cli: Use unique subjects in cockroach cert create-ca
#121285
Labels
C-enhancement
Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception)
Is your feature request related to a problem? Please describe.

`cockroach cert create-ca` uses a hard-coded subject of `O=Cockroach,CN=Cockroach CA` for all CA certificates. If the `ca.crt` file contains the wrong CA certificate but the subject is correct, the Go crypto libraries produce a cryptic error message `crypto/rsa: verification error`. If the subjects didn't match, we'd get a (slightly) better error message of `x509: certificate signed by unknown authority`.

Describe the solution you'd like

All CA certificates generated by `cockroach cert` commands should have unique subjects, probably by adding a `UID` field to the subject containing a UUID.

Describe alternatives you've considered

It would also be nice to allow and encourage people to set their own subject instead of just using `O=Cockroach,CN=Cockroach CA,UID=234543...` all the time.

Jira issue: CRDB-37173
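The two failure modes described in this issue can be reproduced with Go's `crypto/x509` alone. The following is an added example, not CockroachDB code: it signs a leaf with one CA and verifies it against a different CA, first with identical subjects and then with a distinct UID attribute in each. The helper names, the `node` leaf and the UID values are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue creates a self-signed CA (parent == nil) or a leaf signed by parent.
func issue(cn, uid string, parent *x509.Certificate, pkey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	t := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:   pkix.Name{Organization: []string{"Cockroach"}, CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if uid != "" { // proposed UID attribute, OID 0.9.2342.19200300.100.1.1
		t.Subject.ExtraNames = []pkix.AttributeTypeAndValue{{Type: []int{0, 9, 2342, 19200300, 100, 1, 1}, Value: uid}}
	}
	if parent == nil { // self-signed CA
		t.KeyUsage, parent, pkey = x509.KeyUsageCertSign, t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey))
	return must(x509.ParseCertificate(der)), key
}
// wrongCA signs a leaf with one CA and verifies it against that CA and another one.
func wrongCA(signerUID, otherUID string) (rightErr, wrongErr error) {
	signer, skey := issue("Cockroach CA", signerUID, nil, nil)
	other, _ := issue("Cockroach CA", otherUID, nil, nil)
	leaf, _ := issue("node", "", signer, skey)
	good, bad := x509.NewCertPool(), x509.NewCertPool()
	good.AddCert(signer)
	bad.AddCert(other)
	_, rightErr = leaf.Verify(x509.VerifyOptions{Roots: good})
	_, wrongErr = leaf.Verify(x509.VerifyOptions{Roots: bad})
	return rightErr, wrongErr
}
func main() {
	fmt.Println(wrongCA("", ""))                                   // identical subjects
	fmt.Println(wrongCA("constructed-uid-a", "constructed-uid-b")) // unique subjects
}
```

With identical subjects the verifier picks the wrong CA as a candidate issuer by name and fails at the signature check; with distinct subjects it finds no candidate at all.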