Create Security Certificates

To secure your CockroachDB cluster's inter-node and client-node communication, you need to provide a Certificate Authority (CA) certificate that has been used to sign keys and certificates (SSLs) for:

  • Nodes
  • Clients
  • Admin UI (optional)
    To create these certificates and keys, use the cockroach cert commands with the appropriate subcommands and flags, use openssl commands, or use a custom CA (for example, a public CA or your organizational CA).

Tip:
For details about when and how to change security certificates without restarting nodes, see Rotate Security Certificates.

How security certificates work

  • Using the cockroach cert command, you create a CA certificate and key and then node and client certificates that are signed by the CA certificate. Since you need access to a copy of the CA certificate and key to create node and client certs, it's best to create everything in one place.

  • You then upload the appropriate node certificate and key and the CA certificate to each node, and you upload the appropriate client certificate and key and the CA certificate to each client.

  • When nodes establish contact to each other, and when clients establish contact to nodes, they use the CA certificate to verify each other's identity.

Subcommands

SubcommandUsage
create-caCreate the self-signed certificate authority (CA), which you'll use to create and authenticate certificates for your entire cluster.
create-nodeCreate a certificate and key for a specific node in the cluster. You specify all addresses at which the node can be reached and pass appropriate flags.
create-clientCreate a certificate and key for a specific user accessing the cluster from a client. You specify the username of the user who will use the certificate and pass appropriate flags.
listList certificates and keys found in the certificate directory.

Certificate directory

When using cockroach cert to create node and client certificates, you will need access to a local copy of the CA certificate and key. It is therefore recommended to create all certificates and keys in one place and then distribute node and client certificates and keys appropriately. For the CA key, be sure to store it somewhere safe and keep a backup; if you lose it, you will not be able to add new nodes or clients to your cluster. For a walkthrough of this process, see Manual Deployment.

Required keys and certificates

The create-* subcommands generate the CA certificate and all node and client certificates and keys in a single directory specified by the —certs-dir flag, with the files named as follows:

Node key and certificates

File name patternFile usage
ca.crtCA certificate.
node.crtServer certificate. node.crt must be signed by ca.crt and must have CN=node and the list of IP addresses and DNS names listed in Subject Alternative Name field.
node.keyKey for server certificate.

Client key and certificates

File name patternFile usage
ca.crtCA certificate.
client.<user>.crtClient certificate for <user> (e.g., client.root.crt for user root). Must be signed by ca.crt. Also, client.<username>.crt must have CN=<user> (for example, CN=marc for client.marc.crt)
client.<user>.keyKey for the client certificate.

Optionally, if you have a certificate issued by a public CA to securely access the Admin UI, you need to place the certificate and key (ui.crt and ui.key respectively) in the directory specified by the —certs-dir flag. For more information, refer to Use a UI certificate and key to access the Admin UI.

Note the following:

  • By default, the node.crt is multi-functional, as in the same certificate is used for both incoming connections (from SQL and Admin UI clients, and from other CockroachDB nodes) and for outgoing connections to other CockroachDB nodes. To make this possible, the node.crt created using the cockroach cert command has CN=node and the list of IP addresses and DNS names listed in Subject Alternative Name field.

  • The CA key is never loaded automatically by cockroach commands, so it should be created in a separate directory, identified by the —ca-key flag.

  • Keys (files ending in .key) must not have group or world permissions (maximum permissions are 0700, or rwx———). This check can be disabled by setting the environment variable COCKROACH_SKIP_KEY_PERMISSION_CHECK=true.

Synopsis

  1. # Create the CA certificate and key:
  2. $ cockroach cert create-ca \
  3. --certs-dir=[path-to-certs-directory] \
  4. --ca-key=[path-to-ca-key]
  5. # Create a node certificate and key:
  6. $ cockroach cert create-node \
  7. [node-hostname] \
  8. [node-other-hostname] \
  9. [node-yet-another-hostname] \
  10. --certs-dir=[path-to-certs-directory] \
  11. --ca-key=[path-to-ca-key]
  12. # Create a client certificate and key:
  13. $ cockroach cert create-client \
  14. [username] \
  15. --certs-dir=[path-to-certs-directory] \
  16. --ca-key=[path-to-ca-key]
  17. # List certificates and keys:
  18. $ cockroach cert list \
  19. --certs-dir=[path-to-certs-directory]
  20. # View help:
  21. $ cockroach cert --help
  22. $ cockroach cert create-ca --help
  23. $ cockroach cert create-node --help
  24. $ cockroach cert create-client --help
  25. $ cockroach cert list --help

Flags

The cert command and subcommands support the following general-use and logging flags.

General

FlagDescription
—certs-dirThe path to the certificate directory containing all certificates and keys needed by cockroach commands.This flag is used by all subcommands.Default: ${HOME}/.cockroach-certs/
—ca-keyThe path to the private key protecting the CA certificate. This flag is required for all create- subcommands. When used with create-ca in particular, it defines where to create the CA key; the specified directory must exist.Env Variable: COCKROACH_CA_KEY
—allow-ca-key-reuseWhen running the create-ca subcommand, pass this flag to re-use an existing CA key identified by —ca-key. Otherwise, a new CA key will be generated.This flag is used only by the create-ca subcommand. It helps avoid accidentally re-using an existing CA key.
—overwriteWhen running create- subcommands, pass this flag to allow existing files in the certificate directory (—certs-dir) to be overwritten.This flag helps avoid accidentally overwriting sensitive certificates and keys.
—lifetimeThe lifetime of the certificate, in hours, minutes, and seconds. Certificates are valid from the time they are created through the duration specified in —lifetime.Default: 87840h0m0s (10 years)
—key-sizeThe size of the CA, node, or client key, in bits.Default: 2048
—also-generate-pkcs8-keyNew in v19.1: Also create a key in PKCS#8 format, which is the standard key encoding format used by Java. For example usage, see Build a Java App with CockroachDB.

Logging

By default, the cert command logs errors to stderr.

If you need to troubleshoot this command's behavior, you can change its logging behavior.

Examples

Create the CA certificate and key pair

  • Create two directories:
  1. $ mkdir certs
  1. $ mkdir my-safe-directory
  • certs: You'll generate your CA certificate and all node and client certificates and keys in this directory and then upload some of the files to your nodes.
  • my-safe-directory: You'll generate your CA key in this directory and then reference the key when generating node and client certificates. After that, you'll keep the key safe and secret; you will not upload it to your nodes.
    • Generate the CA certificate and key:
  1. $ cockroach cert create-ca \
  2. --certs-dir=certs \
  3. --ca-key=my-safe-directory/ca.key
  1. $ ls -l certs
  1. total 8
  2. -rw-r--r-- 1 maxroach maxroach 1.1K Jul 10 14:12 ca.crt

Create the certificate and key pairs for nodes

  • Generate the certificate and key for the first node:
  1. $ cockroach cert create-node \
  2. node1.example.com \
  3. node1.another-example.com \
  4. --certs-dir=certs \
  5. --ca-key=my-safe-directory/ca.key
  1. $ ls -l certs
  1. total 24
  2. -rw-r--r-- 1 maxroach maxroach 1.1K Jul 10 14:12 ca.crt
  3. -rw-r--r-- 1 maxroach maxroach 1.2K Jul 10 14:16 node.crt
  4. -rw------- 1 maxroach maxroach 1.6K Jul 10 14:16 node.key
  • Upload certificates to the first node:
  1. # Create the certs directory:
  2. $ ssh <username>@<node1 address> "mkdir certs"
  1. # Upload the CA certificate and node certificate and key:
  2. $ scp certs/ca.crt \
  3. certs/node.crt \
  4. certs/node.key \
  5. <username>@<node1 address>:~/certs
  • Delete the local copy of the first node's certificate and key:
  1. $ rm certs/node.crt certs/node.key

Note:
This is necessary because the certificates and keys for additional nodes will also be named node.crt and node.key As an alternative to deleting these files, you can run the next cockroach cert create-node commands with the —overwrite flag.

  • Create the certificate and key for the second node:
  1. $ cockroach cert create-node \
  2. node2.example.com \
  3. node2.another-example.com \
  4. --certs-dir=certs \
  5. --ca-key=my-safe-directory/ca.key
  1. $ ls -l certs
  1. total 24
  2. -rw-r--r-- 1 maxroach maxroach 1.1K Jul 10 14:12 ca.crt
  3. -rw-r--r-- 1 maxroach maxroach 1.2K Jul 10 14:17 node.crt
  4. -rw------- 1 maxroach maxroach 1.6K Jul 10 14:17 node.key
  • Upload certificates to the second node:
  1. # Create the certs directory:
  2. $ ssh <username>@<node2 address> "mkdir certs"
  1. # Upload the CA certificate and node certificate and key:
  2. $ scp certs/ca.crt \
  3. certs/node.crt \
  4. certs/node.key \
  5. <username>@<node2 address>:~/certs
  • Repeat steps 3 - 5 for each additional node.

Create the certificate and key pair for a client

  1. $ cockroach cert create-client \
  2. maxroach \
  3. --certs-dir=certs \
  4. --ca-key=my-safe-directory/ca.key
  1. $ ls -l certs
  1. total 40
  2. -rw-r--r-- 1 maxroach maxroach 1.1K Jul 10 14:12 ca.crt
  3. -rw-r--r-- 1 maxroach maxroach 1.1K Jul 10 14:13 client.maxroach.crt
  4. -rw------- 1 maxroach maxroach 1.6K Jul 10 14:13 client.maxroach.key
  5. -rw-r--r-- 1 maxroach maxroach 1.2K Jul 10 14:17 node.crt
  6. -rw------- 1 maxroach maxroach 1.6K Jul 10 14:17 node.key

List certificates and keys

  1. $ cockroach cert list \
  2. --certs-dir=certs
  1. Certificate directory: certs
  2. +-----------------------+---------------------+---------------------+------------+--------------------------------------------------------+-------+
  3. | Usage | Certificate File | Key File | Expires | Notes | Error |
  4. +-----------------------+---------------------+---------------------+------------+--------------------------------------------------------+-------+
  5. | Certificate Authority | ca.crt | | 2027/07/18 | num certs: 1 | |
  6. | Node | node.crt | node.key | 2022/07/14 | addresses: node2.example.com,node2.another-example.com | |
  7. | Client | client.maxroach.crt | client.maxroach.key | 2022/07/14 | user: maxroach | |
  8. +-----------------------+---------------------+---------------------+------------+--------------------------------------------------------+-------+
  9. (3 rows)

See also

Was this page helpful?
YesNo