From f0ab4abb18ba72abe875fcef0db8160e6f34576e Mon Sep 17 00:00:00 2001 From: yikeke Date: Fri, 5 Jun 2020 15:48:39 +0800 Subject: [PATCH 1/3] Update generate-self-signed-certificates.md --- generate-self-signed-certificates.md | 246 +++++++++++++++------------ 1 file changed, 133 insertions(+), 113 deletions(-) diff --git a/generate-self-signed-certificates.md b/generate-self-signed-certificates.md index 0abf109a2a736..990cbb1ad0d49 100644 --- a/generate-self-signed-certificates.md +++ b/generate-self-signed-certificates.md 
@@ -1,156 +1,176 @@ --- title: Generate Self-signed Certificates -summary: Use `cfssl` to generate self-signed certificates. +summary: Use `openssl` to generate self-signed certificates. category: how-to aliases: ['/docs/dev/how-to/secure/generate-self-signed-certificates/'] --- # Generate Self-signed Certificates -## Overview - -This document describes how to generate self-signed certificates using `cfssl`. +This document provides an example of using `openssl` to generate a self-signed certificate. You can also generate certificates and keys that meet requirements according to your demands. Assume that the topology of the instance cluster is as follows: -| Name | Host IP | Services | -| ----- | ----------- | ---------- | -| node1 | 172.16.10.1 | PD1, TiDB1 | -| node2 | 172.16.10.2 | PD2, TiDB2 | -| node3 | 172.16.10.3 | PD3 | -| node4 | 172.16.10.4 | TiKV1 | -| node5 | 172.16.10.5 | TiKV2 | -| node6 | 172.16.10.6 | TiKV3 | +| Name | Host IP | Services | +| ----- | ----------- | ---------- | +| node1 | 172.16.10.11 | PD1, TiDB1 | +| node2 | 172.16.10.12 | PD2 | +| node3 | 172.16.10.13 | PD3 | +| node4 | 172.16.10.14 | TiKV1 | +| node5 | 172.16.10.15 | TiKV2 | +| node6 | 172.16.10.16 | TiKV3 | + +## Install OpenSSL -## Download `cfssl` +For Debian or Ubuntu OS: -Assume that the host is x86_64 Linux: +{{< copyable "shell-regular" >}} ```bash -mkdir ~/bin -curl -s -L -o ~/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -curl -s -L -o ~/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -chmod +x ~/bin/{cfssl,cfssljson} -export PATH=$PATH:~/bin +apt install openssl ``` -## Initialize the certificate authority +For RedHat or CentOS OS: -To make it easy for modification later, generate the default configuration of `cfssl`: +{{< copyable "shell-regular" >}} ```bash -mkdir ~/cfssl -cd ~/cfssl -cfssl print-defaults config > ca-config.json -cfssl print-defaults csr > ca-csr.json +yum install openssl ``` -## Generate certificates +You can also refer to 
OpenSSL's official [download document](https://www.openssl.org/source/) for installation. + +## Generate the CA certificate + +A certificate authority (CA) is a trusted entity that issues digital certificates. In practice, contact your administrator to issue the certificate or use a trusted CA. CA manages multiple certificate pairs. Here you only need to generate an original pair of certificates as follows. + +1. Generate root key: + + {{< copyable "shell-regular" >}} + + ```bash + openssl genrsa -out root.key 4096 + ``` + +2. Generate root certificates: + + {{< copyable "shell-regular" >}} + + ```bash + openssl req -new -x509 -days 1000 -key root.key -out root.crt + ``` + +3. Validate root certificates: + + {{< copyable "shell-regular" >}} -### Certificates description + ```bash + openssl x509 -text -in root.crt -noout + ``` + +## Issue certificates for individual components + +### Certificates that may be used in the cluster - tidb-server certificate: used by TiDB to authenticate TiDB for other components and clients - tikv-server certificate: used by TiKV to authenticate TiKV for other components and clients - pd-server certificate: used by PD to authenticate PD for other components and clients -- client certificate: used to authenticate the clients from PD, TiKV and TiDB, such as `pd-ctl`, `tikv-ctl` and `pd-recover` - -### Configure the CA option - -Edit `ca-config.json` according to your need: - -```json -{ - "signing": { - "default": { - "expiry": "43800h" - }, - "profiles": { - "server": { - "expiry": "43800h", - "usages": [ - "signing", - "key encipherment", - "server auth", - "client auth" - ] - }, - "client": { - "expiry": "43800h", - "usages": [ - "signing", - "key encipherment", - "client auth" - ] - } - } - } -} -``` +- client certificate: used to authenticate the clients from PD, TiKV and TiDB, such as `pd-ctl`, `tikv-ctl` -Edit `ca-csr.json` according to your need: - -```json -{ - "CN": "My own CA", - "key": { - "algo": "rsa", - "size": 2048 - }, - 
"names": [ - { - "C": "CN", - "L": "Beijing", - "O": "PingCAP", - "ST": "Beijing" - } - ] -} -``` +### Issue certificates to TiKV instances -### Generate the CA certificate +To issue a certificate to a TiKV instance, the steps are as follows: -```bash -cfssl gencert -initca ca-csr.json | cfssljson -bare ca - -``` +1. Generate the private key corresponding to the certificate: -The command above generates the following files: + {{< copyable "shell-regular" >}} -```bash -ca-key.pem -ca.csr -ca.pem -``` + ```bash + openssl genrsa -out tikv.key 2048 + ``` -### Generate the server certificate +2. Make a copy of the OpenSSL configuration template file (Refer to the actual location of your template file because it may have more than one location): -The IP address of all components and `127.0.0.1` are included in `hostname`. + {{< copyable "shell-regular" >}} -```bash -echo '{"CN":"tidb-server","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server -hostname="172.16.10.1,172.16.10.2,127.0.0.1" - | cfssljson -bare tidb-server + ```bash + cp /usr/lib/ssl/openssl.cnf . + ``` -echo '{"CN":"tikv-server","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server -hostname="172.16.10.4,172.16.10.5,172.16.10.6,127.0.0.1" - | cfssljson -bare tikv-server + If you do not know the actual location, look for it in the root directory: -echo '{"CN":"pd-server","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server -hostname="172.16.10.1,172.16.10.2,172.16.10.3,127.0.0.1" - | cfssljson -bare pd-server -``` + ```bash + find / -name openssl.cnf + ``` -The command above generates the following files: +3. Edit `openssl.cnf`, add `req_extensions = v3_req` under the `[ req ]` field, and add `subjectAltName = @alt_names` under the `[ v3_req ]` field. 
Finally, create a new field and edit the information of SAN. -```Bash -tidb-server-key.pem tikv-server-key.pem pd-server-key.pem -tidb-server.csr tikv-server.csr pd-server.csr -tidb-server.pem tikv-server.pem pd-server.pem -``` + ``` + [ alt_names ] + IP.1 = 127.0.0.1 + IP.2 = 172.16.10.14 + IP.3 = 172.16.10.15 + IP.4 = 172.16.10.16 + ``` -### Generate the client certificate +4. Save the `openssl.cnf` file, and generate the certificate request file (in this step, you can also assign a Common Name to the certificate, which is used to allow the server to validate the identity of the client. Each component does not enable the validation by default, and you can enable it in the configuration file): -```bash -echo '{"CN":"client","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client -hostname="" - | cfssljson -bare client -``` + {{< copyable "shell-regular" >}} -The command above generates the following files: + ```bash + openssl req -new -key tikv.key -out tikv.csr -config openssl.cnf + ``` -```bash -client-key.pem -client.csr -client.pem -``` +5. Issue and generate the certificate: + + {{< copyable "shell-regular" >}} + + ```bash + openssl x509 -req -days 365 -CA root.crt -CAkey root.key -CAcreateserial -in tikv.csr -out tikv.crt -extensions v3_req -extfile openssl.cnf + ``` + +6. Verify that the certificate includes the SAN field (optional): + + {{< copyable "shell-regular" >}} + + ```bash + openssl x509 -text -in tikv.crt -noout + ``` + +7. Confirm that the following files occur in your current directory: + + ``` + root.crt + tikv.crt + tikv.key + ``` + +The process of issuing certificates for other TiDB components is similar and will not be repeated in this document. + +### Issue certificates for clients + +To issue a certificate to a client, the steps are as follows: + +1. 
Generate the private key corresponding to the certificate: + + {{< copyable "shell-regular" >}} + + ```bash + openssl genrsa -out client.key 2048 + ``` + +2. Generate the certificate request file (in this step, you can also assign a Common Name to the certificate, which is used to allow the server to validate the identity of the client. Each component does not enable the validation by default, and you can enable it in the configuration file): + + {{< copyable "shell-regular" >}} + + ```bash + openssl req -new -key client.key -out client.csr + ``` + +3. Issue and generate the certificate: + + {{< copyable "shell-regular" >}} + + ```bash + openssl x509 -req -days 365 -CA root.crt -CAkey root.key -CAcreateserial -in client.csr -out client.crt + ``` From 868cfd96f401b577a9f008a0110a6cf5cc68e032 Mon Sep 17 00:00:00 2001 From: Lilian Lee Date: Tue, 9 Jun 2020 13:39:01 +0800 Subject: [PATCH 2/3] Optimize indentation --- generate-self-signed-certificates.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/generate-self-signed-certificates.md b/generate-self-signed-certificates.md index 990cbb1ad0d49..e3c665d287c0f 100644 --- a/generate-self-signed-certificates.md +++ b/generate-self-signed-certificates.md @@ -22,21 +22,21 @@ Assume that the topology of the instance cluster is as follows: ## Install OpenSSL -For Debian or Ubuntu OS: +- For Debian or Ubuntu OS: -{{< copyable "shell-regular" >}} + {{< copyable "shell-regular" >}} -```bash -apt install openssl -``` + ```bash + apt install openssl + ``` -For RedHat or CentOS OS: +- For RedHat or CentOS OS: -{{< copyable "shell-regular" >}} + {{< copyable "shell-regular" >}} -```bash -yum install openssl -``` + ```bash + yum install openssl + ``` You can also refer to OpenSSL's official [download document](https://www.openssl.org/source/) for installation. From de6ea7f13a91e23f12f195cf51c7bcc5e62e616b Mon Sep 17 00:00:00 2001 
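Review bot: in PATCH 1/3 (the single hunk rewriting generate-self-signed-certificates.md), step 3 of "Issue certificates to TiKV instances" only adds `subjectAltName = @alt_names` to `[ v3_req ]`, while the removed cfssl `ca-config.json` profiles explicitly set `server auth` and `client auth` usages; since the certificate list states that each component certificate authenticates the component both to other components and to clients, suggest also documenting `extendedKeyUsage = serverAuth, clientAuth` in `[ v3_req ]` so the certificates issued in step 5 (`-extensions v3_req -extfile openssl.cnf`) keep the same usages as before. Two smaller points in the same hunk: the `find / -name openssl.cnf` block is the only shell block without the `{{< copyable "shell-regular" >}}` shortcode the rest of the page uses, and the CA section could say that `root.key` (used again in step 5 and in the client step 3 via `-CAkey root.key`) must be kept access-restricted, since whoever holds it can issue certificates the whole cluster trusts.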
From: Keke Yi <40977455+yikeke@users.noreply.github.com> Date: Tue, 9 Jun 2020 13:58:50 +0800 Subject: [PATCH 3/3] Apply suggestions from code review Co-authored-by: Lilian Lee --- generate-self-signed-certificates.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/generate-self-signed-certificates.md b/generate-self-signed-certificates.md index e3c665d287c0f..e993bc4fac0ab 100644 --- a/generate-self-signed-certificates.md +++ b/generate-self-signed-certificates.md @@ -44,7 +44,7 @@ You can also refer to OpenSSL's official [download document](https://www.openssl A certificate authority (CA) is a trusted entity that issues digital certificates. In practice, contact your administrator to issue the certificate or use a trusted CA. CA manages multiple certificate pairs. Here you only need to generate an original pair of certificates as follows. -1. Generate root key: +1. Generate the root key: {{< copyable "shell-regular" >}} @@ -70,7 +70,9 @@ A certificate authority (CA) is a trusted entity that issues digital certificate ## Issue certificates for individual components -### Certificates that may be used in the cluster +This section describes how to issue certificates for individual components. + +### Certificates that might be used in the cluster - tidb-server certificate: used by TiDB to authenticate TiDB for other components and clients - tikv-server certificate: used by TiKV to authenticate TiKV for other components and clients @@ -79,7 +81,7 @@ A certificate authority (CA) is a trusted entity that issues digital certificate ### Issue certificates to TiKV instances -To issue a certificate to a TiKV instance, the steps are as follows: +To issue a certificate to a TiKV instance, perform the following steps: 1. Generate the private key corresponding to the certificate: 
@@ -89,7 +91,7 @@ To issue a certificate to a TiKV instance, the steps are as follows: openssl genrsa -out tikv.key 2048 ``` -2. Make a copy of the OpenSSL configuration template file (Refer to the actual location of your template file because it may have more than one location): +2. Make a copy of the OpenSSL configuration template file (Refer to the actual location of your template file because it might have more than one location): {{< copyable "shell-regular" >}} @@ -137,7 +139,7 @@ To issue a certificate to a TiKV instance, the steps are as follows: openssl x509 -text -in tikv.crt -noout ``` -7. Confirm that the following files occur in your current directory: +7. Confirm that the following files exist in your current directory: ``` root.crt @@ -149,7 +151,7 @@ The process of issuing certificates for other TiDB components is similar and wil ### Issue certificates for clients -To issue a certificate to a client, the steps are as follows: +To issue a certificate to a client, perform the following steps: 1. Generate the private key corresponding to the certificate:
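Review bot: in PATCH 3/3, hunk `@@ -70,7 +70,9 @@`, the added sentence "This section describes how to issue certificates for individual components." only restates the heading directly above it; either drop it or let it carry information the reader needs at this point, for example that every component and client gets its own private key and CSR, signed with `root.key` and `root.crt` from the previous section, as the TiKV and client steps below show.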