SSL for all inter-node comms about cockroach HOT 7 CLOSED

I had to figure out the openssl commands for doing this recently. Might as well copy them here for posterity.

rm -f ca.{key,crt} test.{key,csr,crt}
rm -f index.txt* serial* *.pem

# Generate a self-signed CA.
openssl req -x509 -config openssl.cnf -nodes -days 365 \
    -newkey rsa:1024 -subj "/C=US/ST=New York/L=New York/O=Cockroach/CN=Test CA" \
    -extensions v3_ca -keyout ca.key -out ca.crt

# Create the certificate signing requests.
openssl req -config openssl.cnf -nodes -days 365 \
    -newkey rsa:1024 -subj "/C=US/ST=New York/L=env:development/O=Cockroach/OU=test/CN=localhost" \
    -keyout test.key -out test.csr

# Setup the files needed by the CA.
touch index.txt index.txt.attr
echo "01" > serial

# Generate the client and server certificates from the signing
# requests.
openssl ca -batch -config openssl.cnf -cert ca.crt -keyfile ca.key \
    -extensions good_usr_crt -in test.csr -out test.crt

# Remove the files needed by the CA. These don't need to be checked in
# because we'll just recreate them if this script needs to be re-run.
rm -f index.txt* serial* *.pem *.csr ca.key

from cockroach.

Awesome.

On Tue, Jun 3, 2014 at 4:22 PM, Peter Mattis [email protected]
wrote:

I had to figure out the openssl commands for doing this recently. Might as
well copy them here for posterity.

rm -f ca.{key,crt} test.{key,csr,crt}
rm -f index.txt* serial* *.pem
Generate a self-signed CA.

openssl req -x509 -config openssl.cnf -nodes -days 365
-newkey rsa:1024 -subj "/C=US/ST=New York/L=New York/O=Cockroach/CN=Test
CA"
-extensions v3_ca -keyout ca.key -out ca.crt
Create the certificate signing requests.

openssl req -config openssl.cnf -nodes -days 365
-newkey rsa:1024 -subj "/C=US/ST=New
York/L=env:development/O=Cockroach/OU=test/CN=localhost"
-keyout test.key -out test.csr
Setup the files needed by the CA.

touch index.txt index.txt.attr
echo "01" > serial
Generate the client and server certificates from the signing requests.

openssl ca -batch -config openssl.cnf -cert ca.crt -keyfile ca.key
-extensions good_usr_crt -in test.csr -out test.crt
Remove the files needed by the CA. These don't need to be checked in because
we'll just recreate them if this script needs to be re-run.

rm -f index.txt* serial* *.pem *.csr ca.key

—
Reply to this email directly or view it on GitHub
#21 (comment)
.

from cockroach.

FYI go's crypto libraries include key generation stuff as well, so we might be able to do this without shelling out to openssl. I'm not sure which will turn out to be easier.

from cockroach.

We have a Go based client certificate authority here: https://github.com/coreos/etcd-ca and there is this too: https://github.com/cloudflare/cfssl

from cockroach.

Great. Thanks, @philips!

from cockroach.

@mberhault is this still under development or ready to be crossed off the list? (I know there's still endless work associated with this, but perhaps that follow on stuff should get new issues).

from cockroach.

the inter-node part is done. I'll file different issues for client certs (the main chunk of the work left) and key management for nodes.

from cockroach.