChannelSecurityConnector final
  void cancel_check_call_host(grpc_closure* on_call_host_checked,
                              grpc_error* error) override;
- private:
+  tsi_ssl_client_handshaker_factory* ClientHandshakerFactoryForTesting() {
-  // Initialize SSL TSI client handshaker factory.
+    grpc_core::MutexLock lock(&mu_);
-  grpc_security_status InitializeHandshakerFactory(
+    return client_handshaker_factory_;
-      tsi_ssl_session_cache* ssl_session_cache);
+  };
-  // A util function to create a new client handshaker factory to replace
+  const absl::optional<absl::string_view>& RootCertsForTesting() {
-  // the existing one if exists.
+    grpc_core::MutexLock lock(&mu_);
-  grpc_security_status ReplaceHandshakerFactory(
+    return pem_root_certs_;
-      tsi_ssl_session_cache* ssl_session_cache);
+  }
  const absl::optional<grpc_core::PemKeyCertPairList>&
  KeyCertPairListForTesting() {
    grpc_core::MutexLock lock(&mu_);
    return pem_key_cert_pair_list_;
  }
 private:
  // A watcher that watches certificate updates from
  // grpc_tls_certificate_distributor. It will never outlive
  // |security_connector_|.
  class TlsChannelCertificateWatcher : public grpc_tls_certificate_distributor::
                                           TlsCertificatesWatcherInterface {
   public:
    explicit TlsChannelCertificateWatcher(
        TlsChannelSecurityConnector* security_connector)
        : security_connector_(security_connector) {}
    void OnCertificatesChanged(
        absl::optional<absl::string_view> root_certs,
        absl::optional<grpc_core::PemKeyCertPairList> key_cert_pairs) override;
    void OnError(grpc_error* root_cert_error,
                 grpc_error* identity_cert_error) override;
   private:
    TlsChannelSecurityConnector* security_connector_ = nullptr;
  };
  // Updates |client_handshaker_factory_| when the certificates that
  // |certificate_watcher_| is watching get updated.
  grpc_security_status UpdateHandshakerFactoryLocked();
  // gRPC-provided callback executed by application, which servers to bring the
  // control back to gRPC core.
@ -91,29 +126,32 @@ class TlsChannelSecurityConnector final
  static void ServerAuthorizationCheckArgDestroy(
      grpc_tls_server_authorization_check_arg* arg);
  // A util function to refresh SSL TSI client handshaker factory with a valid
  // credential.
  grpc_security_status RefreshHandshakerFactory();
  grpc_core::Mutex mu_;
-  grpc_closure* on_peer_checked_;
+  grpc_core::RefCountedPtr<grpc_tls_credentials_options> options_;
  grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
      certificate_watcher_ = nullptr;
  grpc_closure* on_peer_checked_ = nullptr;
  std::string target_name_;
  std::string overridden_target_name_;
  tsi_ssl_client_handshaker_factory* client_handshaker_factory_ = nullptr;
-  grpc_tls_server_authorization_check_arg* check_arg_;
+  grpc_tls_server_authorization_check_arg* check_arg_ = nullptr;
-  grpc_core::RefCountedPtr<grpc_tls_key_materials_config> key_materials_config_;
+  tsi_ssl_session_cache* ssl_session_cache_ = nullptr;
  absl::optional<absl::string_view> pem_root_certs_;
  absl::optional<grpc_core::PemKeyCertPairList> pem_key_cert_pair_list_;
 };
-// TLS server security connector.
+// Server security connector using TLS as transport security protocol.
 class TlsServerSecurityConnector final : public grpc_server_security_connector {
 public:
  // static factory method to create a TLS server security connector.
  static grpc_core::RefCountedPtr<grpc_server_security_connector>
  CreateTlsServerSecurityConnector(
-      grpc_core::RefCountedPtr<grpc_server_credentials> server_creds);
+      grpc_core::RefCountedPtr<grpc_server_credentials> server_creds,
      grpc_core::RefCountedPtr<grpc_tls_credentials_options> options);
-  explicit TlsServerSecurityConnector(
+  TlsServerSecurityConnector(
-      grpc_core::RefCountedPtr<grpc_server_credentials> server_creds);
+      grpc_core::RefCountedPtr<grpc_server_credentials> server_creds,
      grpc_core::RefCountedPtr<grpc_tls_credentials_options> options);
  ~TlsServerSecurityConnector() override;
  void add_handshakers(const grpc_channel_args* args,
@ -126,58 +164,65 @@ class TlsServerSecurityConnector final : public grpc_server_security_connector {
  int cmp(const grpc_security_connector* other) const override;
- private:
+  tsi_ssl_server_handshaker_factory* ServerHandshakerFactoryForTesting() {
-  // Initialize SSL TSI server handshaker factory.
+    grpc_core::MutexLock lock(&mu_);
-  grpc_security_status InitializeHandshakerFactory();
+    return server_handshaker_factory_;
  };
-  // A util function to create a new server handshaker factory to replace the
+  const absl::optional<absl::string_view>& RootCertsForTesting() {
-  // existing once if exists.
+    grpc_core::MutexLock lock(&mu_);
-  grpc_security_status ReplaceHandshakerFactory();
+    return pem_root_certs_;
  }
-  // A util function to refresh SSL TSI server handshaker factory with a valid
+  const absl::optional<grpc_core::PemKeyCertPairList>&
-  // credential.
+  KeyCertPairListForTesting() {
-  grpc_security_status RefreshHandshakerFactory();
+    grpc_core::MutexLock lock(&mu_);
    return pem_key_cert_pair_list_;
  }
 private:
  // A watcher that watches certificate updates from
  // grpc_tls_certificate_distributor. It will never outlive
  // |security_connector_|.
  class TlsServerCertificateWatcher : public grpc_tls_certificate_distributor::
                                          TlsCertificatesWatcherInterface {
   public:
    explicit TlsServerCertificateWatcher(
        TlsServerSecurityConnector* security_connector)
        : security_connector_(security_connector) {}
    void OnCertificatesChanged(
        absl::optional<absl::string_view> root_certs,
        absl::optional<grpc_core::PemKeyCertPairList> key_cert_pairs) override;
    void OnError(grpc_error* root_cert_error,
                 grpc_error* identity_cert_error) override;
   private:
    TlsServerSecurityConnector* security_connector_ = nullptr;
  };
  // Updates |server_handshaker_factory_| when the certificates that
  // |certificate_watcher_| is watching get updated.
  grpc_security_status UpdateHandshakerFactoryLocked();
  grpc_core::Mutex mu_;
  grpc_core::RefCountedPtr<grpc_tls_credentials_options> options_;
  grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
      certificate_watcher_ = nullptr;
  tsi_ssl_server_handshaker_factory* server_handshaker_factory_ = nullptr;
-  grpc_core::RefCountedPtr<grpc_tls_key_materials_config> key_materials_config_;
+  absl::optional<absl::string_view> pem_root_certs_;
  absl::optional<grpc_core::PemKeyCertPairList> pem_key_cert_pair_list_;
 };
 // ---- Functions below are exposed for testing only -----------------------
-
+namespace internal {
 /** The |TlsFetchKeyMaterials| API ensures that |key_materials_config| has a
 *  non-empty pem-key-cert pair list. This is done as follows:
 *  - if |options| is equipped with a credential reload config, then this
 *    methods uses credential reloading to populate |key_materials_config|, and
 *    afterwards it populates |reload_status| with the status of this operation.
 *    In particular, any data stored in |key_materials_config| is overwritten.
 *  - if |options| has no credential reload config, then:
 *    - if |key_materials_config| already has a non-empty pem-key-cert pair
 *      list or is called by a client, then the method returns |GRPC_STATUS_OK|.
 *    - if |key_materials_config| has an empty pem-key-cert pair list and is
 *      called by a server, then the method return an error code.
 *
 *  The arguments are detailed below:
 *  - key_materials_config: a key materials config that will be populated by the
 *    method on success; the caller should not pass in nullptr. Any data held by
 *    the config will be overwritten.
 *  - options: the TLS credentials options whose credential reloading config
 *    will be used to populate |key_materials_config|.
 *  - is_server: true denotes that this method is called by a server, and
 *    false denotes that this method is called by a client.
 *  - status: the status of the credential reloading after the method
 *    returns; the caller should not pass in nullptr. **/
 grpc_status_code TlsFetchKeyMaterials(
    const grpc_core::RefCountedPtr<grpc_tls_key_materials_config>&
        key_materials_config,
    const grpc_tls_credentials_options& options, bool is_server,
    grpc_ssl_certificate_config_reload_status* status);
 // TlsCheckHostName checks if |peer_name| matches the identity information
 // contained in |peer|. This is AKA hostname check.
 grpc_error* TlsCheckHostName(const char* peer_name, const tsi_peer* peer);
 }  // namespace internal
 }  // namespace grpc_core
-#endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H \
+#endif  // GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H
        */
--- a/src/cpp/client/secure_credentials.cc
+++ b/src/cpp/client/secure_credentials.cc
@ -295,7 +295,7 @@ std::shared_ptr<ChannelCredentials> LocalCredentials(
 // Builds TLS Credentials given TLS options.
 std::shared_ptr<ChannelCredentials> TlsCredentials(
-    const TlsCredentialsOptions& options) {
+    const TlsChannelCredentialsOptions& options) {
  return internal::WrapChannelCredentials(
      grpc_tls_credentials_create(options.c_credentials_options()));
 }
--- a/src/cpp/common/tls_certificate_provider.cc
+++ b/src/cpp/common/tls_certificate_provider.cc
@ -0,0 +1,45 @@
 //
 // Copyright 2020 gRPC authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
 #include <grpc/grpc_security.h>
 #include <grpc/support/alloc.h>
 #include <grpcpp/security/tls_certificate_provider.h>
 #include "absl/container/inlined_vector.h"
 namespace grpc {
 namespace experimental {
 StaticDataCertificateProvider::StaticDataCertificateProvider(
    const std::string& root_certificate,
    const std::vector<IdentityKeyCertPair>& identity_key_cert_pairs) {
  GPR_ASSERT(!root_certificate.empty() || !identity_key_cert_pairs.empty());
  grpc_tls_identity_pairs* pairs_core = grpc_tls_identity_pairs_create();
  for (const IdentityKeyCertPair& pair : identity_key_cert_pairs) {
    grpc_tls_identity_pairs_add_pair(pairs_core, pair.private_key.c_str(),
                                     pair.certificate_chain.c_str());
  }
  c_provider_ = grpc_tls_certificate_provider_static_data_create(
      root_certificate.c_str(), pairs_core);
  GPR_ASSERT(c_provider_ != nullptr);
 };
 StaticDataCertificateProvider::~StaticDataCertificateProvider() {
  grpc_tls_certificate_provider_release(c_provider_);
 };
 }  // namespace experimental
 }  // namespace grpc
--- a/src/cpp/common/tls_credentials_options.cc
+++ b/src/cpp/common/tls_credentials_options.cc
@ -16,178 +16,22 @@
 *
 */
 #include <grpc/grpc_security.h>
 #include <grpc/support/alloc.h>
 #include <grpcpp/security/tls_credentials_options.h>
 #include "absl/container/inlined_vector.h"
 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
 #include "src/cpp/common/tls_credentials_options_util.h"
 namespace grpc {
 namespace experimental {
 /** TLS key materials config API implementation **/
 void TlsKeyMaterialsConfig::set_pem_root_certs(
    const std::string& pem_root_certs) {
  pem_root_certs_ = pem_root_certs;
 }
 void TlsKeyMaterialsConfig::add_pem_key_cert_pair(
    const PemKeyCertPair& pem_key_cert_pair) {
  pem_key_cert_pair_list_.push_back(pem_key_cert_pair);
 }
 void TlsKeyMaterialsConfig::set_key_materials(
    const std::string& pem_root_certs,
    const std::vector<PemKeyCertPair>& pem_key_cert_pair_list) {
  pem_key_cert_pair_list_ = pem_key_cert_pair_list;
  pem_root_certs_ = pem_root_certs;
 }
 /** TLS credential reload arg API implementation **/
 TlsCredentialReloadArg::TlsCredentialReloadArg(
    grpc_tls_credential_reload_arg* arg)
    : c_arg_(arg) {
  if (c_arg_ != nullptr && c_arg_->context != nullptr) {
    gpr_log(GPR_ERROR, "c_arg context has already been set");
  }
  c_arg_->context = static_cast<void*>(this);
  c_arg_->destroy_context = &TlsCredentialReloadArgDestroyContext;
 }
 TlsCredentialReloadArg::~TlsCredentialReloadArg() {}
 void* TlsCredentialReloadArg::cb_user_data() const {
  return c_arg_->cb_user_data;
 }
 bool TlsCredentialReloadArg::is_pem_key_cert_pair_list_empty() const {
  return c_arg_->key_materials_config->pem_key_cert_pair_list().empty();
 }
 grpc_ssl_certificate_config_reload_status TlsCredentialReloadArg::status()
    const {
  return c_arg_->status;
 }
 std::string TlsCredentialReloadArg::error_details() const {
  return c_arg_->error_details->error_details();
 }
 void TlsCredentialReloadArg::set_cb_user_data(void* cb_user_data) {
  c_arg_->cb_user_data = cb_user_data;
 }
 void TlsCredentialReloadArg::set_pem_root_certs(
    const std::string& pem_root_certs) {
  ::grpc_core::UniquePtr<char> c_pem_root_certs(
      gpr_strdup(pem_root_certs.c_str()));
  c_arg_->key_materials_config->set_pem_root_certs(std::move(c_pem_root_certs));
 }
 namespace {
 ::grpc_core::PemKeyCertPair ConvertToCorePemKeyCertPair(
    const TlsKeyMaterialsConfig::PemKeyCertPair& pem_key_cert_pair) {
  grpc_ssl_pem_key_cert_pair* ssl_pair =
      (grpc_ssl_pem_key_cert_pair*)gpr_malloc(
          sizeof(grpc_ssl_pem_key_cert_pair));
  ssl_pair->private_key = gpr_strdup(pem_key_cert_pair.private_key.c_str());
  ssl_pair->cert_chain = gpr_strdup(pem_key_cert_pair.cert_chain.c_str());
  return ::grpc_core::PemKeyCertPair(ssl_pair);
 }
 }  //  namespace
 void TlsCredentialReloadArg::add_pem_key_cert_pair(
    const TlsKeyMaterialsConfig::PemKeyCertPair& pem_key_cert_pair) {
  c_arg_->key_materials_config->add_pem_key_cert_pair(
      ConvertToCorePemKeyCertPair(pem_key_cert_pair));
 }
 void TlsCredentialReloadArg::set_key_materials(
    const std::string& pem_root_certs,
    std::vector<TlsKeyMaterialsConfig::PemKeyCertPair> pem_key_cert_pair_list) {
  /** Initialize the |key_materials_config| field of |c_arg_|, if it has not
   *  already been done. **/
  if (c_arg_->key_materials_config == nullptr) {
    c_arg_->key_materials_config = grpc_tls_key_materials_config_create();
  }
  /** Convert |pem_key_cert_pair_list| to an inlined vector of ssl pairs. **/
  ::absl::InlinedVector<::grpc_core::PemKeyCertPair, 1>
      c_pem_key_cert_pair_list;
  for (const auto& key_cert_pair : pem_key_cert_pair_list) {
    c_pem_key_cert_pair_list.emplace_back(
        ConvertToCorePemKeyCertPair(key_cert_pair));
  }
  /** Populate the key materials config field of |c_arg_|. **/
  c_arg_->key_materials_config->set_key_materials(pem_root_certs.c_str(),
                                                  c_pem_key_cert_pair_list);
 }
 void TlsCredentialReloadArg::set_key_materials_config(
    const std::shared_ptr<TlsKeyMaterialsConfig>& key_materials_config) {
  if (key_materials_config == nullptr) {
    c_arg_->key_materials_config = nullptr;
    return;
  }
  ::absl::InlinedVector<::grpc_core::PemKeyCertPair, 1>
      c_pem_key_cert_pair_list;
  for (const auto& key_cert_pair :
       key_materials_config->pem_key_cert_pair_list()) {
    grpc_ssl_pem_key_cert_pair* ssl_pair =
        (grpc_ssl_pem_key_cert_pair*)gpr_malloc(
            sizeof(grpc_ssl_pem_key_cert_pair));
    ssl_pair->private_key = gpr_strdup(key_cert_pair.private_key.c_str());
    ssl_pair->cert_chain = gpr_strdup(key_cert_pair.cert_chain.c_str());
    ::grpc_core::PemKeyCertPair c_pem_key_cert_pair =
        ::grpc_core::PemKeyCertPair(ssl_pair);
    c_pem_key_cert_pair_list.emplace_back(std::move(c_pem_key_cert_pair));
  }
  ::grpc_core::UniquePtr<char> c_pem_root_certs(
      gpr_strdup(key_materials_config->pem_root_certs().c_str()));
  if (c_arg_->key_materials_config == nullptr) {
    c_arg_->key_materials_config = grpc_tls_key_materials_config_create();
  }
  c_arg_->key_materials_config->set_key_materials(
      key_materials_config->pem_root_certs().c_str(), c_pem_key_cert_pair_list);
  c_arg_->key_materials_config->set_version(key_materials_config->version());
 }
 void TlsCredentialReloadArg::set_status(
    grpc_ssl_certificate_config_reload_status status) {
  c_arg_->status = status;
 }
 void TlsCredentialReloadArg::set_error_details(
    const std::string& error_details) {
  c_arg_->error_details->set_error_details(error_details.c_str());
 }
 void TlsCredentialReloadArg::OnCredentialReloadDoneCallback() {
  if (c_arg_->cb == nullptr) {
    gpr_log(GPR_ERROR, "credential reload arg callback API is nullptr");
    return;
  }
  c_arg_->cb(c_arg_);
 }
 /** gRPC TLS credential reload config API implementation **/
 TlsCredentialReloadConfig::TlsCredentialReloadConfig(
    std::shared_ptr<TlsCredentialReloadInterface> credential_reload_interface)
    : credential_reload_interface_(std::move(credential_reload_interface)) {
  c_config_ = grpc_tls_credential_reload_config_create(
      nullptr, &TlsCredentialReloadConfigCSchedule,
      &TlsCredentialReloadConfigCCancel, nullptr);
  c_config_->set_context(static_cast<void*>(this));
 }
 TlsCredentialReloadConfig::~TlsCredentialReloadConfig() {}
 /** gRPC TLS server authorization check arg API implementation **/
 TlsServerAuthorizationCheckArg::TlsServerAuthorizationCheckArg(
    grpc_tls_server_authorization_check_arg* arg)
    : c_arg_(arg) {
-  if (c_arg_ != nullptr && c_arg_->context != nullptr) {
+  GPR_ASSERT(c_arg_ != nullptr);
  if (c_arg_->context != nullptr) {
    gpr_log(GPR_ERROR, "c_arg context has already been set");
  }
  c_arg_->context = static_cast<void*>(this);
@ -265,7 +109,6 @@ void TlsServerAuthorizationCheckArg::OnServerAuthorizationCheckDoneCallback() {
  c_arg_->cb(c_arg_);
 }
 /** gRPC TLS server authorization check config API implementation. **/
 TlsServerAuthorizationCheckConfig::TlsServerAuthorizationCheckConfig(
    std::shared_ptr<TlsServerAuthorizationCheckInterface>
        server_authorization_check_interface)
@ -277,67 +120,66 @@ TlsServerAuthorizationCheckConfig::TlsServerAuthorizationCheckConfig(
  c_config_->set_context(static_cast<void*>(this));
 }
-TlsServerAuthorizationCheckConfig::~TlsServerAuthorizationCheckConfig() {}
+TlsServerAuthorizationCheckConfig::~TlsServerAuthorizationCheckConfig() {
-
+  grpc_tls_server_authorization_check_config_release(c_config_);
-/** gRPC TLS credential options API implementation **/
+}
 TlsCredentialsOptions::TlsCredentialsOptions(
    grpc_tls_server_verification_option server_verification_option,
    std::shared_ptr<TlsKeyMaterialsConfig> key_materials_config,
    std::shared_ptr<TlsCredentialReloadConfig> credential_reload_config,
    std::shared_ptr<TlsServerAuthorizationCheckConfig>
        server_authorization_check_config)
    : TlsCredentialsOptions(
          GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE, server_verification_option,
          std::move(key_materials_config), std::move(credential_reload_config),
          std::move(server_authorization_check_config)) {}
 TlsCredentialsOptions::TlsCredentialsOptions(
    grpc_ssl_client_certificate_request_type cert_request_type,
    std::shared_ptr<TlsKeyMaterialsConfig> key_materials_config,
    std::shared_ptr<TlsCredentialReloadConfig> credential_reload_config)
    : TlsCredentialsOptions(cert_request_type, GRPC_TLS_SERVER_VERIFICATION,
                            std::move(key_materials_config),
                            std::move(credential_reload_config), nullptr) {}
 TlsCredentialsOptions::TlsCredentialsOptions(
-    grpc_ssl_client_certificate_request_type cert_request_type,
+    std::shared_ptr<CertificateProviderInterface> certificate_provider)
-    grpc_tls_server_verification_option server_verification_option,
+    : certificate_provider_(std::move(certificate_provider)) {
    std::shared_ptr<TlsKeyMaterialsConfig> key_materials_config,
    std::shared_ptr<TlsCredentialReloadConfig> credential_reload_config,
    std::shared_ptr<TlsServerAuthorizationCheckConfig>
        server_authorization_check_config)
    : cert_request_type_(cert_request_type),
      server_verification_option_(server_verification_option),
      key_materials_config_(std::move(key_materials_config)),
      credential_reload_config_(std::move(credential_reload_config)),
      server_authorization_check_config_(
          std::move(server_authorization_check_config)) {
  c_credentials_options_ = grpc_tls_credentials_options_create();
-  grpc_tls_credentials_options_set_cert_request_type(c_credentials_options_,
+  if (certificate_provider_ != nullptr) {
-                                                     cert_request_type_);
+    grpc_tls_credentials_options_set_certificate_provider(
-  if (key_materials_config_ != nullptr) {
+        c_credentials_options_, certificate_provider_->c_provider());
    grpc_tls_credentials_options_set_key_materials_config(
        c_credentials_options_,
        ConvertToCKeyMaterialsConfig(key_materials_config_));
  }
  if (credential_reload_config_ != nullptr) {
    grpc_tls_credentials_options_set_credential_reload_config(
        c_credentials_options_, credential_reload_config_->c_config());
  }
-  if (server_authorization_check_config_ != nullptr) {
+}
 void TlsCredentialsOptions::watch_root_certs() {
  grpc_tls_credentials_options_watch_root_certs(c_credentials_options_);
 }
 void TlsCredentialsOptions::set_root_cert_name(
    const std::string& root_cert_name) {
  grpc_tls_credentials_options_set_root_cert_name(c_credentials_options_,
                                                  root_cert_name.c_str());
 }
 void TlsCredentialsOptions::watch_identity_key_cert_pairs() {
  grpc_tls_credentials_options_watch_identity_key_cert_pairs(
      c_credentials_options_);
 }
 void TlsCredentialsOptions::set_identity_cert_name(
    const std::string& identity_cert_name) {
  grpc_tls_credentials_options_set_identity_cert_name(
      c_credentials_options_, identity_cert_name.c_str());
 }
 void TlsChannelCredentialsOptions::set_server_verification_option(
    grpc_tls_server_verification_option server_verification_option) {
  grpc_tls_credentials_options* options = c_credentials_options();
  GPR_ASSERT(options != nullptr);
  grpc_tls_credentials_options_set_server_verification_option(
      options, server_verification_option);
 }
 void TlsChannelCredentialsOptions::set_server_authorization_check_config(
    std::shared_ptr<TlsServerAuthorizationCheckConfig> config) {
  grpc_tls_credentials_options* options = c_credentials_options();
  GPR_ASSERT(options != nullptr);
  if (config != nullptr) {
    grpc_tls_credentials_options_set_server_authorization_check_config(
-        c_credentials_options_, server_authorization_check_config_->c_config());
+        options, config->c_config());
  }
  grpc_tls_credentials_options_set_server_verification_option(
      c_credentials_options_, server_verification_option);
 }
-/** Whenever a TlsCredentialsOptions instance is created, the caller takes
+void TlsServerCredentialsOptions::set_cert_request_type(
- *  ownership of the c_credentials_options_ pointer (see e.g. the implementation
+    grpc_ssl_client_certificate_request_type cert_request_type) {
- *  of the TlsCredentials API in secure_credentials.cc). For this reason, the
+  grpc_tls_credentials_options* options = c_credentials_options();
- *  TlsCredentialsOptions destructor is not responsible for freeing
+  GPR_ASSERT(options != nullptr);
- *  c_credentials_options_. **/
+  grpc_tls_credentials_options_set_cert_request_type(options,
-TlsCredentialsOptions::~TlsCredentialsOptions() {}
+                                                     cert_request_type);
 }
 }  // namespace experimental
 }  // namespace grpc
--- a/src/cpp/common/tls_credentials_options_util.cc
+++ b/src/cpp/common/tls_credentials_options_util.cc
@ -19,85 +19,12 @@
 #include "absl/container/inlined_vector.h"
 #include <grpcpp/security/tls_credentials_options.h>
 #include "src/cpp/common/tls_credentials_options_util.h"
 namespace grpc {
 namespace experimental {
 /** Converts the Cpp key materials to C key materials; this allocates memory for
 * the C key materials. Note that the user must free
 * the underlying pointer to private key and cert chain duplicates; they are not
 * freed when the grpc_core::UniquePtr<char> member variables of PemKeyCertPair
 * are unused. Similarly, the user must free the underlying pointer to
 * c_pem_root_certs. **/
 grpc_tls_key_materials_config* ConvertToCKeyMaterialsConfig(
    const std::shared_ptr<TlsKeyMaterialsConfig>& config) {
  if (config == nullptr) {
    return nullptr;
  }
  grpc_tls_key_materials_config* c_config =
      grpc_tls_key_materials_config_create();
  ::absl::InlinedVector<::grpc_core::PemKeyCertPair, 1>
      c_pem_key_cert_pair_list;
  for (const auto& key_cert_pair : config->pem_key_cert_pair_list()) {
    grpc_ssl_pem_key_cert_pair* ssl_pair =
        (grpc_ssl_pem_key_cert_pair*)gpr_malloc(
            sizeof(grpc_ssl_pem_key_cert_pair));
    ssl_pair->private_key = gpr_strdup(key_cert_pair.private_key.c_str());
    ssl_pair->cert_chain = gpr_strdup(key_cert_pair.cert_chain.c_str());
    ::grpc_core::PemKeyCertPair c_pem_key_cert_pair =
        ::grpc_core::PemKeyCertPair(ssl_pair);
    c_pem_key_cert_pair_list.push_back(::std::move(c_pem_key_cert_pair));
  }
  c_config->set_key_materials(config->pem_root_certs().c_str(),
                              c_pem_key_cert_pair_list);
  c_config->set_version(config->version());
  return c_config;
 }
 /** The C schedule and cancel functions for the credential reload config.
 * They populate a C credential reload arg with the result of a C++ credential
 * reload schedule/cancel API. **/
 int TlsCredentialReloadConfigCSchedule(void* /*config_user_data*/,
                                       grpc_tls_credential_reload_arg* arg) {
  if (arg == nullptr || arg->config == nullptr ||
      arg->config->context() == nullptr) {
    gpr_log(GPR_ERROR, "credential reload arg was not properly initialized");
    return 1;
  }
  TlsCredentialReloadConfig* cpp_config =
      static_cast<TlsCredentialReloadConfig*>(arg->config->context());
  TlsCredentialReloadArg* cpp_arg = new TlsCredentialReloadArg(arg);
  int schedule_result = cpp_config->Schedule(cpp_arg);
  return schedule_result;
 }
 void TlsCredentialReloadConfigCCancel(void* /*config_user_data*/,
                                      grpc_tls_credential_reload_arg* arg) {
  if (arg == nullptr || arg->config == nullptr ||
      arg->config->context() == nullptr) {
    gpr_log(GPR_ERROR, "credential reload arg was not properly initialized");
    return;
  }
  if (arg->context == nullptr) {
    gpr_log(GPR_ERROR, "credential reload arg schedule has already completed");
    return;
  }
  TlsCredentialReloadConfig* cpp_config =
      static_cast<TlsCredentialReloadConfig*>(arg->config->context());
  TlsCredentialReloadArg* cpp_arg =
      static_cast<TlsCredentialReloadArg*>(arg->context);
  cpp_config->Cancel(cpp_arg);
 }
 void TlsCredentialReloadArgDestroyContext(void* context) {
  if (context != nullptr) {
    TlsCredentialReloadArg* cpp_arg =
        static_cast<TlsCredentialReloadArg*>(context);
    delete cpp_arg;
  }
 }
 /** The C schedule and cancel functions for the server authorization check
 * config. They populate a C server authorization check arg with the result
 * of a C++ server authorization check schedule/cancel API. **/
--- a/src/cpp/common/tls_credentials_options_util.h
+++ b/src/cpp/common/tls_credentials_options_util.h
@ -27,29 +27,15 @@
 namespace grpc {
 namespace experimental {
-/** The following function is exposed for testing purposes. **/
+/** The following 2 functions convert the user-provided schedule or cancel
 grpc_tls_key_materials_config* ConvertToCKeyMaterialsConfig(
    const std::shared_ptr<TlsKeyMaterialsConfig>& config);
 /** The following 4 functions convert the user-provided schedule or cancel
 *  functions into C style schedule or cancel functions. These are internal
 *  functions, not meant to be accessed by the user. **/
 int TlsCredentialReloadConfigCSchedule(void* config_user_data,
                                       grpc_tls_credential_reload_arg* arg);
 void TlsCredentialReloadConfigCCancel(void* config_user_data,
                                      grpc_tls_credential_reload_arg* arg);
 int TlsServerAuthorizationCheckConfigCSchedule(
    void* config_user_data, grpc_tls_server_authorization_check_arg* arg);
 void TlsServerAuthorizationCheckConfigCCancel(
    void* config_user_data, grpc_tls_server_authorization_check_arg* arg);
 /** The following 2 functions cleanup data created in the above C schedule
 *  functions. **/
 void TlsCredentialReloadArgDestroyContext(void* context);
 void TlsServerAuthorizationCheckArgDestroyContext(void* context);
 }  //  namespace experimental
--- a/src/cpp/server/secure_server_credentials.cc
+++ b/src/cpp/server/secure_server_credentials.cc
@ -145,8 +145,7 @@ std::shared_ptr<ServerCredentials> LocalServerCredentials(
 }
 std::shared_ptr<ServerCredentials> TlsServerCredentials(
-    const grpc::experimental::TlsCredentialsOptions& options) {
+    const grpc::experimental::TlsServerCredentialsOptions& options) {
  grpc::GrpcLibraryCodegen init;
  return std::shared_ptr<ServerCredentials>(new SecureServerCredentials(
      grpc_tls_server_credentials_create(options.c_credentials_options())));
 }
--- a/src/python/grpcio/grpc_core_dependencies.py
+++ b/src/python/grpcio/grpc_core_dependencies.py
@ -488,6 +488,7 @@ CORE_SOURCE_FILES = [
    'src/core/lib/security/credentials/plugin/plugin_credentials.cc',
    'src/core/lib/security/credentials/ssl/ssl_credentials.cc',
    'src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc',
    'src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc',
    'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc',
    'src/core/lib/security/credentials/tls/tls_credentials.cc',
    'src/core/lib/security/credentials/xds/xds_credentials.cc',
--- a/src/ruby/ext/grpc/rb_grpc_imports.generated.c
+++ b/src/ruby/ext/grpc/rb_grpc_imports.generated.c
@ -158,18 +158,22 @@ grpc_alts_credentials_create_type grpc_alts_credentials_create_import;
 grpc_alts_server_credentials_create_type grpc_alts_server_credentials_create_import;
 grpc_local_credentials_create_type grpc_local_credentials_create_import;
 grpc_local_server_credentials_create_type grpc_local_server_credentials_create_import;
 grpc_tls_identity_pairs_create_type grpc_tls_identity_pairs_create_import;
 grpc_tls_identity_pairs_add_pair_type grpc_tls_identity_pairs_add_pair_import;
 grpc_tls_identity_pairs_destroy_type grpc_tls_identity_pairs_destroy_import;
 grpc_tls_certificate_provider_static_data_create_type grpc_tls_certificate_provider_static_data_create_import;
 grpc_tls_certificate_provider_release_type grpc_tls_certificate_provider_release_import;
 grpc_tls_credentials_options_create_type grpc_tls_credentials_options_create_import;
 grpc_tls_credentials_options_set_cert_request_type_type grpc_tls_credentials_options_set_cert_request_type_import;
 grpc_tls_credentials_options_set_server_verification_option_type grpc_tls_credentials_options_set_server_verification_option_import;
-grpc_tls_credentials_options_set_key_materials_config_type grpc_tls_credentials_options_set_key_materials_config_import;
+grpc_tls_credentials_options_set_certificate_provider_type grpc_tls_credentials_options_set_certificate_provider_import;
-grpc_tls_credentials_options_set_credential_reload_config_type grpc_tls_credentials_options_set_credential_reload_config_import;
+grpc_tls_credentials_options_watch_root_certs_type grpc_tls_credentials_options_watch_root_certs_import;
 grpc_tls_credentials_options_set_root_cert_name_type grpc_tls_credentials_options_set_root_cert_name_import;
 grpc_tls_credentials_options_watch_identity_key_cert_pairs_type grpc_tls_credentials_options_watch_identity_key_cert_pairs_import;
 grpc_tls_credentials_options_set_identity_cert_name_type grpc_tls_credentials_options_set_identity_cert_name_import;
 grpc_tls_credentials_options_set_server_authorization_check_config_type grpc_tls_credentials_options_set_server_authorization_check_config_import;
 grpc_tls_key_materials_config_create_type grpc_tls_key_materials_config_create_import;
 grpc_tls_key_materials_config_set_key_materials_type grpc_tls_key_materials_config_set_key_materials_import;
 grpc_tls_key_materials_config_set_version_type grpc_tls_key_materials_config_set_version_import;
 grpc_tls_key_materials_config_get_version_type grpc_tls_key_materials_config_get_version_import;
 grpc_tls_credential_reload_config_create_type grpc_tls_credential_reload_config_create_import;
 grpc_tls_server_authorization_check_config_create_type grpc_tls_server_authorization_check_config_create_import;
 grpc_tls_server_authorization_check_config_release_type grpc_tls_server_authorization_check_config_release_import;
 grpc_xds_credentials_create_type grpc_xds_credentials_create_import;
 grpc_raw_byte_buffer_create_type grpc_raw_byte_buffer_create_import;
 grpc_raw_compressed_byte_buffer_create_type grpc_raw_compressed_byte_buffer_create_import;
@ -432,18 +436,22 @@ void grpc_rb_load_imports(HMODULE library) {
  grpc_alts_server_credentials_create_import = (grpc_alts_server_credentials_create_type) GetProcAddress(library, "grpc_alts_server_credentials_create");
  grpc_local_credentials_create_import = (grpc_local_credentials_create_type) GetProcAddress(library, "grpc_local_credentials_create");
  grpc_local_server_credentials_create_import = (grpc_local_server_credentials_create_type) GetProcAddress(library, "grpc_local_server_credentials_create");
  grpc_tls_identity_pairs_create_import = (grpc_tls_identity_pairs_create_type) GetProcAddress(library, "grpc_tls_identity_pairs_create");
  grpc_tls_identity_pairs_add_pair_import = (grpc_tls_identity_pairs_add_pair_type) GetProcAddress(library, "grpc_tls_identity_pairs_add_pair");
  grpc_tls_identity_pairs_destroy_import = (grpc_tls_identity_pairs_destroy_type) GetProcAddress(library, "grpc_tls_identity_pairs_destroy");
  grpc_tls_certificate_provider_static_data_create_import = (grpc_tls_certificate_provider_static_data_create_type) GetProcAddress(library, "grpc_tls_certificate_provider_static_data_create");
  grpc_tls_certificate_provider_release_import = (grpc_tls_certificate_provider_release_type) GetProcAddress(library, "grpc_tls_certificate_provider_release");
  grpc_tls_credentials_options_create_import = (grpc_tls_credentials_options_create_type) GetProcAddress(library, "grpc_tls_credentials_options_create");
  grpc_tls_credentials_options_set_cert_request_type_import = (grpc_tls_credentials_options_set_cert_request_type_type) GetProcAddress(library, "grpc_tls_credentials_options_set_cert_request_type");
  grpc_tls_credentials_options_set_server_verification_option_import = (grpc_tls_credentials_options_set_server_verification_option_type) GetProcAddress(library, "grpc_tls_credentials_options_set_server_verification_option");
-  grpc_tls_credentials_options_set_key_materials_config_import = (grpc_tls_credentials_options_set_key_materials_config_type) GetProcAddress(library, "grpc_tls_credentials_options_set_key_materials_config");
+  grpc_tls_credentials_options_set_certificate_provider_import = (grpc_tls_credentials_options_set_certificate_provider_type) GetProcAddress(library, "grpc_tls_credentials_options_set_certificate_provider");
-  grpc_tls_credentials_options_set_credential_reload_config_import = (grpc_tls_credentials_options_set_credential_reload_config_type) GetProcAddress(library, "grpc_tls_credentials_options_set_credential_reload_config");
+  grpc_tls_credentials_options_watch_root_certs_import = (grpc_tls_credentials_options_watch_root_certs_type) GetProcAddress(library, "grpc_tls_credentials_options_watch_root_certs");
  grpc_tls_credentials_options_set_root_cert_name_import = (grpc_tls_credentials_options_set_root_cert_name_type) GetProcAddress(library, "grpc_tls_credentials_options_set_root_cert_name");
  grpc_tls_credentials_options_watch_identity_key_cert_pairs_import = (grpc_tls_credentials_options_watch_identity_key_cert_pairs_type) GetProcAddress(library, "grpc_tls_credentials_options_watch_identity_key_cert_pairs");
  grpc_tls_credentials_options_set_identity_cert_name_import = (grpc_tls_credentials_options_set_identity_cert_name_type) GetProcAddress(library, "grpc_tls_credentials_options_set_identity_cert_name");
  grpc_tls_credentials_options_set_server_authorization_check_config_import = (grpc_tls_credentials_options_set_server_authorization_check_config_type) GetProcAddress(library, "grpc_tls_credentials_options_set_server_authorization_check_config");
  grpc_tls_key_materials_config_create_import = (grpc_tls_key_materials_config_create_type) GetProcAddress(library, "grpc_tls_key_materials_config_create");
  grpc_tls_key_materials_config_set_key_materials_import = (grpc_tls_key_materials_config_set_key_materials_type) GetProcAddress(library, "grpc_tls_key_materials_config_set_key_materials");
  grpc_tls_key_materials_config_set_version_import = (grpc_tls_key_materials_config_set_version_type) GetProcAddress(library, "grpc_tls_key_materials_config_set_version");
  grpc_tls_key_materials_config_get_version_import = (grpc_tls_key_materials_config_get_version_type) GetProcAddress(library, "grpc_tls_key_materials_config_get_version");
  grpc_tls_credential_reload_config_create_import = (grpc_tls_credential_reload_config_create_type) GetProcAddress(library, "grpc_tls_credential_reload_config_create");
  grpc_tls_server_authorization_check_config_create_import = (grpc_tls_server_authorization_check_config_create_type) GetProcAddress(library, "grpc_tls_server_authorization_check_config_create");
  grpc_tls_server_authorization_check_config_release_import = (grpc_tls_server_authorization_check_config_release_type) GetProcAddress(library, "grpc_tls_server_authorization_check_config_release");
  grpc_xds_credentials_create_import = (grpc_xds_credentials_create_type) GetProcAddress(library, "grpc_xds_credentials_create");
  grpc_raw_byte_buffer_create_import = (grpc_raw_byte_buffer_create_type) GetProcAddress(library, "grpc_raw_byte_buffer_create");
  grpc_raw_compressed_byte_buffer_create_import = (grpc_raw_compressed_byte_buffer_create_type) GetProcAddress(library, "grpc_raw_compressed_byte_buffer_create");
--- a/src/ruby/ext/grpc/rb_grpc_imports.generated.h
+++ b/src/ruby/ext/grpc/rb_grpc_imports.generated.h
@ -449,42 +449,54 @@ extern grpc_local_credentials_create_type grpc_local_credentials_create_import;
 typedef grpc_server_credentials*(*grpc_local_server_credentials_create_type)(grpc_local_connect_type type);
 extern grpc_local_server_credentials_create_type grpc_local_server_credentials_create_import;
 #define grpc_local_server_credentials_create grpc_local_server_credentials_create_import
 typedef grpc_tls_identity_pairs*(*grpc_tls_identity_pairs_create_type)();
 extern grpc_tls_identity_pairs_create_type grpc_tls_identity_pairs_create_import;
 #define grpc_tls_identity_pairs_create grpc_tls_identity_pairs_create_import
 typedef void(*grpc_tls_identity_pairs_add_pair_type)(grpc_tls_identity_pairs* pairs, const char* private_key, const char* cert_chain);
 extern grpc_tls_identity_pairs_add_pair_type grpc_tls_identity_pairs_add_pair_import;
 #define grpc_tls_identity_pairs_add_pair grpc_tls_identity_pairs_add_pair_import
 typedef void(*grpc_tls_identity_pairs_destroy_type)(grpc_tls_identity_pairs* pairs);
 extern grpc_tls_identity_pairs_destroy_type grpc_tls_identity_pairs_destroy_import;
 #define grpc_tls_identity_pairs_destroy grpc_tls_identity_pairs_destroy_import
 typedef grpc_tls_certificate_provider*(*grpc_tls_certificate_provider_static_data_create_type)(const char* root_certificate, grpc_tls_identity_pairs* pem_key_cert_pairs);
 extern grpc_tls_certificate_provider_static_data_create_type grpc_tls_certificate_provider_static_data_create_import;
 #define grpc_tls_certificate_provider_static_data_create grpc_tls_certificate_provider_static_data_create_import
 typedef void(*grpc_tls_certificate_provider_release_type)(grpc_tls_certificate_provider* provider);
 extern grpc_tls_certificate_provider_release_type grpc_tls_certificate_provider_release_import;
 #define grpc_tls_certificate_provider_release grpc_tls_certificate_provider_release_import
 typedef grpc_tls_credentials_options*(*grpc_tls_credentials_options_create_type)(void);
 extern grpc_tls_credentials_options_create_type grpc_tls_credentials_options_create_import;
 #define grpc_tls_credentials_options_create grpc_tls_credentials_options_create_import
-typedef int(*grpc_tls_credentials_options_set_cert_request_type_type)(grpc_tls_credentials_options* options, grpc_ssl_client_certificate_request_type type);
+typedef void(*grpc_tls_credentials_options_set_cert_request_type_type)(grpc_tls_credentials_options* options, grpc_ssl_client_certificate_request_type type);
 extern grpc_tls_credentials_options_set_cert_request_type_type grpc_tls_credentials_options_set_cert_request_type_import;
 #define grpc_tls_credentials_options_set_cert_request_type grpc_tls_credentials_options_set_cert_request_type_import
-typedef int(*grpc_tls_credentials_options_set_server_verification_option_type)(grpc_tls_credentials_options* options, grpc_tls_server_verification_option server_verification_option);
+typedef void(*grpc_tls_credentials_options_set_server_verification_option_type)(grpc_tls_credentials_options* options, grpc_tls_server_verification_option server_verification_option);
 extern grpc_tls_credentials_options_set_server_verification_option_type grpc_tls_credentials_options_set_server_verification_option_import;
 #define grpc_tls_credentials_options_set_server_verification_option grpc_tls_credentials_options_set_server_verification_option_import
-typedef int(*grpc_tls_credentials_options_set_key_materials_config_type)(grpc_tls_credentials_options* options, grpc_tls_key_materials_config* config);
+typedef void(*grpc_tls_credentials_options_set_certificate_provider_type)(grpc_tls_credentials_options* options, grpc_tls_certificate_provider* provider);
-extern grpc_tls_credentials_options_set_key_materials_config_type grpc_tls_credentials_options_set_key_materials_config_import;
+extern grpc_tls_credentials_options_set_certificate_provider_type grpc_tls_credentials_options_set_certificate_provider_import;
-#define grpc_tls_credentials_options_set_key_materials_config grpc_tls_credentials_options_set_key_materials_config_import
+#define grpc_tls_credentials_options_set_certificate_provider grpc_tls_credentials_options_set_certificate_provider_import
-typedef int(*grpc_tls_credentials_options_set_credential_reload_config_type)(grpc_tls_credentials_options* options, grpc_tls_credential_reload_config* config);
+typedef void(*grpc_tls_credentials_options_watch_root_certs_type)(grpc_tls_credentials_options* options);
-extern grpc_tls_credentials_options_set_credential_reload_config_type grpc_tls_credentials_options_set_credential_reload_config_import;
+extern grpc_tls_credentials_options_watch_root_certs_type grpc_tls_credentials_options_watch_root_certs_import;
-#define grpc_tls_credentials_options_set_credential_reload_config grpc_tls_credentials_options_set_credential_reload_config_import
+#define grpc_tls_credentials_options_watch_root_certs grpc_tls_credentials_options_watch_root_certs_import
-typedef int(*grpc_tls_credentials_options_set_server_authorization_check_config_type)(grpc_tls_credentials_options* options, grpc_tls_server_authorization_check_config* config);
+typedef void(*grpc_tls_credentials_options_set_root_cert_name_type)(grpc_tls_credentials_options* options, const char* root_cert_name);
 extern grpc_tls_credentials_options_set_root_cert_name_type grpc_tls_credentials_options_set_root_cert_name_import;
 #define grpc_tls_credentials_options_set_root_cert_name grpc_tls_credentials_options_set_root_cert_name_import
 typedef void(*grpc_tls_credentials_options_watch_identity_key_cert_pairs_type)(grpc_tls_credentials_options* options);
 extern grpc_tls_credentials_options_watch_identity_key_cert_pairs_type grpc_tls_credentials_options_watch_identity_key_cert_pairs_import;
 #define grpc_tls_credentials_options_watch_identity_key_cert_pairs grpc_tls_credentials_options_watch_identity_key_cert_pairs_import
 typedef void(*grpc_tls_credentials_options_set_identity_cert_name_type)(grpc_tls_credentials_options* options, const char* identity_cert_name);
 extern grpc_tls_credentials_options_set_identity_cert_name_type grpc_tls_credentials_options_set_identity_cert_name_import;
 #define grpc_tls_credentials_options_set_identity_cert_name grpc_tls_credentials_options_set_identity_cert_name_import
 typedef void(*grpc_tls_credentials_options_set_server_authorization_check_config_type)(grpc_tls_credentials_options* options, grpc_tls_server_authorization_check_config* config);
 extern grpc_tls_credentials_options_set_server_authorization_check_config_type grpc_tls_credentials_options_set_server_authorization_check_config_import;
 #define grpc_tls_credentials_options_set_server_authorization_check_config grpc_tls_credentials_options_set_server_authorization_check_config_import
 typedef grpc_tls_key_materials_config*(*grpc_tls_key_materials_config_create_type)(void);
 extern grpc_tls_key_materials_config_create_type grpc_tls_key_materials_config_create_import;
 #define grpc_tls_key_materials_config_create grpc_tls_key_materials_config_create_import
 typedef int(*grpc_tls_key_materials_config_set_key_materials_type)(grpc_tls_key_materials_config* config, const char* pem_root_certs, const grpc_ssl_pem_key_cert_pair** pem_key_cert_pairs, size_t num_key_cert_pairs);
 extern grpc_tls_key_materials_config_set_key_materials_type grpc_tls_key_materials_config_set_key_materials_import;
 #define grpc_tls_key_materials_config_set_key_materials grpc_tls_key_materials_config_set_key_materials_import
 typedef int(*grpc_tls_key_materials_config_set_version_type)(grpc_tls_key_materials_config* config, int version);
 extern grpc_tls_key_materials_config_set_version_type grpc_tls_key_materials_config_set_version_import;
 #define grpc_tls_key_materials_config_set_version grpc_tls_key_materials_config_set_version_import
 typedef int(*grpc_tls_key_materials_config_get_version_type)(grpc_tls_key_materials_config* config);
 extern grpc_tls_key_materials_config_get_version_type grpc_tls_key_materials_config_get_version_import;
 #define grpc_tls_key_materials_config_get_version grpc_tls_key_materials_config_get_version_import
 typedef grpc_tls_credential_reload_config*(*grpc_tls_credential_reload_config_create_type)(const void* config_user_data, int (*schedule)(void* config_user_data, grpc_tls_credential_reload_arg* arg), void (*cancel)(void* config_user_data, grpc_tls_credential_reload_arg* arg), void (*destruct)(void* config_user_data));
 extern grpc_tls_credential_reload_config_create_type grpc_tls_credential_reload_config_create_import;
 #define grpc_tls_credential_reload_config_create grpc_tls_credential_reload_config_create_import
 typedef grpc_tls_server_authorization_check_config*(*grpc_tls_server_authorization_check_config_create_type)(const void* config_user_data, int (*schedule)(void* config_user_data, grpc_tls_server_authorization_check_arg* arg), void (*cancel)(void* config_user_data, grpc_tls_server_authorization_check_arg* arg), void (*destruct)(void* config_user_data));
 extern grpc_tls_server_authorization_check_config_create_type grpc_tls_server_authorization_check_config_create_import;
 #define grpc_tls_server_authorization_check_config_create grpc_tls_server_authorization_check_config_create_import
 typedef void(*grpc_tls_server_authorization_check_config_release_type)(grpc_tls_server_authorization_check_config* config);
 extern grpc_tls_server_authorization_check_config_release_type grpc_tls_server_authorization_check_config_release_import;
 #define grpc_tls_server_authorization_check_config_release grpc_tls_server_authorization_check_config_release_import
 typedef grpc_channel_credentials*(*grpc_xds_credentials_create_type)(grpc_channel_credentials* fallback_credentials);
 extern grpc_xds_credentials_create_type grpc_xds_credentials_create_import;
 #define grpc_xds_credentials_create grpc_xds_credentials_create_import
--- a/test/core/end2end/fixtures/h2_tls.cc
+++ b/test/core/end2end/fixtures/h2_tls.cc
@ -50,10 +50,14 @@ struct fullstack_secure_fixture_data {
    for (size_t ind = 0; ind < thd_list.size(); ind++) {
      thd_list[ind].Join();
    }
    grpc_tls_certificate_provider_release(client_provider);
    grpc_tls_certificate_provider_release(server_provider);
  }
  std::string localaddr;
  grpc_tls_version tls_version;
  ThreadList thd_list;
  grpc_tls_certificate_provider* client_provider = nullptr;
  grpc_tls_certificate_provider* server_provider = nullptr;
 };
 static grpc_end2end_test_fixture chttp2_create_fixture_secure_fullstack(
@ -65,9 +69,35 @@ static grpc_end2end_test_fixture chttp2_create_fixture_secure_fullstack(
  memset(&f, 0, sizeof(f));
  ffd->localaddr = grpc_core::JoinHostPort("localhost", port);
  ffd->tls_version = tls_version;
  grpc_slice root_slice, cert_slice, key_slice;
  GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
                               grpc_load_file(CA_CERT_PATH, 1, &root_slice)));
  std::string root_cert =
      std::string(grpc_core::StringViewFromSlice(root_slice));
  GPR_ASSERT(GRPC_LOG_IF_ERROR(
      "load_file", grpc_load_file(SERVER_CERT_PATH, 1, &cert_slice)));
  std::string identity_cert =
      std::string(grpc_core::StringViewFromSlice(cert_slice));
  GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
                               grpc_load_file(SERVER_KEY_PATH, 1, &key_slice)));
  std::string private_key =
      std::string(grpc_core::StringViewFromSlice(key_slice));
  grpc_tls_identity_pairs* client_pairs = grpc_tls_identity_pairs_create();
  grpc_tls_identity_pairs_add_pair(client_pairs, private_key.c_str(),
                                   identity_cert.c_str());
  ffd->client_provider = grpc_tls_certificate_provider_static_data_create(
      root_cert.c_str(), client_pairs);
  grpc_tls_identity_pairs* server_pairs = grpc_tls_identity_pairs_create();
  grpc_tls_identity_pairs_add_pair(server_pairs, private_key.c_str(),
                                   identity_cert.c_str());
  ffd->server_provider = grpc_tls_certificate_provider_static_data_create(
      root_cert.c_str(), server_pairs);
  f.fixture_data = ffd;
  f.cq = grpc_completion_queue_create_for_next(nullptr);
  f.shutdown_cq = grpc_completion_queue_create_for_pluck(nullptr);
  grpc_slice_unref(root_slice);
  grpc_slice_unref(cert_slice);
  grpc_slice_unref(key_slice);
  return f;
 }
@ -151,82 +181,6 @@ static int server_authz_check_async(
  return 1;
 }
 // Synchronous implementation of schedule field in
 // grpc_tls_credential_reload_config instance that is a part of client-side
 // grpc_tls_credentials_options instance.
 static int client_cred_reload_sync(void* /*config_user_data*/,
                                   grpc_tls_credential_reload_arg* arg) {
  if (!arg->key_materials_config->pem_key_cert_pair_list().empty()) {
    arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
    return 0;
  }
  grpc_slice ca_slice, cert_slice, key_slice;
  GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
                               grpc_load_file(CA_CERT_PATH, 1, &ca_slice)));
  GPR_ASSERT(GRPC_LOG_IF_ERROR(
      "load_file", grpc_load_file(SERVER_CERT_PATH, 1, &cert_slice)));
  GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
                               grpc_load_file(SERVER_KEY_PATH, 1, &key_slice)));
  const char* ca_cert =
      reinterpret_cast<const char*> GRPC_SLICE_START_PTR(ca_slice);
  const char* server_cert =
      reinterpret_cast<const char*> GRPC_SLICE_START_PTR(cert_slice);
  const char* server_key =
      reinterpret_cast<const char*> GRPC_SLICE_START_PTR(key_slice);
  grpc_ssl_pem_key_cert_pair pem_key_cert_pair = {server_key, server_cert};
  if (arg->key_materials_config->pem_key_cert_pair_list().empty()) {
    const auto* pem_key_cert_pair_ptr = &pem_key_cert_pair;
    grpc_tls_key_materials_config_set_key_materials(
        arg->key_materials_config, ca_cert, &pem_key_cert_pair_ptr, 1);
  }
  // new credential has been reloaded.
  arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW;
  grpc_slice_unref(cert_slice);
  grpc_slice_unref(key_slice);
  grpc_slice_unref(ca_slice);
  return 0;
 }
 // Synchronous implementation of schedule field in
 // grpc_tls_credential_reload_config instance that is a part of server-side
 // grpc_tls_credentials_options instance.
 static int server_cred_reload_sync(void* /*config_user_data*/,
                                   grpc_tls_credential_reload_arg* arg) {
  if (!arg->key_materials_config->pem_key_cert_pair_list().empty()) {
    arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
    return 0;
  }
  grpc_slice ca_slice, cert_slice, key_slice;
  GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
                               grpc_load_file(CA_CERT_PATH, 1, &ca_slice)));
  GPR_ASSERT(GRPC_LOG_IF_ERROR(
      "load_file", grpc_load_file(SERVER_CERT_PATH, 1, &cert_slice)));
  GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
                               grpc_load_file(SERVER_KEY_PATH, 1, &key_slice)));
  const char* ca_cert =
      reinterpret_cast<const char*> GRPC_SLICE_START_PTR(ca_slice);
  const char* server_cert =
      reinterpret_cast<const char*> GRPC_SLICE_START_PTR(cert_slice);
  const char* server_key =
      reinterpret_cast<const char*> GRPC_SLICE_START_PTR(key_slice);
  grpc_ssl_pem_key_cert_pair pem_key_cert_pair = {server_key, server_cert};
  GPR_ASSERT(arg != nullptr);
  GPR_ASSERT(arg->key_materials_config != nullptr);
  GPR_ASSERT(arg->key_materials_config->pem_key_cert_pair_list().data() !=
             nullptr);
  if (arg->key_materials_config->pem_key_cert_pair_list().empty()) {
    const auto* pem_key_cert_pair_ptr = &pem_key_cert_pair;
    grpc_tls_key_materials_config_set_key_materials(
        arg->key_materials_config, ca_cert, &pem_key_cert_pair_ptr, 1);
  }
  // new credential has been reloaded.
  arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW;
  grpc_slice_unref(cert_slice);
  grpc_slice_unref(key_slice);
  grpc_slice_unref(ca_slice);
  return 0;
 }
 // Create a TLS channel credential.
 static grpc_channel_credentials* create_tls_channel_credentials(
    fullstack_secure_fixture_data* ffd) {
@ -234,12 +188,11 @@ static grpc_channel_credentials* create_tls_channel_credentials(
  options->set_server_verification_option(GRPC_TLS_SERVER_VERIFICATION);
  options->set_min_tls_version(ffd->tls_version);
  options->set_max_tls_version(ffd->tls_version);
-  /* Set credential reload config. */
+  // Set credential provider.
-  grpc_tls_credential_reload_config* reload_config =
+  grpc_tls_credentials_options_set_certificate_provider(options,
-      grpc_tls_credential_reload_config_create(nullptr, client_cred_reload_sync,
+                                                        ffd->client_provider);
-                                               nullptr, nullptr);
+  grpc_tls_credentials_options_watch_root_certs(options);
-  grpc_tls_credentials_options_set_credential_reload_config(options,
+  grpc_tls_credentials_options_watch_identity_key_cert_pairs(options);
                                                            reload_config);
  /* Set server authorization check config. */
  grpc_tls_server_authorization_check_config* check_config =
      grpc_tls_server_authorization_check_config_create(
@ -248,6 +201,7 @@ static grpc_channel_credentials* create_tls_channel_credentials(
      options, check_config);
  /* Create TLS channel credentials. */
  grpc_channel_credentials* creds = grpc_tls_credentials_create(options);
  grpc_tls_server_authorization_check_config_release(check_config);
  return creds;
 }
@ -257,12 +211,11 @@ static grpc_server_credentials* create_tls_server_credentials(
  grpc_tls_credentials_options* options = grpc_tls_credentials_options_create();
  options->set_min_tls_version(ffd->tls_version);
  options->set_max_tls_version(ffd->tls_version);
-  /* Set credential reload config. */
+  // Set credential provider.
-  grpc_tls_credential_reload_config* reload_config =
+  grpc_tls_credentials_options_set_certificate_provider(options,
-      grpc_tls_credential_reload_config_create(nullptr, server_cred_reload_sync,
+                                                        ffd->server_provider);
-                                               nullptr, nullptr);
+  grpc_tls_credentials_options_watch_root_certs(options);
-  grpc_tls_credentials_options_set_credential_reload_config(options,
+  grpc_tls_credentials_options_watch_identity_key_cert_pairs(options);
                                                            reload_config);
  /* Set client certificate request type. */
  grpc_tls_credentials_options_set_cert_request_type(
      options, GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
--- a/test/core/security/BUILD
+++ b/test/core/security/BUILD
@ -279,6 +279,10 @@ grpc_cc_test(
    srcs = ["tls_security_connector_test.cc"],
    data = [
        "//src/core/tsi/test_creds:ca.pem",
        "//src/core/tsi/test_creds:multi-domain.key",
        "//src/core/tsi/test_creds:multi-domain.pem",
        "//src/core/tsi/test_creds:server0.key",
        "//src/core/tsi/test_creds:server0.pem",
        "//src/core/tsi/test_creds:server1.key",
        "//src/core/tsi/test_creds:server1.pem",
    ],
--- a/test/core/security/grpc_tls_certificate_distributor_test.cc
+++ b/test/core/security/grpc_tls_certificate_distributor_test.cc
@ -53,8 +53,8 @@ class GrpcTlsCertificateDistributorTest : public ::testing::Test {
  // Forward declaration.
  class TlsCertificatesTestWatcher;
-  static grpc_tls_certificate_distributor::PemKeyCertPairList MakeCertKeyPairs(
+  static grpc_core::PemKeyCertPairList MakeCertKeyPairs(const char* private_key,
-      const char* private_key, const char* certs) {
+                                                        const char* certs) {
    if (strcmp(private_key, "") == 0 && strcmp(certs, "") == 0) {
      return {};
    }
@ -63,7 +63,7 @@ class GrpcTlsCertificateDistributorTest : public ::testing::Test {
            gpr_malloc(sizeof(grpc_ssl_pem_key_cert_pair)));
    ssl_pair->private_key = gpr_strdup(private_key);
    ssl_pair->cert_chain = gpr_strdup(certs);
-    grpc_tls_certificate_distributor::PemKeyCertPairList pem_key_cert_pairs;
+    grpc_core::PemKeyCertPairList pem_key_cert_pairs;
    pem_key_cert_pairs.emplace_back(ssl_pair);
    return pem_key_cert_pairs;
  }
@ -74,10 +74,8 @@ class GrpcTlsCertificateDistributorTest : public ::testing::Test {
  // if the status updates are correct.
  struct CredentialInfo {
    std::string root_certs;
-    grpc_tls_certificate_distributor::PemKeyCertPairList key_cert_pairs;
+    grpc_core::PemKeyCertPairList key_cert_pairs;
-    CredentialInfo(
+    CredentialInfo(std::string root, grpc_core::PemKeyCertPairList key_cert)
        std::string root,
        grpc_tls_certificate_distributor::PemKeyCertPairList key_cert)
        : root_certs(std::move(root)), key_cert_pairs(std::move(key_cert)) {}
    bool operator==(const CredentialInfo& other) const {
      return root_certs == other.root_certs &&
@ -130,13 +128,12 @@ class GrpcTlsCertificateDistributorTest : public ::testing::Test {
    void OnCertificatesChanged(
        absl::optional<absl::string_view> root_certs,
-        absl::optional<grpc_tls_certificate_distributor::PemKeyCertPairList>
+        absl::optional<grpc_core::PemKeyCertPairList> key_cert_pairs) override {
            key_cert_pairs) override {
      std::string updated_root;
      if (root_certs.has_value()) {
        updated_root = std::string(*root_certs);
      }
-      grpc_tls_certificate_distributor::PemKeyCertPairList updated_identity;
+      grpc_core::PemKeyCertPairList updated_identity;
      if (key_cert_pairs.has_value()) {
        updated_identity = std::move(*key_cert_pairs);
      }
--- a/test/core/security/grpc_tls_credentials_options_test.cc
+++ b/test/core/security/grpc_tls_credentials_options_test.cc
@ -33,56 +33,6 @@
 namespace testing {
 static void SetKeyMaterials(grpc_tls_key_materials_config* config) {
  grpc_slice ca_slice, cert_slice, key_slice;
  GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
                               grpc_load_file(CA_CERT_PATH, 1, &ca_slice)));
  GPR_ASSERT(GRPC_LOG_IF_ERROR(
      "load_file", grpc_load_file(SERVER_CERT_PATH, 1, &cert_slice)));
  GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
                               grpc_load_file(SERVER_KEY_PATH, 1, &key_slice)));
  const char* ca_cert =
      reinterpret_cast<const char*> GRPC_SLICE_START_PTR(ca_slice);
  const char* server_cert =
      reinterpret_cast<const char*> GRPC_SLICE_START_PTR(cert_slice);
  const char* server_key =
      reinterpret_cast<const char*> GRPC_SLICE_START_PTR(key_slice);
  grpc_ssl_pem_key_cert_pair pem_key_cert_pair = {server_key, server_cert};
  const auto* pem_key_cert_pair_ptr = &pem_key_cert_pair;
  grpc_tls_key_materials_config_set_key_materials(config, ca_cert,
                                                  &pem_key_cert_pair_ptr, 1);
  grpc_slice_unref(cert_slice);
  grpc_slice_unref(key_slice);
  grpc_slice_unref(ca_slice);
 }
 TEST(GrpcTlsCredentialsOptionsTest, SetKeyMaterials) {
  grpc_tls_key_materials_config* config =
      grpc_tls_key_materials_config_create();
  SetKeyMaterials(config);
  grpc_slice ca_slice, cert_slice, key_slice;
  GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
                               grpc_load_file(CA_CERT_PATH, 1, &ca_slice)));
  GPR_ASSERT(GRPC_LOG_IF_ERROR(
      "load_file", grpc_load_file(SERVER_CERT_PATH, 1, &cert_slice)));
  GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
                               grpc_load_file(SERVER_KEY_PATH, 1, &key_slice)));
  const char* ca_cert =
      reinterpret_cast<const char*> GRPC_SLICE_START_PTR(ca_slice);
  const char* server_cert =
      reinterpret_cast<const char*> GRPC_SLICE_START_PTR(cert_slice);
  const char* server_key =
      reinterpret_cast<const char*> GRPC_SLICE_START_PTR(key_slice);
  EXPECT_STREQ(config->pem_root_certs(), ca_cert);
  EXPECT_EQ(config->pem_key_cert_pair_list().size(), 1);
  EXPECT_STREQ(config->pem_key_cert_pair_list()[0].private_key(), server_key);
  EXPECT_STREQ(config->pem_key_cert_pair_list()[0].cert_chain(), server_cert);
  grpc_slice_unref(cert_slice);
  grpc_slice_unref(key_slice);
  grpc_slice_unref(ca_slice);
  delete config;
 }
 TEST(GrpcTlsCredentialsOptionsTest, ErrorDetails) {
  grpc_tls_error_details error_details;
  EXPECT_STREQ(error_details.error_details().c_str(), "");
--- a/test/core/security/tls_security_connector_test.cc
+++ b/test/core/security/tls_security_connector_test.cc
@ -27,253 +27,282 @@
 #include <string.h>
 #include "src/core/lib/iomgr/load_file.h"
 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
 #include "src/core/lib/security/credentials/tls/tls_credentials.h"
 #include "src/core/tsi/transport_security.h"
 #include "test/core/util/test_config.h"
 #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem"
-#define SERVER_CERT_PATH "src/core/tsi/test_creds/server1.pem"
+#define CLIENT_CERT_PATH "src/core/tsi/test_creds/multi-domain.pem"
-#define SERVER_KEY_PATH "src/core/tsi/test_creds/server1.key"
+#define SERVER_CERT_PATH_0 "src/core/tsi/test_creds/server0.pem"
-
+#define SERVER_KEY_PATH_0 "src/core/tsi/test_creds/server0.key"
-namespace {
+#define SERVER_CERT_PATH_1 "src/core/tsi/test_creds/server1.pem"
-
+#define SERVER_KEY_PATH_1 "src/core/tsi/test_creds/server1.key"
 enum CredReloadResult { FAIL, SUCCESS, UNCHANGED, ASYNC };
 void SetKeyMaterials(grpc_tls_key_materials_config* config) {
  grpc_slice ca_slice, cert_slice, key_slice;
  GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
                               grpc_load_file(CA_CERT_PATH, 1, &ca_slice)));
  GPR_ASSERT(GRPC_LOG_IF_ERROR(
      "load_file", grpc_load_file(SERVER_CERT_PATH, 1, &cert_slice)));
  GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
                               grpc_load_file(SERVER_KEY_PATH, 1, &key_slice)));
  const char* ca_cert =
      reinterpret_cast<const char*> GRPC_SLICE_START_PTR(ca_slice);
  const char* server_cert =
      reinterpret_cast<const char*> GRPC_SLICE_START_PTR(cert_slice);
  const char* server_key =
      reinterpret_cast<const char*> GRPC_SLICE_START_PTR(key_slice);
  grpc_ssl_pem_key_cert_pair pem_key_cert_pair = {server_key, server_cert};
  const auto* pem_key_cert_pair_ptr = &pem_key_cert_pair;
  grpc_tls_key_materials_config_set_key_materials(config, ca_cert,
                                                  &pem_key_cert_pair_ptr, 1);
  grpc_slice_unref(cert_slice);
  grpc_slice_unref(key_slice);
  grpc_slice_unref(ca_slice);
 }
 int CredReloadSuccess(void* /*config_user_data*/,
                      grpc_tls_credential_reload_arg* arg) {
  SetKeyMaterials(arg->key_materials_config);
  arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW;
  return 0;
 }
 int CredReloadFail(void* /*config_user_data*/,
                   grpc_tls_credential_reload_arg* arg) {
  arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL;
  return 0;
 }
 int CredReloadUnchanged(void* /*config_user_data*/,
                        grpc_tls_credential_reload_arg* arg) {
  arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
  return 0;
 }
 int CredReloadAsync(void* /*config_user_data*/,
                    grpc_tls_credential_reload_arg* /*arg*/) {
  return 1;
 }
 }  // namespace
 namespace grpc {
 namespace testing {
 constexpr const char* kRootCertName = "root_cert_name";
 constexpr const char* kIdentityCertName = "identity_cert_name";
 constexpr const char* kErrorMessage = "error_message";
 constexpr const char* kTargetName = "some_target";
 class TlsSecurityConnectorTest : public ::testing::Test {
 protected:
  TlsSecurityConnectorTest() {}
  void SetUp() override {
-    options_ = grpc_tls_credentials_options_create()->Ref();
+    grpc_slice ca_slice_1, ca_slice_0, cert_slice_1, key_slice_1, cert_slice_0,
-    config_ = grpc_tls_key_materials_config_create()->Ref();
+        key_slice_0;
-  }
+    GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
-  void TearDown() override { config_->Unref(); }
+                                 grpc_load_file(CA_CERT_PATH, 1, &ca_slice_1)));
-  // Set credential reload config in options.
+    GPR_ASSERT(GRPC_LOG_IF_ERROR(
-  void SetOptions(CredReloadResult type) {
+        "load_file", grpc_load_file(CLIENT_CERT_PATH, 1, &ca_slice_0)));
-    grpc_tls_credential_reload_config* reload_config = nullptr;
+    GPR_ASSERT(GRPC_LOG_IF_ERROR(
-    switch (type) {
+        "load_file", grpc_load_file(SERVER_CERT_PATH_1, 1, &cert_slice_1)));
-      case SUCCESS:
+    GPR_ASSERT(GRPC_LOG_IF_ERROR(
-        reload_config = grpc_tls_credential_reload_config_create(
+        "load_file", grpc_load_file(SERVER_KEY_PATH_1, 1, &key_slice_1)));
-            nullptr, CredReloadSuccess, nullptr, nullptr);
+    GPR_ASSERT(GRPC_LOG_IF_ERROR(
-        break;
+        "load_file", grpc_load_file(SERVER_CERT_PATH_0, 1, &cert_slice_0)));
-      case FAIL:
+    GPR_ASSERT(GRPC_LOG_IF_ERROR(
-        reload_config = grpc_tls_credential_reload_config_create(
+        "load_file", grpc_load_file(SERVER_KEY_PATH_0, 1, &key_slice_0)));
-            nullptr, CredReloadFail, nullptr, nullptr);
+    root_cert_1_ = std::string(grpc_core::StringViewFromSlice(ca_slice_1));
-        break;
+    root_cert_0_ = std::string(grpc_core::StringViewFromSlice(ca_slice_0));
-      case UNCHANGED:
+    std::string identity_key_1 =
-        reload_config = grpc_tls_credential_reload_config_create(
+        std::string(grpc_core::StringViewFromSlice(key_slice_1));
-            nullptr, CredReloadUnchanged, nullptr, nullptr);
+    std::string identity_key_0 =
-        break;
+        std::string(grpc_core::StringViewFromSlice(key_slice_0));
-      case ASYNC:
+    std::string identity_cert_1 =
-        reload_config = grpc_tls_credential_reload_config_create(
+        std::string(grpc_core::StringViewFromSlice(cert_slice_1));
-            nullptr, CredReloadAsync, nullptr, nullptr);
+    std::string identity_cert_0 =
-        break;
+        std::string(grpc_core::StringViewFromSlice(cert_slice_0));
-      default:
+    grpc_ssl_pem_key_cert_pair* ssl_pair_1 =
-        break;
+        static_cast<grpc_ssl_pem_key_cert_pair*>(
-    }
+            gpr_malloc(sizeof(grpc_ssl_pem_key_cert_pair)));
-    grpc_tls_credentials_options_set_credential_reload_config(options_.get(),
+    ssl_pair_1->private_key = gpr_strdup(identity_key_1.c_str());
-                                                              reload_config);
+    ssl_pair_1->cert_chain = gpr_strdup(identity_cert_1.c_str());
    identity_pairs_1_.emplace_back(ssl_pair_1);
    grpc_ssl_pem_key_cert_pair* ssl_pair_0 =
        static_cast<grpc_ssl_pem_key_cert_pair*>(
            gpr_malloc(sizeof(grpc_ssl_pem_key_cert_pair)));
    ssl_pair_0->private_key = gpr_strdup(identity_key_0.c_str());
    ssl_pair_0->cert_chain = gpr_strdup(identity_cert_0.c_str());
    identity_pairs_0_.emplace_back(ssl_pair_0);
    grpc_slice_unref(ca_slice_1);
    grpc_slice_unref(ca_slice_0);
    grpc_slice_unref(cert_slice_1);
    grpc_slice_unref(key_slice_1);
    grpc_slice_unref(cert_slice_0);
    grpc_slice_unref(key_slice_0);
  }
  // Set key materials config.
  void SetKeyMaterialsConfig() { SetKeyMaterials(config_.get()); }
  grpc_core::RefCountedPtr<grpc_tls_credentials_options> options_;
  grpc_core::RefCountedPtr<grpc_tls_key_materials_config> config_;
 };
-TEST_F(TlsSecurityConnectorTest, NoKeysAndConfig) {
+  void TearDown() override {}
  grpc_ssl_certificate_config_reload_status reload_status;
  grpc_status_code status =
      TlsFetchKeyMaterials(config_, *options_, true, &reload_status);
  EXPECT_EQ(status, GRPC_STATUS_FAILED_PRECONDITION);
  options_->Unref();
 }
-TEST_F(TlsSecurityConnectorTest, NoKeysAndConfigAsAClient) {
+  std::string root_cert_1_;
-  grpc_ssl_certificate_config_reload_status reload_status;
+  std::string root_cert_0_;
-  grpc_status_code status =
+  grpc_core::PemKeyCertPairList identity_pairs_1_;
-      TlsFetchKeyMaterials(config_, *options_, false, &reload_status);
+  grpc_core::PemKeyCertPairList identity_pairs_0_;
-  EXPECT_EQ(status, GRPC_STATUS_OK);
+};
  options_->Unref();
 }
 TEST_F(TlsSecurityConnectorTest, NoKeySuccessReload) {
  grpc_ssl_certificate_config_reload_status reload_status;
  SetOptions(SUCCESS);
  grpc_status_code status =
      TlsFetchKeyMaterials(config_, *options_, true, &reload_status);
  EXPECT_EQ(status, GRPC_STATUS_OK);
  EXPECT_EQ(reload_status, GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW);
  options_->Unref();
 }
 TEST_F(TlsSecurityConnectorTest, NoKeyFailReload) {
  grpc_ssl_certificate_config_reload_status reload_status;
  SetOptions(FAIL);
  grpc_status_code status =
      TlsFetchKeyMaterials(config_, *options_, true, &reload_status);
  EXPECT_EQ(status, GRPC_STATUS_INTERNAL);
  EXPECT_EQ(reload_status, GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL);
  options_->Unref();
 }
 TEST_F(TlsSecurityConnectorTest, NoKeyAsyncReload) {
  grpc_ssl_certificate_config_reload_status reload_status =
      GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
  SetOptions(ASYNC);
  grpc_status_code status =
      TlsFetchKeyMaterials(config_, *options_, true, &reload_status);
  EXPECT_EQ(status, GRPC_STATUS_UNIMPLEMENTED);
  EXPECT_EQ(reload_status, GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED);
  options_->Unref();
 }
 TEST_F(TlsSecurityConnectorTest, NoKeyUnchangedReload) {
  grpc_ssl_certificate_config_reload_status reload_status =
      GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
  SetOptions(UNCHANGED);
  grpc_status_code status =
      TlsFetchKeyMaterials(config_, *options_, true, &reload_status);
  EXPECT_EQ(status, GRPC_STATUS_OK);
  EXPECT_EQ(reload_status, GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED);
  options_->Unref();
 }
-TEST_F(TlsSecurityConnectorTest, WithKeyNoReload) {
+class TlsTestCertificateProvider : public ::grpc_tls_certificate_provider {
-  grpc_ssl_certificate_config_reload_status reload_status =
+ public:
-      GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
+  explicit TlsTestCertificateProvider(
-  SetKeyMaterialsConfig();
+      grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor)
-  grpc_status_code status =
+      : distributor_(std::move(distributor)) {}
-      TlsFetchKeyMaterials(config_, *options_, true, &reload_status);
+  ~TlsTestCertificateProvider() override {}
-  EXPECT_EQ(status, GRPC_STATUS_OK);
+  grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor()
-  options_->Unref();
+      const override {
-}
+    return distributor_;
  }
-TEST_F(TlsSecurityConnectorTest, WithKeySuccessReload) {
+ private:
-  grpc_ssl_certificate_config_reload_status reload_status;
+  grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
-  SetOptions(SUCCESS);
+};
  SetKeyMaterialsConfig();
  grpc_status_code status =
      TlsFetchKeyMaterials(config_, *options_, true, &reload_status);
  EXPECT_EQ(status, GRPC_STATUS_OK);
  EXPECT_EQ(reload_status, GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW);
  options_->Unref();
 }
-TEST_F(TlsSecurityConnectorTest, WithKeyFailReload) {
+// Tests for ChannelSecurityConnector.
-  grpc_ssl_certificate_config_reload_status reload_status;
+TEST_F(TlsSecurityConnectorTest,
-  SetOptions(FAIL);
+       RootAndIdentityCertsObtainedWhenCreateChannelSecurityConnector) {
-  SetKeyMaterialsConfig();
+  grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
-  grpc_status_code status =
+      grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
-      TlsFetchKeyMaterials(config_, *options_, true, &reload_status);
+  distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
-  EXPECT_EQ(status, GRPC_STATUS_OK);
+  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
-  EXPECT_EQ(reload_status, GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL);
+                               identity_pairs_0_);
-  options_->Unref();
+  grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
      grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
  grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
      grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
  options->set_certificate_provider(provider);
  options->set_watch_root_cert(true);
  options->set_watch_identity_pair(true);
  options->set_root_cert_name(kRootCertName);
  options->set_identity_cert_name(kIdentityCertName);
  grpc_core::RefCountedPtr<TlsCredentials> credential =
      grpc_core::MakeRefCounted<TlsCredentials>(options);
  grpc_channel_args* new_args = nullptr;
  grpc_core::RefCountedPtr<grpc_channel_security_connector> connector =
      credential->create_security_connector(nullptr, kTargetName, nullptr,
                                            &new_args);
  EXPECT_NE(connector, nullptr);
  grpc_core::TlsChannelSecurityConnector* tls_connector =
      static_cast<grpc_core::TlsChannelSecurityConnector*>(connector.get());
  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
  distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
                               identity_pairs_1_);
  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_1_);
  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_1_);
  grpc_channel_args_destroy(new_args);
 }
-TEST_F(TlsSecurityConnectorTest, WithKeyAsyncReload) {
+// Note that on client side, we don't have tests watching identity certs only,
-  grpc_ssl_certificate_config_reload_status reload_status =
+// because in TLS, the trust certs should always be presented. If we don't
-      GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
+// provide, it will try to load certs from some default system locations, and
-  SetOptions(ASYNC);
+// will hence fail on some systems.
-  SetKeyMaterialsConfig();
+TEST_F(TlsSecurityConnectorTest,
-  grpc_status_code status =
+       RootCertsObtainedWhenCreateChannelSecurityConnector) {
-      TlsFetchKeyMaterials(config_, *options_, true, &reload_status);
+  grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
-  EXPECT_EQ(status, GRPC_STATUS_OK);
+      grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
-  EXPECT_EQ(reload_status, GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED);
+  distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
-  options_->Unref();
+  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
                               identity_pairs_0_);
  grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
      grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
  // Create options only watching for root certificates.
  grpc_core::RefCountedPtr<grpc_tls_credentials_options> root_options =
      grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
  root_options->set_certificate_provider(provider);
  root_options->set_watch_root_cert(true);
  root_options->set_root_cert_name(kRootCertName);
  grpc_core::RefCountedPtr<TlsCredentials> root_credential =
      grpc_core::MakeRefCounted<TlsCredentials>(root_options);
  grpc_channel_args* root_new_args = nullptr;
  grpc_core::RefCountedPtr<grpc_channel_security_connector> root_connector =
      root_credential->create_security_connector(nullptr, "some_target",
                                                 nullptr, &root_new_args);
  EXPECT_NE(root_connector, nullptr);
  grpc_core::TlsChannelSecurityConnector* tls_root_connector =
      static_cast<grpc_core::TlsChannelSecurityConnector*>(
          root_connector.get());
  EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
  EXPECT_EQ(tls_root_connector->RootCertsForTesting(), root_cert_0_);
  distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
  EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
  EXPECT_EQ(tls_root_connector->RootCertsForTesting(), root_cert_1_);
  grpc_channel_args_destroy(root_new_args);
 }
-TEST_F(TlsSecurityConnectorTest, WithKeyUnchangedReload) {
+TEST_F(TlsSecurityConnectorTest,
-  grpc_ssl_certificate_config_reload_status reload_status =
+       CertPartiallyObtainedWhenCreateChannelSecurityConnector) {
-      GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
+  grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
-  SetOptions(UNCHANGED);
+      grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
-  SetKeyMaterialsConfig();
+  distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
-  grpc_status_code status =
+  grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
-      TlsFetchKeyMaterials(config_, *options_, true, &reload_status);
+      grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
-  EXPECT_EQ(status, GRPC_STATUS_OK);
+  // Registered the options watching both certs, but only root certs are
-  EXPECT_EQ(reload_status, GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED);
+  // available at distributor right now.
-  options_->Unref();
+  grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
      grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
  options->set_certificate_provider(provider);
  options->set_watch_root_cert(true);
  options->set_watch_identity_pair(true);
  options->set_root_cert_name(kRootCertName);
  options->set_identity_cert_name(kIdentityCertName);
  grpc_core::RefCountedPtr<TlsCredentials> credential =
      grpc_core::MakeRefCounted<TlsCredentials>(options);
  grpc_channel_args* new_args = nullptr;
  grpc_core::RefCountedPtr<grpc_channel_security_connector> connector =
      credential->create_security_connector(nullptr, kTargetName, nullptr,
                                            &new_args);
  EXPECT_NE(connector, nullptr);
  grpc_core::TlsChannelSecurityConnector* tls_connector =
      static_cast<grpc_core::TlsChannelSecurityConnector*>(connector.get());
  // The client_handshaker_factory_ shouldn't be updated.
  EXPECT_EQ(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
  // After updating the root certs, the client_handshaker_factory_ should be
  // updated.
  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
                               identity_pairs_0_);
  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
  grpc_channel_args_destroy(new_args);
 }
-TEST_F(TlsSecurityConnectorTest, CreateChannelSecurityConnectorSuccess) {
+TEST_F(TlsSecurityConnectorTest,
-  SetOptions(SUCCESS);
+       DistributorHasErrorForChannelSecurityConnector) {
-  auto cred = std::unique_ptr<grpc_channel_credentials>(
+  grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
-      grpc_tls_credentials_create(options_.get()));
+      grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
-  const char* target_name = "some_target";
+  distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
                               identity_pairs_0_);
  grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
      grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
  grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
      grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
  options->set_certificate_provider(provider);
  options->set_watch_root_cert(true);
  options->set_watch_identity_pair(true);
  options->set_root_cert_name(kRootCertName);
  options->set_identity_cert_name(kIdentityCertName);
  grpc_core::RefCountedPtr<TlsCredentials> credential =
      grpc_core::MakeRefCounted<TlsCredentials>(options);
  grpc_channel_args* new_args = nullptr;
-  auto connector =
+  grpc_core::RefCountedPtr<grpc_channel_security_connector> connector =
-      cred->create_security_connector(nullptr, target_name, nullptr, &new_args);
+      credential->create_security_connector(nullptr, kTargetName, nullptr,
                                            &new_args);
  EXPECT_NE(connector, nullptr);
  grpc_core::TlsChannelSecurityConnector* tls_connector =
      static_cast<grpc_core::TlsChannelSecurityConnector*>(connector.get());
  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
  // Calling SetErrorForCert on distributor shouldn't invalidate the previous
  // valid credentials.
  distributor->SetErrorForCert(
      kRootCertName, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage),
      absl::nullopt);
  distributor->SetErrorForCert(
      kIdentityCertName, absl::nullopt,
      GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage));
  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
  grpc_channel_args_destroy(new_args);
 }
 TEST_F(TlsSecurityConnectorTest,
       CreateChannelSecurityConnectorFailNoTargetName) {
-  SetOptions(SUCCESS);
+  grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
-  auto cred = std::unique_ptr<grpc_channel_credentials>(
+      grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
-      grpc_tls_credentials_create(options_.get()));
+  grpc_core::RefCountedPtr<TlsCredentials> credential =
      grpc_core::MakeRefCounted<TlsCredentials>(options);
  grpc_channel_args* new_args = nullptr;
  grpc_core::RefCountedPtr<grpc_channel_security_connector> connector =
      credential->create_security_connector(nullptr, nullptr, nullptr,
                                            &new_args);
  EXPECT_EQ(connector, nullptr);
 }
 TEST_F(TlsSecurityConnectorTest,
       CreateChannelSecurityConnectorFailNoCredentials) {
  auto connector =
-      cred->create_security_connector(nullptr, nullptr, nullptr, &new_args);
+      grpc_core::TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
          nullptr, grpc_core::MakeRefCounted<grpc_tls_credentials_options>(),
          nullptr, kTargetName, nullptr, nullptr);
  EXPECT_EQ(connector, nullptr);
 }
-TEST_F(TlsSecurityConnectorTest, CreateChannelSecurityConnectorFailInit) {
+TEST_F(TlsSecurityConnectorTest, CreateChannelSecurityConnectorFailNoOptions) {
-  SetOptions(FAIL);
+  grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
-  auto cred = std::unique_ptr<grpc_channel_credentials>(
+      grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
-      grpc_tls_credentials_create(options_.get()));
+  grpc_core::RefCountedPtr<TlsCredentials> credential =
-  grpc_channel_args* new_args = nullptr;
+      grpc_core::MakeRefCounted<TlsCredentials>(options);
  auto connector =
-      cred->create_security_connector(nullptr, nullptr, nullptr, &new_args);
+      grpc_core::TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
          credential, nullptr, nullptr, kTargetName, nullptr, nullptr);
  EXPECT_EQ(connector, nullptr);
 }
@ -284,11 +313,10 @@ TEST_F(TlsSecurityConnectorTest, TlsCheckHostNameSuccess) {
  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
                 TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, target_name,
                 &peer.properties[0]) == TSI_OK);
-  grpc_error* error = grpc_core::TlsCheckHostName(target_name, &peer);
+  grpc_error* error = grpc_core::internal::TlsCheckHostName(target_name, &peer);
  tsi_peer_destruct(&peer);
  EXPECT_EQ(error, GRPC_ERROR_NONE);
  GRPC_ERROR_UNREF(error);
  options_->Unref();
 }
 TEST_F(TlsSecurityConnectorTest, TlsCheckHostNameFail) {
@ -299,26 +327,176 @@ TEST_F(TlsSecurityConnectorTest, TlsCheckHostNameFail) {
  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
                 TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, another_name,
                 &peer.properties[0]) == TSI_OK);
-  grpc_error* error = grpc_core::TlsCheckHostName(target_name, &peer);
+  grpc_error* error = grpc_core::internal::TlsCheckHostName(target_name, &peer);
  tsi_peer_destruct(&peer);
  EXPECT_NE(error, GRPC_ERROR_NONE);
  GRPC_ERROR_UNREF(error);
  options_->Unref();
 }
-TEST_F(TlsSecurityConnectorTest, CreateServerSecurityConnectorSuccess) {
+// Tests for ServerSecurityConnector.
-  SetOptions(SUCCESS);
+TEST_F(TlsSecurityConnectorTest,
-  auto cred = std::unique_ptr<grpc_server_credentials>(
+       RootAndIdentityCertsObtainedWhenCreateServerSecurityConnector) {
-      grpc_tls_server_credentials_create(options_.get()));
+  grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
-  auto connector = cred->create_security_connector();
+      grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
  distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
                               identity_pairs_0_);
  grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
      grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
  grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
      grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
  options->set_certificate_provider(provider);
  options->set_watch_root_cert(true);
  options->set_watch_identity_pair(true);
  options->set_root_cert_name(kRootCertName);
  options->set_identity_cert_name(kIdentityCertName);
  grpc_core::RefCountedPtr<TlsServerCredentials> credential =
      grpc_core::MakeRefCounted<TlsServerCredentials>(options);
  grpc_core::RefCountedPtr<grpc_server_security_connector> connector =
      credential->create_security_connector();
  EXPECT_NE(connector, nullptr);
  grpc_core::TlsServerSecurityConnector* tls_connector =
      static_cast<grpc_core::TlsServerSecurityConnector*>(connector.get());
  EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
  distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
                               identity_pairs_1_);
  EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_1_);
  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_1_);
 }
 // Note that on server side, we don't have tests watching root certs only,
 // because in TLS, the identity certs should always be presented. If we don't
 // provide, it will try to load certs from some default system locations, and
 // will hence fail on some systems.
 TEST_F(TlsSecurityConnectorTest,
       IdentityCertsObtainedWhenCreateServerSecurityConnector) {
  grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
      grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
  distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
                               identity_pairs_0_);
  grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
      grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
  // Create options only watching for identity certificates.
  grpc_core::RefCountedPtr<grpc_tls_credentials_options> identity_options =
      grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
  identity_options->set_certificate_provider(provider);
  identity_options->set_watch_identity_pair(true);
  identity_options->set_identity_cert_name(kIdentityCertName);
  grpc_core::RefCountedPtr<TlsServerCredentials> identity_credential =
      grpc_core::MakeRefCounted<TlsServerCredentials>(identity_options);
  grpc_core::RefCountedPtr<grpc_server_security_connector> identity_connector =
      identity_credential->create_security_connector();
  EXPECT_NE(identity_connector, nullptr);
  grpc_core::TlsServerSecurityConnector* tls_identity_connector =
      static_cast<grpc_core::TlsServerSecurityConnector*>(
          identity_connector.get());
  EXPECT_NE(tls_identity_connector->ServerHandshakerFactoryForTesting(),
            nullptr);
  EXPECT_EQ(tls_identity_connector->KeyCertPairListForTesting(),
            identity_pairs_0_);
  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
                               identity_pairs_1_);
  EXPECT_NE(tls_identity_connector->ServerHandshakerFactoryForTesting(),
            nullptr);
  EXPECT_EQ(tls_identity_connector->KeyCertPairListForTesting(),
            identity_pairs_1_);
 }
 TEST_F(TlsSecurityConnectorTest,
       CertPartiallyObtainedWhenCreateServerSecurityConnector) {
  grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
      grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
                               identity_pairs_0_);
  grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
      grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
  // Registered the options watching both certs, but only root certs are
  // available at distributor right now.
  grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
      grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
  options->set_certificate_provider(provider);
  options->set_watch_root_cert(true);
  options->set_watch_identity_pair(true);
  options->set_root_cert_name(kRootCertName);
  options->set_identity_cert_name(kIdentityCertName);
  grpc_core::RefCountedPtr<TlsServerCredentials> credential =
      grpc_core::MakeRefCounted<TlsServerCredentials>(options);
  grpc_core::RefCountedPtr<grpc_server_security_connector> connector =
      credential->create_security_connector();
  EXPECT_NE(connector, nullptr);
  grpc_core::TlsServerSecurityConnector* tls_connector =
      static_cast<grpc_core::TlsServerSecurityConnector*>(connector.get());
  // The server_handshaker_factory_ shouldn't be updated.
  EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
  // After updating the root certs, the server_handshaker_factory_ should be
  // updated.
  distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
  EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
 }
 TEST_F(TlsSecurityConnectorTest,
       DistributorHasErrorForServerSecurityConnector) {
  grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
      grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
  distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
                               identity_pairs_0_);
  grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
      grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
  grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
      grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
  options->set_certificate_provider(provider);
  options->set_watch_root_cert(true);
  options->set_watch_identity_pair(true);
  options->set_root_cert_name(kRootCertName);
  options->set_identity_cert_name(kIdentityCertName);
  grpc_core::RefCountedPtr<TlsServerCredentials> credential =
      grpc_core::MakeRefCounted<TlsServerCredentials>(options);
  grpc_core::RefCountedPtr<grpc_server_security_connector> connector =
      credential->create_security_connector();
  EXPECT_NE(connector, nullptr);
  grpc_core::TlsServerSecurityConnector* tls_connector =
      static_cast<grpc_core::TlsServerSecurityConnector*>(connector.get());
  EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
  // Calling SetErrorForCert on distributor shouldn't invalidate the previous
  // valid credentials.
  distributor->SetErrorForCert(
      kRootCertName, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage),
      absl::nullopt);
  distributor->SetErrorForCert(
      kIdentityCertName, absl::nullopt,
      GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage));
  EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
 }
 TEST_F(TlsSecurityConnectorTest,
       CreateServerSecurityConnectorFailNoCredentials) {
  auto connector =
      grpc_core::TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
          nullptr, grpc_core::MakeRefCounted<grpc_tls_credentials_options>());
  EXPECT_EQ(connector, nullptr);
 }
-TEST_F(TlsSecurityConnectorTest, CreateServerSecurityConnectorFailInit) {
+TEST_F(TlsSecurityConnectorTest, CreateServerSecurityConnectorFailNoOptions) {
-  SetOptions(FAIL);
+  grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
-  auto cred = std::unique_ptr<grpc_server_credentials>(
+      grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
-      grpc_tls_server_credentials_create(options_.get()));
+  grpc_core::RefCountedPtr<TlsServerCredentials> credential =
-  auto connector = cred->create_security_connector();
+      grpc_core::MakeRefCounted<TlsServerCredentials>(options);
  auto connector =
      grpc_core::TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
          credential, nullptr);
  EXPECT_EQ(connector, nullptr);
 }
--- a/test/core/surface/public_headers_must_be_c89.c
+++ b/test/core/surface/public_headers_must_be_c89.c
@ -202,18 +202,22 @@ int main(int argc, char **argv) {
  printf("%lx", (unsigned long) grpc_alts_server_credentials_create);
  printf("%lx", (unsigned long) grpc_local_credentials_create);
  printf("%lx", (unsigned long) grpc_local_server_credentials_create);
  printf("%lx", (unsigned long) grpc_tls_identity_pairs_create);
  printf("%lx", (unsigned long) grpc_tls_identity_pairs_add_pair);
  printf("%lx", (unsigned long) grpc_tls_identity_pairs_destroy);
  printf("%lx", (unsigned long) grpc_tls_certificate_provider_static_data_create);
  printf("%lx", (unsigned long) grpc_tls_certificate_provider_release);
  printf("%lx", (unsigned long) grpc_tls_credentials_options_create);
  printf("%lx", (unsigned long) grpc_tls_credentials_options_set_cert_request_type);
  printf("%lx", (unsigned long) grpc_tls_credentials_options_set_server_verification_option);
-  printf("%lx", (unsigned long) grpc_tls_credentials_options_set_key_materials_config);
+  printf("%lx", (unsigned long) grpc_tls_credentials_options_set_certificate_provider);
-  printf("%lx", (unsigned long) grpc_tls_credentials_options_set_credential_reload_config);
+  printf("%lx", (unsigned long) grpc_tls_credentials_options_watch_root_certs);
  printf("%lx", (unsigned long) grpc_tls_credentials_options_set_root_cert_name);
  printf("%lx", (unsigned long) grpc_tls_credentials_options_watch_identity_key_cert_pairs);
  printf("%lx", (unsigned long) grpc_tls_credentials_options_set_identity_cert_name);
  printf("%lx", (unsigned long) grpc_tls_credentials_options_set_server_authorization_check_config);
  printf("%lx", (unsigned long) grpc_tls_key_materials_config_create);
  printf("%lx", (unsigned long) grpc_tls_key_materials_config_set_key_materials);
  printf("%lx", (unsigned long) grpc_tls_key_materials_config_set_version);
  printf("%lx", (unsigned long) grpc_tls_key_materials_config_get_version);
  printf("%lx", (unsigned long) grpc_tls_credential_reload_config_create);
  printf("%lx", (unsigned long) grpc_tls_server_authorization_check_config_create);
  printf("%lx", (unsigned long) grpc_tls_server_authorization_check_config_release);
  printf("%lx", (unsigned long) grpc_xds_credentials_create);
  printf("%lx", (unsigned long) grpc_raw_byte_buffer_create);
  printf("%lx", (unsigned long) grpc_raw_compressed_byte_buffer_create);
--- a/test/cpp/client/credentials_test.cc
+++ b/test/cpp/client/credentials_test.cc
@ -18,6 +18,7 @@
 #include <gmock/gmock.h>
 #include <grpc/grpc.h>
 #include <grpc/grpc_security.h>
 #include <grpcpp/security/credentials.h>
 #include <grpcpp/security/server_credentials.h>
 #include <grpcpp/security/tls_credentials_options.h>
@ -28,45 +29,21 @@
 #include "src/core/lib/gpr/env.h"
 #include "src/core/lib/gpr/tmpfile.h"
 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
 #include "src/cpp/client/secure_credentials.h"
 #include "src/cpp/common/tls_credentials_options_util.h"
 namespace {
-typedef class ::grpc::experimental::TlsKeyMaterialsConfig TlsKeyMaterialsConfig;
+constexpr const char* kRootCertName = "root_cert_name";
-typedef class ::grpc::experimental::TlsCredentialReloadArg
+constexpr const char* kRootCertContents = "root_cert_contents";
-    TlsCredentialReloadArg;
+constexpr const char* kIdentityCertName = "identity_cert_name";
-typedef struct ::grpc::experimental::TlsCredentialReloadInterface
+constexpr const char* kIdentityCertPrivateKey = "identity_private_key";
-    TlsCredentialReloadInterface;
+constexpr const char* kIdentityCertContents = "identity_cert_contents";
 typedef class ::grpc::experimental::TlsServerAuthorizationCheckArg
    TlsServerAuthorizationCheckArg;
 typedef struct ::grpc::experimental::TlsServerAuthorizationCheckInterface
    TlsServerAuthorizationCheckInterface;
 static void tls_credential_reload_callback(
    grpc_tls_credential_reload_arg* arg) {
  GPR_ASSERT(arg != nullptr);
  arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
 }
-class TestTlsCredentialReload : public TlsCredentialReloadInterface {
+using ::grpc::experimental::StaticDataCertificateProvider;
-  int Schedule(TlsCredentialReloadArg* arg) override {
+using ::grpc::experimental::TlsServerAuthorizationCheckArg;
-    GPR_ASSERT(arg != nullptr);
+using ::grpc::experimental::TlsServerAuthorizationCheckConfig;
-    TlsKeyMaterialsConfig::PemKeyCertPair pair = {"private_key3",
+using ::grpc::experimental::TlsServerAuthorizationCheckInterface;
                                                  "cert_chain3"};
    arg->set_pem_root_certs("new_pem_root_certs");
    arg->add_pem_key_cert_pair(pair);
    arg->set_status(GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW);
    return 0;
  }
  void Cancel(TlsCredentialReloadArg* arg) override {
    GPR_ASSERT(arg != nullptr);
    arg->set_status(GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL);
    arg->set_error_details("cancelled");
  }
 };
 static void tls_server_authorization_check_callback(
    grpc_tls_server_authorization_check_arg* arg) {
@ -104,21 +81,18 @@ class TestTlsServerAuthorizationCheck
 namespace grpc {
 namespace testing {
 namespace {
-class CredentialsTest : public ::testing::Test {
+TEST(CredentialsTest, InvalidGoogleRefreshToken) {
 protected:
 };
 TEST_F(CredentialsTest, InvalidGoogleRefreshToken) {
  std::shared_ptr<CallCredentials> bad1 = GoogleRefreshTokenCredentials("");
  EXPECT_EQ(static_cast<CallCredentials*>(nullptr), bad1.get());
 }
-TEST_F(CredentialsTest, DefaultCredentials) {
+TEST(CredentialsTest, DefaultCredentials) {
  auto creds = GoogleDefaultCredentials();
 }
-TEST_F(CredentialsTest, StsCredentialsOptionsCppToCore) {
+TEST(CredentialsTest, StsCredentialsOptionsCppToCore) {
  grpc::experimental::StsCredentialsOptions options;
  options.token_exchange_service_uri = "https://foo.com/exchange";
  options.resource = "resource";
@ -143,7 +117,7 @@ TEST_F(CredentialsTest, StsCredentialsOptionsCppToCore) {
  EXPECT_EQ(options.actor_token_type, core_opts.actor_token_type);
 }
-TEST_F(CredentialsTest, StsCredentialsOptionsJson) {
+TEST(CredentialsTest, StsCredentialsOptionsJson) {
  const char valid_json[] = R"(
  {
    "token_exchange_service_uri": "https://foo/exchange",
@ -231,7 +205,7 @@ TEST_F(CredentialsTest, StsCredentialsOptionsJson) {
              ::testing::HasSubstr("token_exchange_service_uri"));
 }
-TEST_F(CredentialsTest, StsCredentialsOptionsFromEnv) {
+TEST(CredentialsTest, StsCredentialsOptionsFromEnv) {
  // Unset env and check expected failure.
  gpr_unsetenv("STS_CREDENTIALS");
  grpc::experimental::StsCredentialsOptions options;
@ -270,173 +244,7 @@ TEST_F(CredentialsTest, StsCredentialsOptionsFromEnv) {
  gpr_unsetenv("STS_CREDENTIALS");
 }
-typedef class ::grpc::experimental::TlsKeyMaterialsConfig TlsKeyMaterialsConfig;
+TEST(CredentialsTest, TlsServerAuthorizationCheckArgCallback) {
 TEST_F(CredentialsTest, TlsKeyMaterialsConfigCppToC) {
  std::shared_ptr<TlsKeyMaterialsConfig> config(new TlsKeyMaterialsConfig());
  struct TlsKeyMaterialsConfig::PemKeyCertPair pair = {"private_key",
                                                       "cert_chain"};
  std::vector<TlsKeyMaterialsConfig::PemKeyCertPair> pair_list = {pair};
  config->set_key_materials("pem_root_certs", pair_list);
  grpc_tls_key_materials_config* c_config =
      ConvertToCKeyMaterialsConfig(config);
  EXPECT_STREQ("pem_root_certs", c_config->pem_root_certs());
  EXPECT_EQ(1, static_cast<int>(c_config->pem_key_cert_pair_list().size()));
  EXPECT_STREQ(pair.private_key.c_str(),
               c_config->pem_key_cert_pair_list()[0].private_key());
  EXPECT_STREQ(pair.cert_chain.c_str(),
               c_config->pem_key_cert_pair_list()[0].cert_chain());
  delete c_config;
 }
 TEST_F(CredentialsTest, TlsKeyMaterialsModifiers) {
  std::shared_ptr<TlsKeyMaterialsConfig> config(new TlsKeyMaterialsConfig());
  TlsKeyMaterialsConfig::PemKeyCertPair pair = {"private_key", "cert_chain"};
  config->add_pem_key_cert_pair(pair);
  config->set_pem_root_certs("pem_root_certs");
  EXPECT_STREQ(config->pem_root_certs().c_str(), "pem_root_certs");
  std::vector<TlsKeyMaterialsConfig::PemKeyCertPair> list =
      config->pem_key_cert_pair_list();
  EXPECT_EQ(static_cast<int>(list.size()), 1);
  EXPECT_STREQ(list[0].private_key.c_str(), "private_key");
  EXPECT_STREQ(list[0].cert_chain.c_str(), "cert_chain");
 }
 typedef class ::grpc::experimental::TlsCredentialReloadArg
    TlsCredentialReloadArg;
 typedef class ::grpc::experimental::TlsCredentialReloadConfig
    TlsCredentialReloadConfig;
 TEST_F(CredentialsTest, TlsCredentialReloadArgCallback) {
  grpc_tls_credential_reload_arg* c_arg = new grpc_tls_credential_reload_arg;
  c_arg->key_materials_config = grpc_tls_key_materials_config_create();
  c_arg->cb = tls_credential_reload_callback;
  c_arg->context = nullptr;
  TlsCredentialReloadArg* arg = new TlsCredentialReloadArg(c_arg);
  arg->set_pem_root_certs("pem_root_certs");
  TlsKeyMaterialsConfig::PemKeyCertPair pair = {"private_key", "cert_chain"};
  arg->add_pem_key_cert_pair(pair);
  arg->set_status(GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW);
  arg->OnCredentialReloadDoneCallback();
  EXPECT_EQ(arg->status(), GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED);
  EXPECT_STREQ(c_arg->key_materials_config->pem_root_certs(), "pem_root_certs");
  EXPECT_EQ(c_arg->key_materials_config->pem_key_cert_pair_list().size(), 1);
  EXPECT_STREQ(
      c_arg->key_materials_config->pem_key_cert_pair_list()[0].private_key(),
      "private_key");
  EXPECT_STREQ(
      c_arg->key_materials_config->pem_key_cert_pair_list()[0].cert_chain(),
      "cert_chain");
  // Cleanup.
  delete arg;
  delete c_arg->key_materials_config;
  delete c_arg;
 }
 TEST_F(CredentialsTest, TlsCredentialReloadConfigSchedule) {
  std::shared_ptr<TestTlsCredentialReload> test_credential_reload(
      new TestTlsCredentialReload());
  std::shared_ptr<TlsCredentialReloadConfig> config(
      new TlsCredentialReloadConfig(test_credential_reload));
  grpc_tls_credential_reload_arg* c_arg = new grpc_tls_credential_reload_arg();
  c_arg->error_details = new grpc_tls_error_details();
  c_arg->context = nullptr;
  TlsCredentialReloadArg* arg = new TlsCredentialReloadArg(c_arg);
  struct TlsKeyMaterialsConfig::PemKeyCertPair pair1 = {"private_key1",
                                                        "cert_chain1"};
  struct TlsKeyMaterialsConfig::PemKeyCertPair pair2 = {"private_key2",
                                                        "cert_chain2"};
  std::vector<TlsKeyMaterialsConfig::PemKeyCertPair> pair_list = {pair1, pair2};
  arg->set_key_materials("pem_root_certs", pair_list);
  arg->set_status(GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW);
  arg->set_error_details("error_details");
  int schedule_output = config->Schedule(arg);
  EXPECT_EQ(schedule_output, 0);
  EXPECT_STREQ(c_arg->key_materials_config->pem_root_certs(),
               "new_pem_root_certs");
  grpc_tls_key_materials_config::PemKeyCertPairList c_pair_list =
      c_arg->key_materials_config->pem_key_cert_pair_list();
  EXPECT_TRUE(!arg->is_pem_key_cert_pair_list_empty());
  EXPECT_EQ(static_cast<int>(c_pair_list.size()), 3);
  EXPECT_STREQ(c_pair_list[0].private_key(), "private_key1");
  EXPECT_STREQ(c_pair_list[0].cert_chain(), "cert_chain1");
  EXPECT_STREQ(c_pair_list[1].private_key(), "private_key2");
  EXPECT_STREQ(c_pair_list[1].cert_chain(), "cert_chain2");
  EXPECT_STREQ(c_pair_list[2].private_key(), "private_key3");
  EXPECT_STREQ(c_pair_list[2].cert_chain(), "cert_chain3");
  EXPECT_EQ(arg->status(), GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW);
  EXPECT_STREQ(arg->error_details().c_str(), "error_details");
  // Cleanup.
  delete c_arg->key_materials_config;
  if (c_arg->destroy_context != nullptr) {
    c_arg->destroy_context(c_arg->context);
  }
  delete c_arg->error_details;
  delete c_arg;
  delete config->c_config();
 }
 TEST_F(CredentialsTest, TlsCredentialReloadConfigCppToC) {
  std::shared_ptr<TestTlsCredentialReload> test_credential_reload(
      new TestTlsCredentialReload());
  TlsCredentialReloadConfig config(test_credential_reload);
  grpc_tls_credential_reload_arg c_arg;
  c_arg.error_details = new grpc_tls_error_details();
  c_arg.context = nullptr;
  c_arg.cb_user_data = static_cast<void*>(nullptr);
  grpc_tls_key_materials_config c_key_materials;
  std::string test_private_key = "private_key";
  std::string test_cert_chain = "cert_chain";
  grpc_ssl_pem_key_cert_pair* ssl_pair =
      (grpc_ssl_pem_key_cert_pair*)gpr_malloc(
          sizeof(grpc_ssl_pem_key_cert_pair));
  ssl_pair->private_key = gpr_strdup(test_private_key.c_str());
  ssl_pair->cert_chain = gpr_strdup(test_cert_chain.c_str());
  ::grpc_core::PemKeyCertPair pem_key_cert_pair =
      ::grpc_core::PemKeyCertPair(ssl_pair);
  ::absl::InlinedVector<::grpc_core::PemKeyCertPair, 1> pem_key_cert_pair_list;
  pem_key_cert_pair_list.push_back(pem_key_cert_pair);
  std::string test_pem_root_certs = "pem_root_certs";
  c_key_materials.set_key_materials(test_pem_root_certs.c_str(),
                                    pem_key_cert_pair_list);
  c_arg.key_materials_config = &c_key_materials;
  c_arg.status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
  std::string test_error_details = "error_details";
  c_arg.error_details->set_error_details(test_error_details.c_str());
  grpc_tls_credential_reload_config* c_config = config.c_config();
  c_arg.config = c_config;
  int c_schedule_output = c_config->Schedule(&c_arg);
  EXPECT_EQ(c_schedule_output, 0);
  EXPECT_EQ(c_arg.cb_user_data, nullptr);
  EXPECT_STREQ(c_arg.key_materials_config->pem_root_certs(),
               "new_pem_root_certs");
  ::absl::InlinedVector<::grpc_core::PemKeyCertPair, 1> pair_list =
      c_arg.key_materials_config->pem_key_cert_pair_list();
  EXPECT_EQ(static_cast<int>(pair_list.size()), 2);
  EXPECT_STREQ(pair_list[0].private_key(), "private_key");
  EXPECT_STREQ(pair_list[0].cert_chain(), "cert_chain");
  EXPECT_STREQ(pair_list[1].private_key(), "private_key3");
  EXPECT_STREQ(pair_list[1].cert_chain(), "cert_chain3");
  EXPECT_EQ(c_arg.status, GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW);
  EXPECT_STREQ(c_arg.error_details->error_details().c_str(),
               test_error_details.c_str());
  // Cleanup.
  c_arg.destroy_context(c_arg.context);
  delete c_arg.error_details;
  delete config.c_config();
 }
 typedef class ::grpc::experimental::TlsServerAuthorizationCheckArg
    TlsServerAuthorizationCheckArg;
 typedef class ::grpc::experimental::TlsServerAuthorizationCheckConfig
    TlsServerAuthorizationCheckConfig;
 TEST_F(CredentialsTest, TlsServerAuthorizationCheckArgCallback) {
  grpc_tls_server_authorization_check_arg* c_arg =
      new grpc_tls_server_authorization_check_arg;
  c_arg->cb = tls_server_authorization_check_callback;
@ -472,7 +280,7 @@ TEST_F(CredentialsTest, TlsServerAuthorizationCheckArgCallback) {
  delete c_arg;
 }
-TEST_F(CredentialsTest, TlsServerAuthorizationCheckConfigSchedule) {
+TEST(CredentialsTest, TlsServerAuthorizationCheckConfigSchedule) {
  std::shared_ptr<TestTlsServerAuthorizationCheck>
      test_server_authorization_check(new TestTlsServerAuthorizationCheck());
  TlsServerAuthorizationCheckConfig config(test_server_authorization_check);
@ -511,10 +319,9 @@ TEST_F(CredentialsTest, TlsServerAuthorizationCheckConfigSchedule) {
    c_arg->destroy_context(c_arg->context);
  }
  delete c_arg;
  delete config.c_config();
 }
-TEST_F(CredentialsTest, TlsServerAuthorizationCheckConfigCppToC) {
+TEST(CredentialsTest, TlsServerAuthorizationCheckConfigCppToC) {
  std::shared_ptr<TestTlsServerAuthorizationCheck>
      test_server_authorization_check(new TestTlsServerAuthorizationCheck());
  TlsServerAuthorizationCheckConfig config(test_server_authorization_check);
@ -545,174 +352,62 @@ TEST_F(CredentialsTest, TlsServerAuthorizationCheckConfigCppToC) {
  delete c_arg.error_details;
  gpr_free(const_cast<char*>(c_arg.target_name));
  gpr_free(const_cast<char*>(c_arg.peer_cert));
  delete config.c_config();
 }
 typedef class ::grpc::experimental::TlsCredentialsOptions TlsCredentialsOptions;
 TEST_F(CredentialsTest, TlsCredentialsOptionsCppToC) {
  std::shared_ptr<TlsKeyMaterialsConfig> key_materials_config(
      new TlsKeyMaterialsConfig());
  struct TlsKeyMaterialsConfig::PemKeyCertPair pair = {"private_key",
                                                       "cert_chain"};
  std::vector<TlsKeyMaterialsConfig::PemKeyCertPair> pair_list = {pair};
  key_materials_config->set_key_materials("pem_root_certs", pair_list);
  std::shared_ptr<TestTlsCredentialReload> test_credential_reload(
      new TestTlsCredentialReload());
  std::shared_ptr<TlsCredentialReloadConfig> credential_reload_config(
      new TlsCredentialReloadConfig(test_credential_reload));
  std::shared_ptr<TestTlsServerAuthorizationCheck>
      test_server_authorization_check(new TestTlsServerAuthorizationCheck());
  std::shared_ptr<TlsServerAuthorizationCheckConfig>
      server_authorization_check_config(new TlsServerAuthorizationCheckConfig(
          test_server_authorization_check));
  TlsCredentialsOptions options = TlsCredentialsOptions(
      GRPC_TLS_SERVER_VERIFICATION, key_materials_config,
      credential_reload_config, server_authorization_check_config);
  grpc_tls_credentials_options* c_options = options.c_credentials_options();
  EXPECT_EQ(c_options->cert_request_type(),
            GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
  EXPECT_EQ(c_options->server_verification_option(),
            GRPC_TLS_SERVER_VERIFICATION);
  grpc_tls_key_materials_config* c_key_materials_config =
      c_options->key_materials_config();
  grpc_tls_credential_reload_config* c_credential_reload_config =
      c_options->credential_reload_config();
  grpc_tls_credential_reload_arg c_credential_reload_arg;
  c_credential_reload_arg.cb_user_data = nullptr;
  c_credential_reload_arg.key_materials_config =
      c_options->key_materials_config();
  c_credential_reload_arg.status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
  std::string test_error_details = "error_details";
  c_credential_reload_arg.error_details = new grpc_tls_error_details();
  c_credential_reload_arg.error_details->set_error_details(
      test_error_details.c_str());
  c_credential_reload_arg.context = nullptr;
  grpc_tls_server_authorization_check_config*
      c_server_authorization_check_config =
          c_options->server_authorization_check_config();
  grpc_tls_server_authorization_check_arg c_server_authorization_check_arg;
  c_server_authorization_check_arg.cb = tls_server_authorization_check_callback;
  c_server_authorization_check_arg.cb_user_data = nullptr;
  c_server_authorization_check_arg.success = 0;
  c_server_authorization_check_arg.target_name = "target_name";
  c_server_authorization_check_arg.peer_cert = "peer_cert";
  c_server_authorization_check_arg.status = GRPC_STATUS_UNAUTHENTICATED;
  c_server_authorization_check_arg.error_details = new grpc_tls_error_details();
  c_server_authorization_check_arg.error_details->set_error_details(
      "error_details");
  c_server_authorization_check_arg.context = nullptr;
  EXPECT_STREQ(c_key_materials_config->pem_root_certs(), "pem_root_certs");
  EXPECT_EQ(
      static_cast<int>(c_key_materials_config->pem_key_cert_pair_list().size()),
      1);
  EXPECT_STREQ(
      c_key_materials_config->pem_key_cert_pair_list()[0].private_key(),
      "private_key");
  EXPECT_STREQ(c_key_materials_config->pem_key_cert_pair_list()[0].cert_chain(),
               "cert_chain");
  GPR_ASSERT(c_credential_reload_config != nullptr);
  int c_credential_reload_schedule_output =
      c_credential_reload_config->Schedule(&c_credential_reload_arg);
  EXPECT_EQ(c_credential_reload_schedule_output, 0);
  EXPECT_EQ(c_credential_reload_arg.cb_user_data, nullptr);
  EXPECT_STREQ(c_credential_reload_arg.key_materials_config->pem_root_certs(),
               "new_pem_root_certs");
  ::absl::InlinedVector<::grpc_core::PemKeyCertPair, 1> c_pair_list =
      c_credential_reload_arg.key_materials_config->pem_key_cert_pair_list();
  EXPECT_EQ(static_cast<int>(c_pair_list.size()), 2);
  EXPECT_STREQ(c_pair_list[0].private_key(), "private_key");
  EXPECT_STREQ(c_pair_list[0].cert_chain(), "cert_chain");
  EXPECT_STREQ(c_pair_list[1].private_key(), "private_key3");
  EXPECT_STREQ(c_pair_list[1].cert_chain(), "cert_chain3");
  EXPECT_EQ(c_credential_reload_arg.status,
            GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW);
  EXPECT_STREQ(c_credential_reload_arg.error_details->error_details().c_str(),
               test_error_details.c_str());
  int c_server_authorization_check_schedule_output =
      c_server_authorization_check_config->Schedule(
          &c_server_authorization_check_arg);
  EXPECT_EQ(c_server_authorization_check_schedule_output, 1);
  EXPECT_STREQ(
      static_cast<char*>(c_server_authorization_check_arg.cb_user_data),
      "cb_user_data");
  EXPECT_EQ(c_server_authorization_check_arg.success, 1);
  EXPECT_STREQ(c_server_authorization_check_arg.target_name,
               "sync_target_name");
  EXPECT_STREQ(c_server_authorization_check_arg.peer_cert, "sync_peer_cert");
  EXPECT_EQ(c_server_authorization_check_arg.status, GRPC_STATUS_OK);
  EXPECT_STREQ(
      c_server_authorization_check_arg.error_details->error_details().c_str(),
      "sync_error_details");
  // Cleanup.
  c_credential_reload_arg.destroy_context(c_credential_reload_arg.context);
  delete c_credential_reload_arg.error_details;
  c_server_authorization_check_arg.destroy_context(
      c_server_authorization_check_arg.context);
  gpr_free(c_server_authorization_check_arg.cb_user_data);
  gpr_free(const_cast<char*>(c_server_authorization_check_arg.target_name));
  gpr_free(const_cast<char*>(c_server_authorization_check_arg.peer_cert));
  delete c_server_authorization_check_arg.error_details;
  delete c_options;
 }
-// This test demonstrates how the TLS credentials will be used.
+TEST(
-TEST_F(CredentialsTest, LoadTlsChannelCredentials) {
+    CredentialsTest,
-  std::shared_ptr<TestTlsCredentialReload> test_credential_reload(
+    TlsChannelCredentialsWithStaticDataCertificateProviderLoadingRootAndIdentity) {
-      new TestTlsCredentialReload());
+  experimental::IdentityKeyCertPair key_cert_pair;
-  std::shared_ptr<TlsCredentialReloadConfig> credential_reload_config(
+  key_cert_pair.private_key = kIdentityCertPrivateKey;
-      new TlsCredentialReloadConfig(test_credential_reload));
+  key_cert_pair.certificate_chain = kIdentityCertContents;
-
+  std::vector<experimental::IdentityKeyCertPair> identity_key_cert_pairs;
-  std::shared_ptr<TestTlsServerAuthorizationCheck>
+  identity_key_cert_pairs.emplace_back(key_cert_pair);
-      test_server_authorization_check(new TestTlsServerAuthorizationCheck());
+  auto certificate_provider = std::make_shared<StaticDataCertificateProvider>(
-  std::shared_ptr<TlsServerAuthorizationCheckConfig>
+      kRootCertContents, identity_key_cert_pairs);
-      server_authorization_check_config(new TlsServerAuthorizationCheckConfig(
+  auto test_server_authorization_check =
-          test_server_authorization_check));
+      std::make_shared<TestTlsServerAuthorizationCheck>();
-
+  auto server_authorization_check_config =
-  TlsCredentialsOptions options = TlsCredentialsOptions(
+      std::make_shared<TlsServerAuthorizationCheckConfig>(
-      GRPC_TLS_SERVER_VERIFICATION, nullptr, credential_reload_config,
+          test_server_authorization_check);
  grpc::experimental::TlsChannelCredentialsOptions options(
      certificate_provider);
  options.watch_root_certs();
  options.set_root_cert_name(kRootCertName);
  options.watch_identity_key_cert_pairs();
  options.set_identity_cert_name(kIdentityCertName);
  options.set_server_verification_option(GRPC_TLS_SERVER_VERIFICATION);
  options.set_server_authorization_check_config(
      server_authorization_check_config);
-  std::shared_ptr<grpc::ChannelCredentials> channel_credentials =
+  auto channel_credentials = grpc::experimental::TlsCredentials(options);
      grpc::experimental::TlsCredentials(options);
  GPR_ASSERT(channel_credentials.get() != nullptr);
 }
-TEST_F(CredentialsTest, TlsCredentialReloadConfigErrorMessages) {
+// ChannelCredentials should always have root credential presented.
-  std::shared_ptr<TlsCredentialReloadConfig> config(
+// Otherwise the system root certificates will be loaded, which will cause
-      new TlsCredentialReloadConfig(nullptr));
+// failure in some tests under MacOS/Windows.
-  grpc_tls_credential_reload_arg* c_arg = new grpc_tls_credential_reload_arg;
+TEST(CredentialsTest,
-  c_arg->error_details = new grpc_tls_error_details();
+     TlsChannelCredentialsWithStaticDataCertificateProviderLoadingRootOnly) {
-  c_arg->context = nullptr;
+  auto certificate_provider =
-  TlsCredentialReloadArg* arg = new TlsCredentialReloadArg(c_arg);
+      std::make_shared<StaticDataCertificateProvider>(kRootCertContents);
-  int schedule_output = config->Schedule(arg);
+  auto test_server_authorization_check =
-
+      std::make_shared<TestTlsServerAuthorizationCheck>();
-  EXPECT_EQ(schedule_output, 1);
+  auto server_authorization_check_config =
-  EXPECT_EQ(arg->status(), GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL);
+      std::make_shared<TlsServerAuthorizationCheckConfig>(
-  EXPECT_STREQ(arg->error_details().c_str(),
+          test_server_authorization_check);
-               "the interface of the credential reload config is nullptr");
+  GPR_ASSERT(certificate_provider != nullptr);
-
+  GPR_ASSERT(certificate_provider->c_provider() != nullptr);
-  arg->set_status(GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED);
+  grpc::experimental::TlsChannelCredentialsOptions options(
-  config->Cancel(arg);
+      certificate_provider);
-  EXPECT_EQ(arg->status(), GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL);
+  options.watch_root_certs();
-  EXPECT_STREQ(arg->error_details().c_str(),
+  options.set_root_cert_name(kRootCertName);
-               "the interface of the credential reload config is nullptr");
+  options.set_server_verification_option(GRPC_TLS_SERVER_VERIFICATION);
-
+  options.set_server_authorization_check_config(
-  // Cleanup.
+      server_authorization_check_config);
-  if (c_arg->destroy_context != nullptr) {
+  auto channel_credentials = grpc::experimental::TlsCredentials(options);
-    c_arg->destroy_context(c_arg->context);
+  GPR_ASSERT(channel_credentials.get() != nullptr);
  }
  delete c_arg->error_details;
  delete c_arg;
  delete config->c_config();
 }
-TEST_F(CredentialsTest, TlsServerAuthorizationCheckConfigErrorMessages) {
+TEST(CredentialsTest, TlsServerAuthorizationCheckConfigErrorMessages) {
  std::shared_ptr<TlsServerAuthorizationCheckConfig> config(
      new TlsServerAuthorizationCheckConfig(nullptr));
  grpc_tls_server_authorization_check_arg* c_arg =
@ -742,9 +437,9 @@ TEST_F(CredentialsTest, TlsServerAuthorizationCheckConfigErrorMessages) {
    c_arg->destroy_context(c_arg->context);
  }
  delete c_arg;
  delete config->c_config();
 }
 }  // namespace
 }  // namespace testing
 }  // namespace grpc
--- a/test/cpp/server/BUILD
+++ b/test/cpp/server/BUILD
@ -59,3 +59,17 @@ grpc_cc_test(
        "//test/core/util:grpc_test_util_unsecure",
    ],
 )
 grpc_cc_test(
    name = "credentials_test",
    srcs = ["credentials_test.cc"],
    external_deps = [
        "gtest",
    ],
    deps = [
        "//:gpr",
        "//:grpc",
        "//:grpc++",
        "//test/core/util:grpc_test_util",
    ],
 )
--- a/test/cpp/server/credentials_test.cc
+++ b/test/cpp/server/credentials_test.cc
@ -0,0 +1,98 @@
 //
 // Copyright 2020 gRPC authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
 #include <gmock/gmock.h>
 #include <grpc/grpc.h>
 #include <grpc/grpc_security.h>
 #include <grpcpp/security/server_credentials.h>
 #include <grpcpp/security/tls_credentials_options.h>
 #include <gtest/gtest.h>
 #include <memory>
 #include "src/cpp/client/secure_credentials.h"
 #include "test/core/util/port.h"
 #include "test/core/util/test_config.h"
 namespace {
 constexpr const char* kRootCertName = "root_cert_name";
 constexpr const char* kRootCertContents = "root_cert_contents";
 constexpr const char* kIdentityCertName = "identity_cert_name";
 constexpr const char* kIdentityCertPrivateKey = "identity_private_key";
 constexpr const char* kIdentityCertContents = "identity_cert_contents";
 using ::grpc::experimental::StaticDataCertificateProvider;
 }  // namespace
 namespace grpc {
 namespace testing {
 namespace {
 TEST(
    CredentialsTest,
    TlsServerCredentialsWithStaticDataCertificateProviderLoadingRootAndIdentity) {
  experimental::IdentityKeyCertPair key_cert_pair;
  key_cert_pair.private_key = kIdentityCertPrivateKey;
  key_cert_pair.certificate_chain = kIdentityCertContents;
  std::vector<experimental::IdentityKeyCertPair> identity_key_cert_pairs;
  identity_key_cert_pairs.emplace_back(key_cert_pair);
  auto certificate_provider = std::make_shared<StaticDataCertificateProvider>(
      kRootCertContents, identity_key_cert_pairs);
  grpc::experimental::TlsServerCredentialsOptions options(certificate_provider);
  options.watch_root_certs();
  options.set_root_cert_name(kRootCertName);
  options.watch_identity_key_cert_pairs();
  options.set_identity_cert_name(kIdentityCertName);
  options.set_cert_request_type(
      GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
  auto server_credentials = grpc::experimental::TlsServerCredentials(options);
  GPR_ASSERT(server_credentials.get() != nullptr);
 }
 // ServerCredentials should always have identity credential presented.
 // Otherwise gRPC stack will fail.
 TEST(CredentialsTest,
     TlsServerCredentialsWithStaticDataCertificateProviderLoadingIdentityOnly) {
  experimental::IdentityKeyCertPair key_cert_pair;
  key_cert_pair.private_key = kIdentityCertPrivateKey;
  key_cert_pair.certificate_chain = kIdentityCertContents;
  std::vector<experimental::IdentityKeyCertPair> identity_key_cert_pairs;
  // Adding two key_cert_pair(s) should still work.
  identity_key_cert_pairs.emplace_back(key_cert_pair);
  identity_key_cert_pairs.emplace_back(key_cert_pair);
  auto certificate_provider =
      std::make_shared<StaticDataCertificateProvider>(identity_key_cert_pairs);
  grpc::experimental::TlsServerCredentialsOptions options(certificate_provider);
  options.watch_identity_key_cert_pairs();
  options.set_identity_cert_name(kIdentityCertName);
  options.set_cert_request_type(
      GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
  auto server_credentials = grpc::experimental::TlsServerCredentials(options);
  GPR_ASSERT(server_credentials.get() != nullptr);
 }
 }  // namespace
 }  // namespace testing
 }  // namespace grpc
 int main(int argc, char** argv) {
  ::testing::InitGoogleTest(&argc, argv);
  grpc::testing::TestEnvironment env(argc, argv);
  int ret = RUN_ALL_TESTS();
  return ret;
 }
--- a/tools/doxygen/Doxyfile.c++
+++ b/tools/doxygen/Doxyfile.c++
@ -1010,6 +1010,7 @@ include/grpcpp/security/auth_context.h \
 include/grpcpp/security/auth_metadata_processor.h \
 include/grpcpp/security/credentials.h \
 include/grpcpp/security/server_credentials.h \
 include/grpcpp/security/tls_certificate_provider.h \
 include/grpcpp/security/tls_credentials_options.h \
 include/grpcpp/server.h \
 include/grpcpp/server_builder.h \
--- a/tools/doxygen/Doxyfile.c++.internal
+++ b/tools/doxygen/Doxyfile.c++.internal
@ -1010,6 +1010,7 @@ include/grpcpp/security/auth_context.h \
 include/grpcpp/security/auth_metadata_processor.h \
 include/grpcpp/security/credentials.h \
 include/grpcpp/security/server_credentials.h \
 include/grpcpp/security/tls_certificate_provider.h \
 include/grpcpp/security/tls_credentials_options.h \
 include/grpcpp/server.h \
 include/grpcpp/server_builder.h \
@ -1882,7 +1883,6 @@ src/core/lib/security/authorization/evaluate_args.cc \
 src/core/lib/security/authorization/evaluate_args.h \
 src/core/lib/security/authorization/mock_cel/activation.h \
 src/core/lib/security/authorization/mock_cel/cel_value.h \
 src/core/lib/security/certificate_provider.h \
 src/core/lib/security/context/security_context.cc \
 src/core/lib/security/context/security_context.h \
 src/core/lib/security/credentials/alts/alts_credentials.cc \
@ -1929,6 +1929,8 @@ src/core/lib/security/credentials/ssl/ssl_credentials.cc \
 src/core/lib/security/credentials/ssl/ssl_credentials.h \
 src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc \
 src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h \
 src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc \
 src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h \
 src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc \
 src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h \
 src/core/lib/security/credentials/tls/tls_credentials.cc \
@ -2126,6 +2128,7 @@ src/cpp/common/secure_auth_context.cc \
 src/cpp/common/secure_auth_context.h \
 src/cpp/common/secure_channel_arguments.cc \
 src/cpp/common/secure_create_auth_context.cc \
 src/cpp/common/tls_certificate_provider.cc \
 src/cpp/common/tls_credentials_options.cc \
 src/cpp/common/tls_credentials_options_util.cc \
 src/cpp/common/tls_credentials_options_util.h \
--- a/tools/doxygen/Doxyfile.core.internal
+++ b/tools/doxygen/Doxyfile.core.internal
@ -1725,7 +1725,6 @@ src/core/lib/security/authorization/evaluate_args.cc \
 src/core/lib/security/authorization/evaluate_args.h \
 src/core/lib/security/authorization/mock_cel/activation.h \
 src/core/lib/security/authorization/mock_cel/cel_value.h \
 src/core/lib/security/certificate_provider.h \
 src/core/lib/security/context/security_context.cc \
 src/core/lib/security/context/security_context.h \
 src/core/lib/security/credentials/alts/alts_credentials.cc \
@ -1772,6 +1771,8 @@ src/core/lib/security/credentials/ssl/ssl_credentials.cc \
 src/core/lib/security/credentials/ssl/ssl_credentials.h \
 src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc \
 src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h \
 src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc \
 src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h \
 src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc \
 src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h \
 src/core/lib/security/credentials/tls/tls_credentials.cc \
--- a/tools/run_tests/generated/tests.json
+++ b/tools/run_tests/generated/tests.json
@ -5833,6 +5833,30 @@
    ], 
    "uses_polling": true
  }, 
  {
    "args": [], 
    "benchmark": false, 
    "ci_platforms": [
      "linux", 
      "mac", 
      "posix", 
      "windows"
    ], 
    "cpu_cost": 1.0, 
    "exclude_configs": [], 
    "exclude_iomgrs": [], 
    "flaky": false, 
    "gtest": true, 
    "language": "c++", 
    "name": "test_cpp_server_credentials_test", 
    "platforms": [
      "linux", 
      "mac", 
      "posix", 
      "windows"
    ], 
    "uses_polling": true
  }, 
  {
    "args": [], 
    "benchmark": false,