cli: Use unique subjects in cockroach cert create-ca
#121285
Labels
C-enhancement
Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception)
Comments
bdarnell
added
the
C-enhancement
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
cockroach cert create-causes a hard-coded subject ofO=Cockroach,CN=Cockroach CAfor all CA certificates. If theca.crtfile contains the wrong CA certificate but the subject is correct, the Go crypto libraries produce a cryptic error messagecrypto/rsa: verification error. If the subjects didn't match, we'd get a (slightly) better error message ofx509: certificate signed by unknown authority.Describe the solution you'd like
All CA certificates generated by
cockroach certcommands should have unique subjects, probably by adding aUIDfield to the subject containing a UUID.Describe alternatives you've considered
It would also be nice to allow and encourage people to set their own subject instead of just using
O=Cockroach,CN=Cockroach CA,UID=234543...all the time.Jira issue: CRDB-37173
The text was updated successfully, but these errors were encountered: