Create server certificates

Before you can enable server-to-server and client-to-server encryptions using Transport Security Layer (TLS), you need to prepare each node in a YugabyteDB cluster.

Create the server certificates

Create a secure data directory

To generate and store the secure information, such as the root certificate, create a directory, secure-data, in your root directory. After completing the preparation, you will copy this data inti a secure location and then delete this directory.

  1. $ mkdir secure-data

Create temporary node directories

Now create one directory for each node and put all the required data in that directory. This files added to each directory will be copied into the tls-cert directory on each node.

  1. $ mkdir 127.0.0.1/ 127.0.0.2/ 127.0.0.3/

You should now have three directories, named 127.0.0.1, 127.0.0.2, and 127.0.0.3, representing the three nodes of your YugabyteDB cluster.

Create the root configuration file

Create the file root.conf in the yugabyte-tls-config directory with the OpenSSL CA configuration.

  1. $ cat > secure-data/ca.conf

Paste the following example root configuration into the file.

  1. ####################################
  2. # Example CA root configuration file
  3. ####################################
  5. [ ca ]
  6. default_ca = my_ca
  8. [ my_ca ]
  9. # Validity of the signed certificate in days.
  10. default_days = 3650
  12. # Text file with next hex serial number to use.
  13. serial = ./serial.txt
  15. # Text database file to use, initially empty.
  16. database = ./index.txt
  18. # Message digest algorithm. Do not use MD5.
  19. default_md = sha256
  21. # a section with a set of variables corresponding to DN fields
  22. policy = my_policy
  24. [ my_policy ]
  26. # Policy for nodes and users. If the value is "match" then 
  27. # field value must match the same field in the CA certificate.
  28. # If the value is "supplied" then it must be present. Optional
  29. # means it may be present.
  30. organizationName = supplied
  31. commonName = supplied
  33. [req]
  34. prompt=no
  35. distinguished_name = my_distinguished_name
  36. x509_extensions = my_extensions
  38. [ my_distinguished_name ]
  39. organizationName = Yugabyte
  40. commonName = CA for YugabyteDB
  42. [ my_extensions ]
  43. keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign
  44. basicConstraints = critical,CA:true,pathlen:1

To save and close the file, enter Ctl+D.

Add required files

Create the index file (index.txt) and database file (serial.txt) by running the following commands.

  1. $ touch index.txt
  2. $ echo '01' > serial.txt

Generate the root key (ca.key)

To generate the root private key file (ca.key) in the secure-data directory, run the following openssl genrsa command.

  1. $ openssl genrsa -out secure-data/ca.key

You should see output like this:

  1. Generating RSA private key, 2048 bit long modulus (2 primes)
  2. ......................+++++
  3. .................+++++
  4. e is 65537 (0x010001)

Change the access permissions of the generated private key to allow read-only privileges by running the chmod command.

  1. $ chmod 400 secure-data/ca.key

Generate the root certificate file

Next, generate the root certificate file (ca.crt) by running the following openssl req command.

  1. $ openssl req -new                      \
  2.             -x509                       \
  3.             -config secure-data/ca.conf \
  4.             -key secure-data/ca.key     \
  5.             -out secure-data/ca.crt

In the secure-data directory, you should now have the following three files:

  • ca.conf - root configuration file
  • ca.key - root key file
  • ca.crt - root certificate file

You can verify the root certificate by running the following openssl x509 command.

  1. $ openssl x509 -in secure-data/ca.crt -text -noout

You should see output similar to this:

  1. Certificate:
  2.     Data:
  3.         Version: 3 (0x2)
  4.         Serial Number:
  5.             61:ca:24:00:c8:40:f3:4d:66:59:80:35:86:ca:b9:6f:98:b1:1c:5e
  6.         Signature Algorithm: sha256WithRSAEncryption
  7.         Issuer: O = Yugabyte, CN = CA for YugabyteDB
  8.         Validity
  9.             Not Before: Feb 14 04:40:56 2020 GMT
  10.             Not After : Mar 15 04:40:56 2020 GMT
  11.         Subject: O = Yugabyte, CN = CA for YugabyteDB
  12.         Subject Public Key Info:
  13.             Public Key Algorithm: rsaEncryption
  14.                 RSA Public-Key: (2048 bit)
  15.                 Modulus:
  16.                     00:c9:8c:20:7d:63:ed:8d:9f:2d:f2:2e:90:34:2c:
  17.                     79:0b:0b:77:2f:4c:88:78:63:28:db:91:6d:c4:21:
  18.                     bd:e2:dd:14:a3:ba:e5:db:4d:b9:34:e8:74:7b:1f:
  19.                     ff:70:a2:8c:0c:f5:df:d4:11:ae:5c:4c:1a:22:94:
  20.                     98:4e:a7:63:ee:44:5b:c6:b7:f0:34:ef:4e:57:1a:
  21.                     30:99:ee:f7:c9:d9:df:e9:af:ab:df:08:e3:69:d9:
  22.                     d4:5d:8e:0c:50:7a:bf:be:7f:f0:7f:e3:20:13:d8:
  23.                     c9:44:21:1f:05:6b:52:d3:77:b8:75:8e:78:c6:60:
  24.                     3c:7e:9a:8a:77:b2:65:da:6c:25:7a:4a:ee:eb:4a:
  25.                     a8:6b:43:79:ea:15:96:8b:3d:03:50:08:a4:2d:76:
  26.                     2f:09:e3:eb:b3:f6:77:17:2a:3e:dc:9b:f8:60:cf:
  27.                     93:f3:84:6a:19:b0:64:4a:0f:47:51:c9:47:0f:20:
  28.                     5d:cd:af:1e:5d:65:36:0f:b0:44:c3:eb:9a:63:44:
  29.                     dd:ac:25:f8:f4:60:6c:9b:72:46:6d:18:c3:94:7d:
  30.                     b5:d9:89:79:e1:39:dd:4f:01:26:b2:da:c1:ac:af:
  31.                     85:d9:cc:a7:02:65:2a:d6:06:47:cc:11:72:cc:d6:
  32.                     92:45:c0:64:43:4c:13:07:d1:6f:38:8e:fe:db:1e:
  33.                     5e:e5
  34.                 Exponent: 65537 (0x10001)
  35.         X509v3 extensions:
  36.             X509v3 Key Usage: critical
  37.                 Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign
  38.             X509v3 Basic Constraints: critical
  39.                 CA:TRUE, pathlen:1
  40.     Signature Algorithm: sha256WithRSAEncryption
  41.          9e:d1:41:36:63:78:4b:e4:57:f2:bd:23:c4:4b:e1:64:e8:c0:
  42.          e3:e1:30:c5:2b:dd:b0:c2:99:ca:86:cb:85:70:6f:29:4c:b0:
  43.          3e:ba:76:af:87:22:a3:64:1f:3e:4f:69:74:8b:a3:b3:e0:71:
  44.          12:aa:0b:28:85:0a:45:40:7b:a5:d1:42:cd:51:bc:85:6a:53:
  45.          16:69:89:78:85:bd:46:9d:1a:ca:19:14:de:72:e4:5c:91:51:
  46.          58:99:b5:83:97:a5:63:dc:b9:7a:05:1e:a9:a7:5f:42:e1:12:
  47.          4e:2b:e1:98:e5:31:14:b5:64:5f:66:bc:13:b8:19:ca:9c:ad:
  48.          12:44:f8:21:3b:ef:0d:ca:9b:c4:04:d6:d7:93:d2:83:87:79:
  49.          2a:2d:dc:de:4c:ad:30:cf:10:de:05:24:52:91:31:fd:cc:d6:
  50.          cb:3b:ba:73:8f:ae:0d:97:f0:e4:aa:ca:76:c0:15:3c:80:7d:
  51.          3a:d8:28:3c:91:bc:19:c8:5c:cd:94:49:31:23:ae:08:e5:9a:
  52.          ce:62:6a:53:08:38:6d:0f:b4:fd:e9:66:8c:fb:cd:be:a0:01:
  53.          b4:9d:39:57:58:6c:b3:8e:25:e3:86:24:13:59:d6:a0:d2:f0:
  54.          15:1e:8c:24:44:5b:3a:db:1c:ef:60:70:24:58:df:56:99:aa:
  55.          22:78:12:d6
  56.          ```
  58. ## Copy the root certificate to each node directory
  60. Copy the generated root certificate file (`root.crt`) to all three node directories.

sh$ cp secure-data/ca.crt 127.0.0.1$ cp secure-data/ca.crt 127.0.0.2$ cp secure-data/ca.crt 127.0.0.3

  2. ## Generate key and certificate files for each node
  4. Now you can generate the node key `node.key` and node certificate `node.crt` for each node.
  6. ### Generate configuration for each node
  8. Repeat the steps in this section once for each node.
  9. The IP address of each node is  `<node-ip-address>`
  11. 1. Generate a configuration file (`node.conf`) for a node, using the node's IP address (`<node-ip-address>`) as the directory name.

sh$ cat > /node.conf

  2. 2. Add the following sample configuration content (use as-is, or customize as needed).
  5. Note
  6. Remember to replace the <node-ip-address> entry in the example configuration file below with the IP address for each node.

sh#################################

Example node configuration file

#

[ req ]prompt=nodistinguished_name = my_distinguished_name

[ my_distinguished_name ]organizationName = Yugabyte

Required value for commonName, do not change.

commonName = ```

  • After pasting the content in step 2 and replacing <node-ip-address> with the node IP address, save and close the file by entering Ctl+D.Repeat these three steps for each of the three nodes. You should then have a copy of node.conf in the 127.0.0.1, 127.0.0.2, and 127.0.0.3 directories.

Generate private key files for each node

For each of the three nodes, generate the node private key by running the following command, replacing <node-ip-address> with the node IP address.

NoteFor YugabyteDB to recognize the file, it must be of the format node.<commonName>.key. In this example,you are using the <node-ip-address> for the <commonName>, so the file names should be node.127.0.0.1.key,node.127.0.0.2.key, and node.127.0.0.3.key.

  1. $ openssl genrsa -out <node-ip-address>/node.<node-ip-address>.key
  2. $ chmod 400 <node-ip-address>/node.<node-ip-address>.key

Generate the node certificates

Next, you need to generate the node certificate. This has two steps. First, create the certificate signing request (CSR) for each node, changing <node-ip-address>to the node IP address.

  1. $ openssl req -new \
  2.               -config <node-ip-address>/node.conf \
  3.               -key <node-ip-address>/node.<node-ip-address>.key \
  4.               -out <node-ip-address>/node.csr

Sign each node CSR using the root key (ca.key) and root certificate (ca.crt). Run the following openssl ca command, changing <node-ip-address>to the node IP address.

  1. $ openssl ca -config secure-data/ca.conf \
  2.              -keyfile secure-data/ca.key \
  3.              -cert secure-data/ca.crt \
  4.              -policy my_policy \
  5.              -out <node-ip-address>/node.<node-ip-address>.crt \
  6.              -outdir <node-ip-address>/ \
  7.              -in <node-ip-address>/node.csr \
  8.              -days 3650 \
  9.              -batch

For the 127.0.0.1 node, you should see the following output.

  1. Using configuration from secure-data/ca.conf
  2. Check that the request matches the signature
  3. Signature ok
  4. The Subject's Distinguished Name is as follows
  5. organizationName      :ASN.1 12:'Yugabyte'
  6. commonName            :ASN.1 12:'127.0.0.1'
  7. Certificate is to be certified until Feb 11 04:53:11 2030 GMT (3650 days)
  9. Write out database with 1 new entries
  10. Data Base Updated

NoteEach node key and certificate should use the node.<commonName>.[crt | key] naming format.

You can verify the signed certificate for each of the nodes by running the following openssl verify command:

  1. $ openssl verify -CAfile secure-data/ca.crt <node-ip-address>/node.<node-ip-address>.crt

You should see the following output, displaying the node IP address:

  1. X.X.X.X/node.X.X.X.X.crt: OK

Copy configuration files to the nodes

The files needed for each node are:

  • ca.crt
  • node.<commonName>.crt (Example: node.127.0.0.1.crt)
  • node.<commonName>.key (Example: node.127.0.0.1.key)

You can remove all other files in the node directories as they are unnecessary.

Upload the necessary information to each target node.

Create the directory that will contain the configuration files.

  1. $ ssh <username>@<node-ip-address> mkdir ~/certs

Copy all the configuration files into the above directory by running the following commands, changing <node-ip-address>to match the node IP address.

  1. $ scp <node-ip-address>/ca.crt <user>@<node-ip-address>:~/certs/<node-ip-address>
  1. $ scp <node-ip-address>/node.<node-ip-address>.crt <user>@<node-ip-address>:~/certs/<node-ip-address>
  1. $ scp <node-ip-address>/node.<node-ip-address>.key <user>@<node-ip-address>:~/certs/<node-ip-address>

You can now delete, or appropriately secure, the directories you created for the nodes on the local machine.