Create client certificates

Before you can connect to a YugabyteDB cluster with client-to-server encryption, you need a client certificate. This topic guides you through creating and configuring a client certificate so that clients, tools, and APIs can communicate with the cluster over an encrypted, authenticated connection.

Create the client certificates

Create a working directory

To generate and store the secure information, such as the root certificate, create a temporary working directory, client-certs-temp, in your root directory. When you finish creating the required certificate files, you will copy them to the appropriate directories for use in client-to-server encryption.

  $ mkdir client-certs-temp

Generate private key

  $ openssl genrsa -out client-certs-temp/yugabyte.key

You should see output like this:

  Generating RSA private key, 2048 bit long modulus
  .......................+++
  ...........+++
  e is 65537 (0x10001)

Create signing request

Now you will create a certificate signing request (CSR) and sign it with the root certificate created in Create server certificates.

  $ cat > client-certs-temp/yugabyte.conf

Paste in the following node configuration file.

  ################################
  # Example node configuration file
  ################################
  [ req ]
  prompt=no
  distinguished_name = my_distinguished_name
  [ my_distinguished_name ]
  organizationName = Yugabyte
  # Required value for commonName, do not change.
  commonName = yugabyte

Generate the CSR from the private key, using the configuration file for the subject.

  $ openssl req -new \
    -config client-certs-temp/yugabyte.conf \
    -key client-certs-temp/yugabyte.key \
    -out client-certs-temp/yugabyte.csr

Next, sign the CSR with the root certificate and key created in Create server certificates.

  $ openssl ca -config secure-data/ca.conf \
    -keyfile secure-data/ca.key \
    -cert secure-data/ca.crt \
    -policy my_policy \
    -out client-certs-temp/yugabyte.crt \
    -outdir client-certs-temp \
    -in client-certs-temp/yugabyte.csr \
    -days 3650 \
    -batch

You should see output like this:

  Using configuration from secure-data/ca.conf
  Check that the request matches the signature
  Signature ok
  The Subject's Distinguished Name is as follows
  organizationName :ASN.1 12:'Yugabyte'
  commonName :ASN.1 12:'yugabyte'
  Certificate is to be certified until Feb 11 07:36:29 2030 GMT (3650 days)
  Write out database with 1 new entries
  Data Base Updated

Copy required certificate files to the client directory

Now, copy the root certificate and the client key and certificate you just created to the /tmp/yugabyte directory.

  $ mkdir /tmp/yugabyte
  $ cp secure-data/ca.crt /tmp/yugabyte/
  $ cp client-certs-temp/yugabyte.* /tmp/yugabyte/

Generate client private key and certificate

Next, generate the client private key (yugabytedb.key) and client certificate (yugabytedb.crt) directly in the ysqlsh client certificates directory, ~/.yugabytedb. Create that directory first if it does not exist.

  $ mkdir -p ~/.yugabytedb
  $ openssl genrsa -out ~/.yugabytedb/yugabytedb.key

You should see output similar to this:

  Generating RSA private key, 2048 bit long modulus (2 primes)
  ............................................................................................+++++
  ............................................+++++
  e is 65537 (0x010001)

Now change the access permission on the key to owner read-only.

  $ chmod 400 ~/.yugabytedb/yugabytedb.key

Create a CSR for the client key. The commonName must be yugabyte, the user this certificate authenticates.

  $ openssl req -new \
    -key ~/.yugabytedb/yugabytedb.key \
    -out ~/.yugabytedb/yugabytedb.csr \
    -subj '/O=Yugabyte/CN=yugabyte'

Sign the CSR with the root certificate and key. Without a -days option, openssl x509 -req issues a certificate that is valid for 30 days; pass -days 3650 if you want the same validity as the certificate signed with openssl ca above.

  $ openssl x509 -req \
    -in ~/.yugabytedb/yugabytedb.csr \
    -CA secure-data/ca.crt \
    -CAkey secure-data/ca.key \
    -out ~/.yugabytedb/yugabytedb.crt \
    -CAcreateserial

For the last command, you should see the following:

  Signature ok
  subject=O = Yugabyte, CN = yugabyte
  Getting CA Private Key

You’ve now created the required client certificates for user yugabyte and added the files to the default client certificates directory for ysqlsh (~/.yugabytedb).
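As an added example (not part of the YugabyteDB docs), the following POSIX shell script runs the same openssl steps against a throwaway CA and then checks the result the way you would before pointing ysqlsh at the files: the chain to the CA, the required CN, that the key matches the certificate, the key's file mode, and expiry. The demo CA, the working directory and the alternate user name are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the YugabyteDB docs. Builds a throwaway CA plus a
# client key/certificate with the same openssl steps as the page, then runs
# the checks worth doing before pointing ysqlsh at the files. The demo CA,
# directory and user names are constructed for this example.
set -eu

# make_demo_pki DIR CN: write ca.crt, ca.key and a client cert for CN in DIR.
make_demo_pki() {
  dir=$1; cn=$2
  mkdir -p "$dir"
  # Throwaway root CA standing in for secure-data/ca.crt from the server page.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj '/O=Yugabyte/CN=demo-root-ca' \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl genrsa -out "$dir/yugabytedb.key" 2048 >/dev/null 2>&1
  chmod 400 "$dir/yugabytedb.key"
  openssl req -new -key "$dir/yugabytedb.key" -out "$dir/yugabytedb.csr" \
    -subj "/O=Yugabyte/CN=$cn" >/dev/null 2>&1
  openssl x509 -req -in "$dir/yugabytedb.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -days 3650 \
    -out "$dir/yugabytedb.crt" >/dev/null 2>&1
}

# check_client_cert DIR: return 0 only if every check passes.
check_client_cert() {
  dir=$1
  # 1. The certificate must chain to the CA the cluster trusts.
  openssl verify -CAfile "$dir/ca.crt" "$dir/yugabytedb.crt" >/dev/null 2>&1 \
    || { echo "chain check failed"; return 1; }
  # 2. CN is the database user the cert authenticates; the docs require yugabyte.
  cn=$(openssl x509 -in "$dir/yugabytedb.crt" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "yugabyte" ] || { echo "unexpected CN: $cn"; return 1; }
  # 3. The private key must match the public key in the certificate.
  k=$(openssl pkey -in "$dir/yugabytedb.key" -pubout 2>/dev/null | openssl md5)
  c=$(openssl x509 -in "$dir/yugabytedb.crt" -noout -pubkey | openssl md5)
  [ "$k" = "$c" ] || { echo "key does not match certificate"; return 1; }
  # 4. The key must be readable by its owner only (the chmod 400 step).
  mode=$(stat -c %a "$dir/yugabytedb.key" 2>/dev/null \
         || stat -f %Lp "$dir/yugabytedb.key")
  case $mode in 400|600) ;; *) echo "key mode $mode too open"; return 1 ;; esac
  # 5. The certificate must not be about to expire (still valid in 24 hours).
  openssl x509 -in "$dir/yugabytedb.crt" -noout -checkend 86400 >/dev/null \
    || { echo "certificate expires within a day"; return 1; }
  return 0
}
```

Run make_demo_pki with a directory and a CN, then check_client_cert on that directory; a certificate issued for any CN other than yugabyte fails the second check.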

What’s next

To learn about how to connect to your encrypted YugabyteDB cluster, see Connect to cluster.