A secure CockroachDB cluster uses TLS for encrypted inter-node and client-node communication, which requires CA, node, and client certificates and keys. To create these certificates and keys, use the cockroach cert
commands with the appropriate subcommands and flags, or use openssl
commands.
Subcommands
Subcommand | Usage |
---|---|
openssl genrsa |
Create an RSA private key. |
openssl req |
Create CA certificate and CSRs (certificate signing requests). |
openssl ca |
Create node and client certificates using the CSRs. |
Configuration Files
To use openssl req
and openssl ca
subcommands, you need the following configuration files:
File name pattern | File usage |
---|---|
ca.cnf |
CA configuration file |
node.cnf |
Server configuration file |
client.cnf |
Client configuration file |
Certificate Directory
To create node and client certificates using the OpenSSL commands, you need access to a local copy of the CA certificate and key. We recommend creating all certificates (node, client, and CA certificates), and node and client keys in one place and then distributing them appropriately. Store the CA key somewhere safe and keep a backup; if you lose it, you will not be able to add new nodes or clients to your cluster.
Use the openssl genrsa
and openssl req
subcommands to create all certificates, and node and client keys in a single directory, with the files named as follows:
File name pattern | File usage |
---|---|
ca.crt |
CA certificate |
node.crt |
Server certificate |
node.key |
Key for server certificate |
client.<user>.crt |
Client certificate for <user> (for example: client.root.crt for user root ) |
client.<user>.key |
Key for the client certificate |
Note the following:
The CA key should not be uploaded to the nodes and clients, so it should be created in a separate directory.
Keys (files ending in
.key
) must not have group or world permissions (maximum permissions are 0700, orrwx------
). This check can be disabled by setting the environment variableCOCKROACH_SKIP_KEY_PERMISSION_CHECK=true
.
Examples
Create the CA key and certificate pair
Create two directories:
$ mkdir certs
$ mkdir my-safe-directory
certs
: Create your CA certificate and all node and client certificates and keys in this directory and then upload the relevant files to the nodes and clients.my-safe-directory
: Create your CA key in this directory and then reference the key when generating node and client certificates. After that, keep the key safe and secret; do not upload it to your nodes or clients.
Create the
ca.cnf
file and copy the following configuration into it.You can set the CA certificate expiration period using the
default_days
parameter. We recommend using the CockroachDB default value of the CA certificate expiration period, which is 3660 days.# OpenSSL CA configuration file [ ca ] default_ca = CA_default [ CA_default ] default_days = 3660 database = index.txt serial = serial.txt default_md = sha256 copy_extensions = copy unique_subject = no # Used to create the CA certificate. [ req ] prompt=no distinguished_name = distinguished_name x509_extensions = extensions [ distinguished_name ] organizationName = Cockroach commonName = Cockroach CA [ extensions ] keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign basicConstraints = critical,CA:true,pathlen:1 # Common policy for nodes and users. [ signing_policy ] organizationName = supplied commonName = supplied # Used to sign node certificates. [ signing_node_req ] keyUsage = critical,digitalSignature,keyEncipherment extendedKeyUsage = serverAuth,clientAuth # Used to sign client certificates. [ signing_client_req ] keyUsage = critical,digitalSignature,keyEncipherment extendedKeyUsage = clientAuth
Note:ThekeyUsage
andextendedkeyUsage
parameters are vital for CockroachDB functions. You can modify or omit other parameters as per your preferred OpenSSL configuration, but do not omit thekeyUsage
andextendedkeyUsage
parameters.Create the CA key using the
openssl genrsa
command:$ openssl genrsa -out my-safe-directory/ca.key 2048
$ chmod 400 my-safe-directory/ca.key
Create the CA certificate using the
openssl req
command:$ openssl req \ -new \ -x509 \ -config ca.cnf \ -key my-safe-directory/ca.key \ -out certs/ca.crt \ -days 3660 \ -batch
Reset database and index files.
$ rm -f index.txt serial.txt
$ touch index.txt
$ echo '01' > serial.txt
Create the certificate and key pairs for nodes
In the following steps, replace the placeholder text in the code with the actual username and node address.
Create the
node.cnf
file for the first node and copy the following configuration into it:# OpenSSL node configuration file [ req ] prompt=no distinguished_name = distinguished_name req_extensions = extensions [ distinguished_name ] organizationName = Cockroach # Required value for commonName, do not change. commonName = node [ extensions ] subjectAltName = DNS:<node-hostname>,DNS:<node-domain>,IP:<IP Address>
Warning:ThecommonName
andsubjectAltName
parameters are vital for CockroachDB functions. It is also required thatcommonName
be set tonode
. You can modify or omit other parameters as per your preferred OpenSSL configuration, but do not omit thecommonName
andsubjectAltName
parameters.Create the key for the first node using the
openssl genrsa
command:$ openssl genrsa -out certs/node.key 2048
$ chmod 400 certs/node.key
Create the CSR for the first node using the
openssl req
command:# Create Node certificate signing request. $ openssl req \ -new \ -config node.cnf \ -key certs/node.key \ -out node.csr \ -batch
Sign the node CSR to create the node certificate for the first node using the
openssl ca
command.You can set the node certificate expiration period using the
days
flag. We recommend using the CockroachDB default value of the node certificate expiration period, which is 1830 days.# Sign the CSR using the CA key. $ openssl ca \ -config ca.cnf \ -keyfile my-safe-directory/ca.key \ -cert certs/ca.crt \ -policy signing_policy \ -extensions signing_node_req \ -out certs/node.crt \ -outdir certs/ \ -in node.csr \ -days 1830 \ -batch
Upload certificates to the first node:
# Create the certs directory: $ ssh <username>@<node1 address> "mkdir certs"
# Upload the CA certificate and node certificate and key: $ scp certs/ca.crt \ certs/node.crt \ certs/node.key \ <username>@<node1 address>:~/certs
Delete the local copy of the first node's certificate and key:
$ rm certs/node.crt certs/node.key
Note:This is necessary because the certificates and keys for additional nodes will also be namednode.crt
andnode.key
.Repeat steps 1 - 6 for each additional node.
Remove the
.pem
files in thecerts
directory. These files are unnecessary duplicates of the.crt
files that CockroachDB requires.
Create the certificate and key pair for a client
In the following steps, replace the placeholder text in the code with the actual username.
Create the
client.cnf
file for the first client and copy the following configuration into it:# OpenSSL client configuration file [ req ] prompt=no distinguished_name = distinguished_name [ distinguished_name ] organizationName = Cockroach commonName = <username>
Note:ThecommonName
parameter is vital for CockroachDB functions. You can modify or omit other parameters as per your preferred OpenSSL configuration, but do not omit thecommonName
parameter.Create the key for the first client using the
openssl genrsa
command:$ openssl genrsa -out certs/client.<username>.key 2048
$ chmod 400 certs/client.<username>.key
Create the CSR for the first client using the
openssl req
command:# Create client certificate signing request $ openssl req \ -new \ -config client.cnf \ -key certs/client.<username>.key \ -out client.<username>.csr \ -batch
Sign the client CSR to create the client certificate for the first client using the
openssl ca
command. You can set the client certificate expiration period using thedays
flag. We recommend using the CockroachDB default value of the client certificate expiration period, which is 1830 days.$ openssl ca \ -config ca.cnf \ -keyfile my-safe-directory/ca.key \ -cert certs/ca.crt \ -policy signing_policy \ -extensions signing_client_req \ -out certs/client.<username>.crt \ -outdir certs/ \ -in client.<username>.csr \ -days 1830 \ -batch
Upload certificates to the first client using your preferred method.
Repeat steps 1 - 5 for each additional client.
Remove the
.pem
files in thecerts
directory. These files are unnecessary duplicates of the.crt
files that CockroachDB requires.
See Also
- Manual Deployment: Learn about starting a multi-node secure cluster and accessing it from a client.
- Start a Node: Learn more about the flags you pass when adding a node to a secure cluster.
- Client Connection Parameters