
SSL for all inter-node comms #21

Closed
andybons opened this issue Jun 3, 2014 · 7 comments
Comments

@andybons
Contributor

andybons commented Jun 3, 2014

From IRC:
The cluster should be able to generate SSL certs (invoke openssl, I guess) for internode comms, as well as act as a certificate authority to generate certs for client access.
The end goal would be to allow people to set up a cockroach cluster without having to understand any of that stuff, but larger orgs can specify configuration more particularly.

@andybons andybons self-assigned this Jun 3, 2014
@petermattis
Collaborator

I had to figure out the openssl commands for doing this recently. Might as well copy them here for posterity.

# Assumes an openssl.cnf in the working directory that defines the v3_ca and
# good_usr_crt extension sections referenced below. Start from a clean slate.
rm -f ca.{key,crt} test.{key,csr,crt}
rm -f index.txt* serial* *.pem

# Generate a self-signed CA.
openssl req -x509 -config openssl.cnf -nodes -days 365 \
    -newkey rsa:1024 -subj "/C=US/ST=New York/L=New York/O=Cockroach/CN=Test CA" \
    -extensions v3_ca -keyout ca.key -out ca.crt

# Create the certificate signing requests.
openssl req -config openssl.cnf -nodes -days 365 \
    -newkey rsa:1024 -subj "/C=US/ST=New York/L=env:development/O=Cockroach/OU=test/CN=localhost" \
    -keyout test.key -out test.csr

# Set up the database and serial files needed by `openssl ca`.
touch index.txt index.txt.attr
echo "01" > serial

# Generate the client and server certificates from the signing
# requests.
openssl ca -batch -config openssl.cnf -cert ca.crt -keyfile ca.key \
    -extensions good_usr_crt -in test.csr -out test.crt

# Remove the files needed by the CA. These don't need to be checked in
# because we'll just recreate them if this script needs to be re-run.
rm -f index.txt* serial* *.pem *.csr ca.key

@spencerkimball
Member

Awesome.

On Tue, Jun 3, 2014 at 4:22 PM, Peter Mattis notifications@github.com wrote:


@bdarnell
Contributor

bdarnell commented Jun 3, 2014

FYI Go's crypto libraries include key generation stuff as well, so we might be able to do this without shelling out to openssl. I'm not sure which will turn out to be easier.
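
As an added example (not part of this issue or of CockroachDB's code), here is the flow from Peter's openssl script done with Go's crypto/x509 as bdarnell suggests: a self-signed CA, a node certificate issued from the node's public key, and the check a peer performs before trusting it. The function names, the hostname and the choice of ECDSA P-256 in place of the script's rsa:1024 are assumptions of this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(365*24*time.Hour) // like -days 365
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA self-signs a CA certificate for caKey, the Go equivalent of "openssl req -x509 ... -extensions v3_ca".
func NewCA(caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{Organization: []string{"Cockroach"}, CommonName: "Test CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign} // IsCA is ignored unless BasicConstraintsValid is set
	return issue(tmpl, tmpl, &caKey.PublicKey, caKey) // parent == tmpl makes it self-signed
}

// SignNodeCert issues a cert for host from the node's public key, like "openssl ca ... -in test.csr": the node key never leaves the node.
func SignNodeCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, nodePub *ecdsa.PublicKey, host string, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{Organization: []string{"Cockroach"}, CommonName: host},
		DNSNames:    []string{host}, // Go 1.15+ matches hostnames against SANs only, never the CN
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}} // a node is both client and server
	return issue(tmpl, ca, nodePub, caKey)
}

// VerifyNodeCert checks that cert chains to ca and names host, as a peer does during the TLS handshake.
func VerifyNodeCert(ca, cert *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
func main() {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nodeKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // generated on the node, like test.key
	ca, _ := NewCA(caKey)
	node, _ := SignNodeCert(ca, caKey, &nodeKey.PublicKey, "node1.cockroach.internal", 2)
	fmt.Println("node cert verifies against the CA:", VerifyNodeCert(ca, node, "node1.cockroach.internal") == nil)
}
```

Serial numbers must be unique per CA in real use; the fixed values here only stand in for the script's serial file.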

@philips
Contributor

philips commented Jul 23, 2014

We have a Go based client certificate authority here: https://github.com/coreos/etcd-ca and there is this too: https://github.com/cloudflare/cfssl

@andybons
Contributor Author

Great. Thanks, @philips!

@andybons andybons removed their assignment Feb 24, 2015
@spencerkimball
Member

@mberhault is this still under development or ready to be crossed off the list? (I know there's still endless work associated with this, but perhaps that follow-on stuff should get new issues.)

@mberhault
Contributor

The inter-node part is done. I'll file different issues for client certs (the main chunk of the work left) and key management for nodes.
