single directory updates
Amruta-Ranade committed Apr 14, 2020
1 parent 5f4794c commit 4f1c3f1
Showing 1 changed file with 36 additions and 44 deletions.
80 changes: 36 additions & 44 deletions v20.1/create-security-certificates-openssl.md
@@ -70,14 +70,13 @@ Note the following:

### Step 1. Create the CA key and certificate pair

1. Create three directories:
1. Create two directories:

{% include copy-clipboard.html %}
~~~ shell
$ mkdir node-certs client-certs my-safe-directory
$ mkdir certs my-safe-directory
~~~
- `node-certs`: Create your CA certificate and all node certificates and keys in this directory and then upload the relevant files to the nodes.
- `client-certs`: Copy your CA certificate to this folder and create all client certificates and keys in this directory and then upload the relevant files to the clients.
- `certs`: Create your CA certificate and all node and client certificates and keys in this directory and then upload the relevant files to the nodes and clients.
- `my-safe-directory`: Create your CA key in this directory and then reference the key when generating node and client certificates. After that, keep the key safe and secret; do not upload it to your nodes or clients.

2. Create the `ca.cnf` file and copy the following configuration into it.
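Review bot: the new `certs` bullet ("upload the relevant files to the nodes and clients") should name which files are relevant, because node and client private keys now sit side by side in one directory. Suggest stating that a node receives only `ca.crt`, `node.crt` and `node.key`, and a client receives only `ca.crt` plus its own `client.<username>.crt` and `client.<username>.key`; copying the whole `certs` directory to a host would place other principals' private keys on it.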
@@ -150,7 +149,7 @@ Note the following:
-x509 \
-config ca.cnf \
-key my-safe-directory/ca.key \
-out node-certs/ca.crt \
-out certs/ca.crt \
-days 365 \
-batch
~~~
@@ -197,11 +196,11 @@ In the following steps, replace the placeholder text in the code with the actual

{% include copy-clipboard.html %}
~~~ shell
$ openssl genrsa -out node-certs/node.key 2048
$ openssl genrsa -out certs/node.key 2048
~~~
{% include copy-clipboard.html %}
~~~ shell
$ chmod 400 node-certs/node.key
$ chmod 400 certs/node.key
~~~

3. Create the CSR for the first node using the [`openssl req`](https://www.openssl.org/docs/manmaster/man1/req.html) command:
@@ -211,7 +210,7 @@ In the following steps, replace the placeholder text in the code with the actual
$ openssl req \
-new \
-config node.cnf \
-key node-certs/node.key \
-key certs/node.key \
-out node.csr \
-batch
~~~
@@ -223,11 +222,11 @@ In the following steps, replace the placeholder text in the code with the actual
$ openssl ca \
-config ca.cnf \
-keyfile my-safe-directory/ca.key \
-cert node-certs/ca.crt \
-cert certs/ca.crt \
-policy signing_policy \
-extensions signing_node_req \
-out node-certs/node.crt \
-outdir node-certs/ \
-out certs/node.crt \
-outdir certs/ \
-in node.csr \
-batch
~~~
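Review bot: `-outdir certs/` makes `openssl ca` write a serial-numbered `.pem` copy of every certificate it issues into `certs/`, and those copies are what the later "Remove the `.pem` files" steps clean up. With node and client certificates now signed into the same directory, one cleanup step at the end of the procedure would be clearer than repeating the removal after each signing, and that step should say the `.pem` files are duplicates of the `.crt` files just written so that readers do not remove `ca.crt` or any key by mistake.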
@@ -236,7 +235,7 @@ In the following steps, replace the placeholder text in the code with the actual

{% include copy-clipboard.html %}
~~~ shell
$ openssl x509 -in node-certs/node.crt -text | grep "X509v3 Subject Alternative Name" -A 1
$ openssl x509 -in certs/node.crt -text | grep "X509v3 Subject Alternative Name" -A 1
~~~

Sample output:
@@ -246,18 +245,11 @@ In the following steps, replace the placeholder text in the code with the actual
DNS:localhost, DNS:node.example.io, IP Address:127.0.0.1
~~~

6. Remove the `.pem` files in the `node-certs` directory. These files are unnecessary duplicates of the `.crt` files that CockroachDB requires.
6. Remove the `.pem` files in the `certs` directory. These files are unnecessary duplicates of the `.crt` files that CockroachDB requires.

@dbist (Contributor), Apr 14, 2020:
This can be done only once at the end, now that every cert is in the same directory.

@Amruta-Ranade (Author, Contributor), Apr 14, 2020:
So I restructured the doc a bit -- moved the step of uploading to each node/client to the end of the doc. Should they delete the .pem files at the very end or after every cert creation?


### Step 3. Create the certificate and key pair for the first user

1. Copy the `ca.crt` from the `node-certs` directory to the `client-certs` directory

{% include copy-clipboard.html %}
~~~ shell
$ cp node-certs/ca.crt client-certs
~~~

2. Create the `client.cnf` file for the first user and copy the following configuration into it:
1. Create the `client.cnf` file for the first user and copy the following configuration into it:

{% include copy-clipboard.html %}
~~~
@@ -276,50 +268,50 @@ In the following steps, replace the placeholder text in the code with the actual

{{site.data.alerts.callout_danger}}The <code>commonName</code> and <code>subjectAltName</code> parameters are vital for CockroachDB functions. You can modify or omit other parameters as per your preferred OpenSSL configuration, but do not omit the <code>commonName</code> parameter or modify the <code>subjectAltName</code> parameter. {{site.data.alerts.end}}

3. Create the key for the first client using the [`openssl genrsa`](https://www.openssl.org/docs/manmaster/man1/genrsa.html) command:
2. Create the key for the first client using the [`openssl genrsa`](https://www.openssl.org/docs/manmaster/man1/genrsa.html) command:

{% include copy-clipboard.html %}
~~~ shell
$ openssl genrsa -out client-certs/client.<username_1>.key 2048
$ openssl genrsa -out certs/client.<username_1>.key 2048
~~~
{% include copy-clipboard.html %}
~~~ shell
$ chmod 400 client-certs/client.<username_1>.key
$ chmod 400 certs/client.<username_1>.key
~~~

4. Create the CSR for the first client using the [`openssl req`](https://www.openssl.org/docs/manmaster/man1/req.html) command:
3. Create the CSR for the first client using the [`openssl req`](https://www.openssl.org/docs/manmaster/man1/req.html) command:

{% include copy-clipboard.html %}
~~~ shell
$ openssl req \
-new \
-config client.cnf \
-key client-certs/client.<username_1>.key \
-key certs/client.<username_1>.key \
-out client.<username_1>.csr \
-batch
~~~

5. Sign the client CSR to create the client certificate for the first client using the [`openssl ca`](https://www.openssl.org/docs/manmaster/man1/ca.html) command.
4. Sign the client CSR to create the client certificate for the first client using the [`openssl ca`](https://www.openssl.org/docs/manmaster/man1/ca.html) command.

{% include copy-clipboard.html %}
~~~ shell
$ openssl ca \
-config ca.cnf \
-keyfile my-safe-directory/ca.key \
-cert client-certs/ca.crt \
-cert certs/ca.crt \
-policy signing_policy \
-extensions signing_client_req \
-out client-certs/client.<username_1>.crt \
-outdir client-certs/ \
-out certs/client.<username_1>.crt \
-outdir certs/ \
-in client.<username_1>.csr \
-batch
~~~

6. Verify the values in the `CN` field in the certificate:
5. Verify the values in the `CN` field in the certificate:

{% include copy-clipboard.html %}
~~~ shell
$ openssl x509 -in client-certs/client.<username_1>.crt -text | grep CN=
$ openssl x509 -in certs/client.<username_1>.crt -text | grep CN=
~~~

Sample Output:
@@ -329,22 +321,22 @@ In the following steps, replace the placeholder text in the code with the actual
Subject: O=Cockroach, CN=maxroach
~~~

7. Remove the `.pem` files in the `client-certs` directory. These files are unnecessary duplicates of the `.crt` files that CockroachDB requires.
6. Remove the `.pem` files in the `certs` directory. These files are unnecessary duplicates of the `.crt` files that CockroachDB requires.

### Step 4. Start a local cluster and connect using a connection URL

1. Start a single-node cluster:

{% include copy-clipboard.html %}
~~~ shell
$ cockroach start-single-node --certs-dir=node-certs --cert-principal-map=<node-domain>:node,<username_1>:root --background
$ cockroach start-single-node --certs-dir=certs --cert-principal-map=<node-domain>:node,<username_1>:root --background
~~~

2. Connect to the cluster using a connection URL:

{% include copy-clipboard.html %}
~~~ shell
$ cockroach sql --url='postgres://<hostname>:26257/?sslmode=verify-full&sslrootcert=client-certs/ca.crt&sslcert=client-certs/client.<username_1>.crt&sslkey=client-certs/client.<username_1>.key&sslmode=verify-full'
$ cockroach sql --url='postgres://<hostname>:26257/?sslmode=verify-full&sslrootcert=certs/ca.crt&sslcert=certs/client.<username_1>.crt&sslkey=certs/client.<username_1>.key&sslmode=verify-full'
~~~

3. Create a new SQL user:
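Review bot: the connection URL on the changed `cockroach sql --url=...` line carries `sslmode=verify-full` twice, once at the start of the query string and again at the end; drop one of them. Separately, `--certs-dir=certs` now points the node at the same directory that holds the client keys created in Step 3, which is fine for this single-node local example, but the text should make clear that for a real node only `ca.crt`, `node.crt` and `node.key` belong in the node's certs directory.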
@@ -382,11 +374,11 @@ In the following steps, replace the placeholder text in the code with the actual

{% include copy-clipboard.html %}
~~~ shell
$ openssl genrsa -out client-certs/client.<username_2>.key 2048
$ openssl genrsa -out certs/client.<username_2>.key 2048
~~~
{% include copy-clipboard.html %}
~~~ shell
$ chmod 400 client-certs/client.<username_2>.key
$ chmod 400 certs/client.<username_2>.key
~~~

3. Create the CSR for the first client using the [`openssl req`](https://www.openssl.org/docs/manmaster/man1/req.html) command:
@@ -396,7 +388,7 @@ In the following steps, replace the placeholder text in the code with the actual
$ openssl req \
-new \
-config client.cnf \
-key client-certs/client.<username_2>.key \
-key certs/client.<username_2>.key \
-out client.<username_2>.csr \
-batch
~~~
@@ -408,11 +400,11 @@ In the following steps, replace the placeholder text in the code with the actual
$ openssl ca \
-config ca.cnf \
-keyfile my-safe-directory/ca.key \
-cert client-certs/ca.crt \
-cert certs/ca.crt \
-policy signing_policy \
-extensions signing_client_req \
-out client-certs/client.<username_2>.crt \
-outdir client-certs/ \
-out certs/client.<username_2>.crt \
-outdir certs/ \
-in client.<username_2>.csr \
-batch
~~~
@@ -421,7 +413,7 @@ In the following steps, replace the placeholder text in the code with the actual

{% include copy-clipboard.html %}
~~~ shell
$ openssl x509 -in client-certs/client.<username_2>.crt -text | grep CN=
$ openssl x509 -in certs/client.<username_2>.crt -text | grep CN=
~~~

Sample output:
@@ -435,10 +427,10 @@ In the following steps, replace the placeholder text in the code with the actual

{% include copy-clipboard.html %}
~~~ shell
$ cockroach sql --certs-dir=client-certs --user=<username_2>
$ cockroach sql --url='postgres://<username_2>@<hostname>:26257/?sslmode=verify-full&sslrootcert=certs/ca.crt&sslcert=certs/client.<username_2>.crt&sslkey=certs/client.<username_2>.key&sslmode=verify-full'
~~~

7. Remove the `.pem` files in the `client-certs` directory. These files are unnecessary duplicates of the `.crt` files that CockroachDB requires.
7. Remove the `.pem` files in the `certs` directory. These files are unnecessary duplicates of the `.crt` files that CockroachDB requires.

For each node in your deployment, repeat [Step 2](#step-2-create-the-certificate-and-key-pairs-for-nodes) and upload the CA certificate and node key and certificate to the node. For each client, repeat [Step 5](#step-5-create-the-certificate-and-key-pair-for-a-client) and upload the CA certificate and client key and certificate to the client.


0 comments on commit 4f1c3f1
