How to Create Private Key and Certificate Files for TLS Connections in Scalar Products
This guide explains how to create private key and certificate files for TLS connections in ScalarDB Cluster and ScalarDL. When you enable the TLS feature, you must prepare private key and certificate files.
Certificate requirements​
- You can use only
RSA
orECDSA
as an algorithm for private key and certificate files.
Example steps to create sample private key and certificate files​
In this example, you'll create sample private key and certificate files by using cfssl
and cfssljson
. If you don't have those tools installed, please install cfssl
and cfssljson
to run this example.
- You can use other tools, like
openssl
, to create the private key and certificate files. Alternatively, you can ask a third-party CA or the administrator of your private CA to create the private key and certificate for your production environment. - This example creates a self-signed certificate. However, it is strongly recommended that these certificates not be used in production. Please ask trusted issuers (a public CA or your private CA) to create certificate files for your production environment based on your security requirements.
-
Create a working directory.
mkdir -p ${HOME}/scalar/example/certs/
-
Change the working directory to
${HOME}/scalar/example/certs/
.cd ${HOME}/scalar/example/certs/
-
Create a JSON file that includes CA information.
cat << 'EOF' > ${HOME}/scalar/example/certs/ca.json
{
"CN": "scalar-example-ca",
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "JP",
"ST": "Tokyo",
"L": "Shinjuku",
"O": "Scalar Example CA"
}
]
}
EOF -
Create the CA private key and certificate files.
cfssl gencert -initca ca.json | cfssljson -bare ca
-
Create a JSON file that includes CA configurations.
cat << 'EOF' > ${HOME}/scalar/example/certs/ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"scalar-example-ca": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
}
}
}
}
EOF -
Create a JSON file that includes server information.
cat << 'EOF' > ${HOME}/scalar/example/certs/server.json
{
"CN": "scalar-example-server",
"hosts": [
"server.scalar.example.com",
"localhost"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "JP",
"ST": "Tokyo",
"L": "Shinjuku",
"O": "Scalar Example Server"
}
]
}
EOF -
Create the private key and certificate files for the server.
cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile scalar-example-ca server.json | cfssljson -bare server
-
Confirm that the private key and certificate files were created.
ls -1
[Command execution result]
ca-config.json
ca-key.pem
ca.csr
ca.json
ca.pem
server-key.pem
server.csr
server.json
server.pemIn this case:
server-key.pem
is the private key file.server.pem
is the certificate file.ca.pem
is the root CA certificate file.