A secure CockroachDB cluster uses TLS for encrypted inter-node and client-node communication, which requires CA, node, and client certificates and keys. To create these certificates and keys, use the cockroach cert commands with the appropriate subcommands and flags, or use openssl commands.

Subcommands

Subcommand Usage
openssl genrsa Create an RSA private key.
openssl req Create CA certificate and CSRs (certificate signing requests).
openssl ca Create node and client certificates using the CSRs.

Configuration Files

To use openssl req and openssl ca subcommands, you need the following configuration files:

File name pattern File usage
ca.cnf CA configuration file
node.cnf Server configuration file
client.cnf Client configuration file

Certificate Directory

To create node and client certificates using the OpenSSL commands, you need access to a local copy of the CA certificate and key. We recommend creating all certificates (node, client, and CA certificates), and node and client keys in one place and then distributing them appropriately. Store the CA key somewhere safe and keep a backup; if you lose it, you will not be able to add new nodes or clients to your cluster.

Use the openssl genrsa and openssl req subcommands to create all certificates, and node and client keys in a single directory, with the files named as follows:

File name pattern File usage
ca.crt CA certificate
node.crt Server certificate
node.key Key for server certificate
client.<user>.crt Client certificate for <user> (for example: client.root.crt for user root)
client.<user>.key Key for the client certificate

Note the following:

  • The CA key should not be uploaded to the nodes and clients, so it should be created in a separate directory.

  • Keys (files ending in .key) must not have group or world permissions (maximum permissions are 0700, or rwx------). This check can be disabled by setting the environment variable COCKROACH_SKIP_KEY_PERMISSION_CHECK=true.

Examples

Create the CA key and certificate pair

  1. Create two directories:

    copy
    icon/buttons/copy
    $ mkdir certs
    
    copy
    icon/buttons/copy
    $ mkdir my-safe-directory
    
    • certs: Create your CA certificate and all node and client certificates and keys in this directory and then upload the relevant files to the nodes and clients.
    • my-safe-directory: Create your CA key in this directory and then reference the key when generating node and client certificates. After that, keep the key safe and secret; do not upload it to your nodes or clients.
  2. Create the ca.cnf file and copy the following configuration into it.

    You can set the CA certificate expiration period using the default_days parameter. We recommend using the CockroachDB default value of the CA certificate expiration period, which is 3660 days.

    copy
    icon/buttons/copy
    # OpenSSL CA configuration file
    [ ca ]
    default_ca = CA_default
    
    [ CA_default ]
    default_days = 3660
    database = index.txt
    serial = serial.txt 
    default_md = sha256 
    copy_extensions = copy
    unique_subject = no
    
    # Used to create the CA certificate.
    [ req ]
    prompt=no
    distinguished_name = distinguished_name
    x509_extensions = extensions
    
    [ distinguished_name ]
    organizationName = Cockroach
    commonName = Cockroach CA
    
    [ extensions ]
    keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign
    basicConstraints = critical,CA:true,pathlen:1
    
    # Common policy for nodes and users.
    [ signing_policy ]
    organizationName = supplied
    commonName = supplied
    
    # Used to sign node certificates.
    [ signing_node_req ]
    keyUsage = critical,digitalSignature,keyEncipherment
    extendedKeyUsage = serverAuth,clientAuth
    
    # Used to sign client certificates.
    [ signing_client_req ]
    keyUsage = critical,digitalSignature,keyEncipherment
    extendedKeyUsage = clientAuth
    
    Note:
    The keyUsage and extendedkeyUsage parameters are vital for CockroachDB functions. You can modify or omit other parameters as per your preferred OpenSSL configuration, but do not omit the keyUsage and extendedkeyUsage parameters.
  3. Create the CA key using the openssl genrsa command:

    copy
    icon/buttons/copy
    $ openssl genrsa -out my-safe-directory/ca.key 2048
    
    copy
    icon/buttons/copy
    $ chmod 400 my-safe-directory/ca.key
    
  4. Create the CA certificate using the openssl req command:

    copy
    icon/buttons/copy
    $ openssl req \
    -new \
    -x509 \
    -config ca.cnf \
    -key my-safe-directory/ca.key \
    -out certs/ca.crt \
    -days 3660 \
    -batch
    
  5. Reset database and index files.

    copy
    icon/buttons/copy
    $ rm -f index.txt serial.txt
    
    copy
    icon/buttons/copy
    $ touch index.txt
    
    copy
    icon/buttons/copy
    $ echo '01' > serial.txt
    

Create the certificate and key pairs for nodes

In the following steps, replace the placeholder text in the code with the actual username and node address.

  1. Create the node.cnf file for the first node and copy the following configuration into it:

    copy
    icon/buttons/copy
    # OpenSSL node configuration file
    [ req ]
    prompt=no
    distinguished_name = distinguished_name
    req_extensions = extensions
    
    [ distinguished_name ]
    organizationName = Cockroach
    # Required value for commonName, do not change.
    commonName = node
    
    [ extensions ]
    subjectAltName = DNS:<node-hostname>,DNS:<node-domain>,IP:<IP Address>
    
    Warning:
    The commonName and subjectAltName parameters are vital for CockroachDB functions. It is also required that commonName be set to node. You can modify or omit other parameters as per your preferred OpenSSL configuration, but do not omit the commonName and subjectAltName parameters.
  2. Create the key for the first node using the openssl genrsa command:

    copy
    icon/buttons/copy
    $ openssl genrsa -out certs/node.key 2048 
    
    copy
    icon/buttons/copy
    $ chmod 400 certs/node.key
    
  3. Create the CSR for the first node using the openssl req command:

    copy
    icon/buttons/copy
    # Create Node certificate signing request.
    $ openssl req \
    -new \
    -config node.cnf \
    -key certs/node.key \
    -out node.csr \
    -batch
    
  4. Sign the node CSR to create the node certificate for the first node using the openssl ca command.

    You can set the node certificate expiration period using the days flag. We recommend using the CockroachDB default value of the node certificate expiration period, which is 1830 days.

    copy
    icon/buttons/copy
    # Sign the CSR using the CA key.
    $ openssl ca \
    -config ca.cnf \
    -keyfile my-safe-directory/ca.key \
    -cert certs/ca.crt \
    -policy signing_policy \
    -extensions signing_node_req \
    -out certs/node.crt \
    -outdir certs/ \
    -in node.csr \
    -days 1830 \
    -batch
    
  5. Upload certificates to the first node:

    copy
    icon/buttons/copy
    # Create the certs directory:
    $ ssh <username>@<node1 address> "mkdir certs"
    
    copy
    icon/buttons/copy
    # Upload the CA certificate and node certificate and key:
    $ scp certs/ca.crt \
    certs/node.crt \
    certs/node.key \
    <username>@<node1 address>:~/certs
    
  6. Delete the local copy of the first node's certificate and key:

    copy
    icon/buttons/copy
    $ rm certs/node.crt certs/node.key
    
    Note:
    This is necessary because the certificates and keys for additional nodes will also be named node.crt and node.key.
  7. Repeat steps 1 - 6 for each additional node.

  8. Remove the .pem files in the certs directory. These files are unnecessary duplicates of the .crt files that CockroachDB requires.

Create the certificate and key pair for a client

In the following steps, replace the placeholder text in the code with the actual username.

  1. Create the client.cnf file for the first client and copy the following configuration into it:

    copy
    icon/buttons/copy
    # OpenSSL client configuration file
    [ req ]
    prompt=no
    distinguished_name = distinguished_name
    
    [ distinguished_name ]
    organizationName = Cockroach
    commonName = <username>
    
    Note:
    The commonName parameter is vital for CockroachDB functions. You can modify or omit other parameters as per your preferred OpenSSL configuration, but do not omit the commonName parameter.
  2. Create the key for the first client using the openssl genrsa command:

    copy
    icon/buttons/copy
    $ openssl genrsa -out certs/client.<username>.key 2048
    
    copy
    icon/buttons/copy
    $ chmod 400 certs/client.<username>.key
    
  3. Create the CSR for the first client using the openssl req command:

    copy
    icon/buttons/copy
    # Create client certificate signing request
    $ openssl req \
    -new \
    -config client.cnf \
    -key certs/client.<username>.key \
    -out client.<username>.csr \
    -batch
    
  4. Sign the client CSR to create the client certificate for the first client using the openssl ca command. You can set the client certificate expiration period using the days flag. We recommend using the CockroachDB default value of the client certificate expiration period, which is 1830 days.

    copy
    icon/buttons/copy
    $ openssl ca \
    -config ca.cnf \
    -keyfile my-safe-directory/ca.key \
    -cert certs/ca.crt \
    -policy signing_policy \
    -extensions signing_client_req \
    -out certs/client.<username>.crt \
    -outdir certs/ \
    -in client.<username>.csr \
    -days 1830 \
    -batch
    
  5. Upload certificates to the first client using your preferred method.

  6. Repeat steps 1 - 5 for each additional client.

  7. Remove the .pem files in the certs directory. These files are unnecessary duplicates of the .crt files that CockroachDB requires.

See Also



Yes No