diff --git a/v20.1/create-security-certificates-openssl.md b/v20.1/create-security-certificates-openssl.md index 49e70bc8de5..05194395fed 100644 --- a/v20.1/create-security-certificates-openssl.md +++ b/v20.1/create-security-certificates-openssl.md @@ -155,7 +155,7 @@ Note the following: -batch ~~~ -5. Reset database and index files. +6. Reset database and index files. {% include copy-clipboard.html %} ~~~ shell @@ -235,7 +235,20 @@ In the following steps, replace the placeholder text in the code with the actual -batch ~~~ -5. Upload certificates to the first node: +5. Verify the values in the `Subject Alternative Name` field in the certificate: + + {% include copy-clipboard.html %} + ~~~ shell + $ openssl x509 -in node-certs/node.crt -text | grep "X509v3 Subject Alternative Name" -A 1 + ~~~ + + Example output: + ~~~ + X509v3 Subject Alternative Name: critical + DNS:localhost, DNS:node.example.io, IP Address:127.0.0.1 + ~~~ + +6. Upload certificates to the first node: {% include copy-clipboard.html %} ~~~ shell @@ -250,7 +263,7 @@ In the following steps, replace the placeholder text in the code with the actual @:~/node-certs ~~~ -6. Delete the local copy of the first node's certificate and key: +7. Delete the local copy of the first node's certificate and key: {% include copy-clipboard.html %} ~~~ shell @@ -259,9 +272,9 @@ In the following steps, replace the placeholder text in the code with the actual {{site.data.alerts.callout_info}}This is necessary because the certificates and keys for additional nodes will also be named node.crt and node.key.{{site.data.alerts.end}} -7. Repeat steps 1 - 6 for each additional node. +8. Repeat steps 1 - 6 for each additional node. -8. Remove the `.pem` files in the `node-certs` directory. These files are unnecessary duplicates of the `.crt` files that CockroachDB requires. +9. Remove the `.pem` files in the `node-certs` directory. These files are unnecessary duplicates of the `.crt` files that CockroachDB requires. ### Step 3. Create the certificate and key pair for the `root` user @@ -287,7 +300,7 @@ In the following steps, replace the placeholder text in the code with the actual {{site.data.alerts.callout_danger}}The commonName parameter is vital for CockroachDB functions. You can modify or omit other parameters as per your preferred OpenSSL configuration, but do not omit the commonName parameter. {{site.data.alerts.end}} -2. Create the key for the first client using the [`openssl genrsa`](https://www.openssl.org/docs/manmaster/man1/genrsa.html) command: +3. Create the key for the first client using the [`openssl genrsa`](https://www.openssl.org/docs/manmaster/man1/genrsa.html) command: {% include copy-clipboard.html %} ~~~ shell @@ -298,7 +311,7 @@ In the following steps, replace the placeholder text in the code with the actual $ chmod 400 client-certs/client.root.key ~~~ -3. Create the CSR for the first client using the [`openssl req`](https://www.openssl.org/docs/manmaster/man1/req.html) command: +4. Create the CSR for the first client using the [`openssl req`](https://www.openssl.org/docs/manmaster/man1/req.html) command: {% include copy-clipboard.html %} ~~~ shell @@ -310,7 +323,7 @@ In the following steps, replace the placeholder text in the code with the actual -batch ~~~ -4. Sign the client CSR to create the client certificate for the first client using the [`openssl ca`](https://www.openssl.org/docs/manmaster/man1/ca.html) command. You can set the client certificate expiration period using the `days` flag. We recommend using the CockroachDB default value of the client certificate expiration period, which is 1830 days. +5. Sign the client CSR to create the client certificate for the first client using the [`openssl ca`](https://www.openssl.org/docs/manmaster/man1/ca.html) command. You can set the client certificate expiration period using the `days` flag. We recommend using the CockroachDB default value of the client certificate expiration period, which is 1830 days. {% include copy-clipboard.html %} ~~~ shell @@ -327,9 +340,19 @@ In the following steps, replace the placeholder text in the code with the actual -batch ~~~ -5. Upload certificates to the first client using your preferred method. +6. Verify the values in the `CN` field in the certificate: + + {% include copy-clipboard.html %} + ~~~ shell + $ openssl x509 -in client-certs/client.root.crt -text | grep CN= + ~~~ -6. Repeat steps 1 - 5 for each additional client. + Output: + + ~~~ + Issuer: O=Cockroach, CN=Cockroach CA + Subject: O=Cockroach, CN=root + ~~~ 7. Remove the `.pem` files in the `client-certs` directory. These files are unnecessary duplicates of the `.crt` files that CockroachDB requires. @@ -361,11 +384,11 @@ In the following steps, replace the placeholder text in the code with the actual > \q ~~~ -### Step 5. Create the certificate and key pair for a client +### Step 5. Create the certificate and key pair for a non-`root` client In the following steps, replace the placeholder text in the code with the actual username. -1. Create the `client.cnf` file for the client and copy the following configuration into it: +1. Edit the `client.cnf` file for the client and copy the following configuration into it: {% include copy-clipboard.html %} ~~~ @@ -420,11 +443,32 @@ In the following steps, replace the placeholder text in the code with the actual -batch ~~~ -5. Upload certificates to the first client using your preferred method. +5. Verify the values in the `CN` field in the certificate: + + {% include copy-clipboard.html %} + ~~~ shell + $ openssl x509 -in client-certs/client..crt -text | grep CN= + ~~~ -6. Repeat steps 1 - 5 for each additional client. + Example output: -7. Remove the `.pem` files in the `client-certs` directory. These files are unnecessary duplicates of the `.crt` files that CockroachDB requires. + ~~~ + Issuer: O=Cockroach, CN=Cockroach CA + Subject: O=Cockroach, CN=roach + ~~~ + +6. Upload certificates to the client using your preferred method. + +7. Connect to the SQL client using the client certificate: + + {% include copy-clipboard.html %} + ~~~ shell + $ cockroach sql --certs-dir=client-certs --user=roach + ~~~ + +8. Repeat steps 1 - 7 for each additional client. + +9. Remove the `.pem` files in the `client-certs` directory. These files are unnecessary duplicates of the `.crt` files that CockroachDB requires. ## See also