Create Security Certificates

A secure CockroachDB cluster uses TLS for encrypted inter-node and client-node communication, which requires CA, node, and client certificates and keys. To create these certificates and keys, use the cockroach cert commands with the appropriate subcommands and flags, or use openssl commands.

Subcommands

Subcommand	Usage
openssl genrsa	Create an RSA private key.
openssl req	Create CA certificate and CSRs (certificate signing requests).
openssl ca	Create node and client certificates using the CSRs.

Configuration Files

To use openssl req and openssl ca subcommands, you need the following configuration files:

File name pattern	File usage
ca.cnf	CA configuration file
node.cnf	Server configuration file
client.cnf	Client configuration file

Certificate Directory

To create node and client certificates using the OpenSSL commands, you need access to a local copy of the CA certificate and key. We recommend creating all certificates (node, client, and CA certificates), and node and client keys in one place and then distributing them appropriately. Store the CA key somewhere safe and keep a backup; if you lose it, you will not be able to add new nodes or clients to your cluster.

Use the openssl genrsa and openssl req subcommands to create all certificates, and node and client keys in a single directory, with the files named as follows:

File name pattern	File usage
ca.crt	CA certificate
node.crt	Server certificate
node.key	Key for server certificate
client.<user>.crt	Client certificate for <user> (for example: client.root.crt for user root)
client.<user>.key	Key for the client certificate

Note the following:

• The CA key should not be uploaded to the nodes and clients, so it should be created in a separate directory.

• Keys (files ending in .key) must not have group or world permissions (maximum permissions are 0700, or rwx------). This check can be disabled by setting the environment variable COCKROACH_SKIP_KEY_PERMISSION_CHECK=true.

Examples

Create the CA key and certificate pair

1. Create two directories:

   $ mkdir certs
   

   $ mkdir my-safe-directory
   

   • certs: Create your CA certificate and all node and client certificates and keys in this directory and then upload the relevant files to the nodes and clients.
   • my-safe-directory: Create your CA key in this directory and then reference the key when generating node and client certificates. After that, keep the key safe and secret; do not upload it to your nodes or clients.

2. Create the ca.cnf file and copy the following configuration into it.

   You can set the CA certificate expiration period using the default_days parameter. We recommend using the CockroachDB default value of the CA certificate expiration period, which is 3660 days.

   # OpenSSL CA configuration file
   [ ca ]
   default_ca = CA_default
   
   [ CA_default ]
   default_days = 3660
   database = index.txt
   serial = serial.txt 
   default_md = sha256 
   copy_extensions = copy
   unique_subject = no
   
   # Used to create the CA certificate.
   [ req ]
   prompt=no
   distinguished_name = distinguished_name
   x509_extensions = extensions
   
   [ distinguished_name ]
   organizationName = Cockroach
   commonName = Cockroach CA
   
   [ extensions ]
   keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign
   basicConstraints = critical,CA:true,pathlen:1
   
   # Common policy for nodes and users.
   [ signing_policy ]
   organizationName = supplied
   commonName = supplied
   
   # Used to sign node certificates.
   [ signing_node_req ]
   keyUsage = critical,digitalSignature,keyEncipherment
   extendedKeyUsage = serverAuth,clientAuth
   
   # Used to sign client certificates.
   [ signing_client_req ]
   keyUsage = critical,digitalSignature,keyEncipherment
   extendedKeyUsage = clientAuth
   

   Note:

   The keyUsage and extendedkeyUsage parameters are vital for CockroachDB functions. You can modify or omit other parameters as per your preferred OpenSSL configuration, but do not omit the keyUsage and extendedkeyUsage parameters.

3. Create the CA key using the openssl genrsa command:

   $ openssl genrsa -out my-safe-directory/ca.key 2048
   

   $ chmod 400 my-safe-directory/ca.key
   

4. Create the CA certificate using the openssl req command:

   $ openssl req \
   -new \
   -x509 \
   -config ca.cnf \
   -key my-safe-directory/ca.key \
   -out certs/ca.crt \
   -days 3660 \
   -batch
   

5. Reset database and index files.

   $ rm -f index.txt serial.txt
   

   $ touch index.txt
   

   $ echo '01' > serial.txt
   

Create the certificate and key pairs for nodes

In the following steps, replace the placeholder text in the code with the actual username and node address.

1. Create the node.cnf file for the first node and copy the following configuration into it:

   # OpenSSL node configuration file
   [ req ]
   prompt=no
   distinguished_name = distinguished_name
   req_extensions = extensions
   
   [ distinguished_name ]
   organizationName = Cockroach
   # Required value for commonName, do not change.
   commonName = node
   
   [ extensions ]
   subjectAltName = DNS:<node-hostname>,DNS:<node-domain>,IP:<IP Address>
   

   Warning:

   The commonName and subjectAltName parameters are vital for CockroachDB functions. It is also required that commonName be set to node. You can modify or omit other parameters as per your preferred OpenSSL configuration, but do not omit the commonName and subjectAltName parameters.

2. Create the key for the first node using the openssl genrsa command:

   $ openssl genrsa -out certs/node.key 2048 
   

   $ chmod 400 certs/node.key
   

3. Create the CSR for the first node using the openssl req command:

   # Create Node certificate signing request.
   $ openssl req \
   -new \
   -config node.cnf \
   -key certs/node.key \
   -out node.csr \
   -batch
   

4. Sign the node CSR to create the node certificate for the first node using the openssl ca command.

   You can set the node certificate expiration period using the days flag. We recommend using the CockroachDB default value of the node certificate expiration period, which is 1830 days.

   # Sign the CSR using the CA key.
   $ openssl ca \
   -config ca.cnf \
   -keyfile my-safe-directory/ca.key \
   -cert certs/ca.crt \
   -policy signing_policy \
   -extensions signing_node_req \
   -out certs/node.crt \
   -outdir certs/ \
   -in node.csr \
   -days 1830 \
   -batch
   

5. Upload certificates to the first node:

   # Create the certs directory:
   $ ssh <username>@<node1 address> "mkdir certs"
   

   # Upload the CA certificate and node certificate and key:
   $ scp certs/ca.crt \
   certs/node.crt \
   certs/node.key \
   <username>@<node1 address>:~/certs
   

6. Delete the local copy of the first node's certificate and key:

   $ rm certs/node.crt certs/node.key
   

   Note:

   This is necessary because the certificates and keys for additional nodes will also be named node.crt and node.key.

7. Repeat steps 1 - 6 for each additional node.

8. Remove the .pem files in the certs directory. These files are unnecessary duplicates of the .crt files that CockroachDB requires.

Create the certificate and key pair for a client

In the following steps, replace the placeholder text in the code with the actual username.

1. Create the client.cnf file for the first client and copy the following configuration into it:

   # OpenSSL client configuration file
   [ req ]
   prompt=no
   distinguished_name = distinguished_name
   
   [ distinguished_name ]
   organizationName = Cockroach
   commonName = <username>
   

   Note:

   The commonName parameter is vital for CockroachDB functions. You can modify or omit other parameters as per your preferred OpenSSL configuration, but do not omit the commonName parameter.

2. Create the key for the first client using the openssl genrsa command:

   $ openssl genrsa -out certs/client.<username>.key 2048
   

   $ chmod 400 certs/client.<username>.key
   

3. Create the CSR for the first client using the openssl req command:

   # Create client certificate signing request
   $ openssl req \
   -new \
   -config client.cnf \
   -key certs/client.<username>.key \
   -out client.<username>.csr \
   -batch
   

4. Sign the client CSR to create the client certificate for the first client using the openssl ca command. You can set the client certificate expiration period using the days flag. We recommend using the CockroachDB default value of the client certificate expiration period, which is 1830 days.

   $ openssl ca \
   -config ca.cnf \
   -keyfile my-safe-directory/ca.key \
   -cert certs/ca.crt \
   -policy signing_policy \
   -extensions signing_client_req \
   -out certs/client.<username>.crt \
   -outdir certs/ \
   -in client.<username>.csr \
   -days 1830 \
   -batch
   

5. Upload certificates to the first client using your preferred method.

6. Repeat steps 1 - 5 for each additional client.

7. Remove the .pem files in the certs directory. These files are unnecessary duplicates of the .crt files that CockroachDB requires.

See Also

• Manual Deployment: Learn about starting a multi-node secure cluster and accessing it from a client.
• Start a Node: Learn more about the flags you pass when adding a node to a secure cluster.
• Client Connection Parameters