How to Create Private Key and Certificate Files for Scalar Products
This guide explains how to create private key and certificate files for Scalar products.
Private key and certificate files for TLS connections​
ScalarDB Cluster and ScalarDL support TLS for each connection. When you enable the TLS feature, you must prepare private key and certificate files.
Certificate requirements​
- You can use only
RSA
orECDSA
as an algorithm for private key and certificate files.
Example steps to create sample private key and certificate files​
In this example, you'll create sample private key and certificate files by using cfssl
and cfssljson
. If you don't have those tools installed, please install cfssl
and cfssljson
to run this example.
- You can use other tools, like
openssl
, to create the private key and certificate files. Alternatively, you can ask a third-party CA or the administrator of your private CA to create the private key and certificate for your production environment. - This example creates a self-signed certificate. However, it is strongly recommended that these certificates not be used in production. Please ask trusted issuers (a public CA or your private CA) to create certificate files for your production environment based on your security requirements.
-
Create a working directory.
mkdir -p ${HOME}/scalar/example/certs/
-
Change the working directory to
${HOME}/scalar/example/certs/
.cd ${HOME}/scalar/example/certs/
-
Create a JSON file that includes CA information.
cat << 'EOF' > ${HOME}/scalar/example/certs/ca.json
{
"CN": "scalar-example-ca",
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "JP",
"ST": "Tokyo",
"L": "Shinjuku",
"O": "Scalar Example CA"
}
]
}
EOF -
Create the CA private key and certificate files.
cfssl gencert -initca ca.json | cfssljson -bare ca
-
Create a JSON file that includes CA configurations.
cat << 'EOF' > ${HOME}/scalar/example/certs/ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"scalar-example-ca": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
}
}
}
}
EOF -
Create a JSON file that includes server information.
cat << 'EOF' > ${HOME}/scalar/example/certs/server.json
{
"CN": "scalar-example-server",
"hosts": [
"server.scalar.example.com",
"localhost"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "JP",
"ST": "Tokyo",
"L": "Shinjuku",
"O": "Scalar Example Server"
}
]
}
EOF -
Create the private key and certificate files for the server.
cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile scalar-example-ca server.json | cfssljson -bare server
-
Confirm that the private key and certificate files were created.
ls -1
[Command execution result]
ca-config.json
ca-key.pem
ca.csr
ca.json
ca.pem
server-key.pem
server.csr
server.json
server.pemIn this case:
server-key.pem
is the private key file.server.pem
is the certificate file.ca.pem
is the root CA certificate file.
Private key and certificate files for digital-signature
authentication (ScalarDL)​
ScalarDL has several kinds of authentication methods. If you use digital-signature
as an authentication method, you must prepare private key and certificate files. For more details on the authentication method, see ScalarDL Authentication Guide.
Certificate requirements​
- You must use
ECDSA
as an algorithm of private key and certificate files. - You must use
P-256
as a curve parameter. - You must use
SHA256
as a hash function.
Example steps to create sample private key and certificate files​
You can create sample private key and certificate files by using cfssl
and cfssljson
. Please install cfssl
and cfssljson
first if you don't install them yet.
- You can use other tools, like
openssl
, to create the private key and certificate files. Alternatively, you can ask a third-party CA or the administrator of your private CA to create the private key and certificate for your production environment. - This example creates a self-signed certificate. However, it is strongly recommended that these certificates not be used in production. Please ask trusted issuers (a public CA or your private CA) to create certificate files for your production environment based on your security requirements.
-
Create a working directory.
mkdir -p ${HOME}/scalardl/digital-signature/certs/
-
Change the working directory to
${HOME}/scalardl/digital-signature/certs/
.cd ${HOME}/scalardl/digital-signature/certs/
-
Create a JSON file that includes CA information.
cat << 'EOF' > ${HOME}/scalardl/digital-signature/certs/ca.json
{
"CN": "scalardl-example-ca",
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "JP",
"ST": "Tokyo",
"L": "Shinjuku",
"O": "ScalarDL Example CA"
}
]
}
EOF -
Create the CA private key and certificate files.
cfssl gencert -initca ca.json | cfssljson -bare ca
-
Create a JSON file that includes CA configurations.
cat << 'EOF' > ${HOME}/scalardl/digital-signature/certs/ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"scalardl-example-ca": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
}
}
}
}
EOF -
Create a JSON file that includes client information.
cat << 'EOF' > ${HOME}/scalardl/digital-signature/certs/client.json
{
"CN": "scalardl-client",
"hosts": [
"client.scalardl.example.com",
"localhost"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "JP",
"ST": "Tokyo",
"L": "Shinjuku",
"O": "ScalarDL Client Example"
}
]
}
EOF -
Create a JSON file that includes ScalarDL Ledger information.
cat << 'EOF' > ${HOME}/scalardl/digital-signature/certs/ledger.json
{
"CN": "scalardl-ledger",
"hosts": [
"ledger.scalardl.example.com",
"localhost"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "JP",
"ST": "Tokyo",
"L": "Shinjuku",
"O": "ScalarDL Ledger Example"
}
]
}
EOF -
Create a JSON file that includes ScalarDL Auditor information.
cat << 'EOF' > ${HOME}/scalardl/digital-signature/certs/auditor.json
{
"CN": "scalardl-auditor",
"hosts": [
"auditor.scalardl.example.com",
"localhost"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "JP",
"ST": "Tokyo",
"L": "Shinjuku",
"O": "ScalarDL Auditor Example"
}
]
}
EOF -
Create the private key and certificate files for the client.
cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile scalardl-example-ca client.json | cfssljson -bare client
-
Create the private key and certificate files for ScalarDL Ledger.
cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile scalardl-example-ca ledger.json | cfssljson -bare ledger
-
Create the private key and certificate files for ScalarDL Auditor.
cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile scalardl-example-ca auditor.json | cfssljson -bare auditor
-
Confirm that the private key and certificate files were created.
ls -1
[Command execution result]
auditor-key.pem
auditor.csr
auditor.json
auditor.pem
ca-config.json
ca-key.pem
ca.csr
ca.json
ca.pem
client-key.pem
client.csr
client.json
client.pem
ledger-key.pem
ledger.csr
ledger.json
ledger.pemIn this case:
client-key.pem
is the private key file for the client.client.pem
is the certificate file for the client.ledger-key.pem
is the private key file for ScalarDL Ledger.ledger.pem
is the certificate file for ScalarDL Ledger.auditor-key.pem
is the private key file for ScalarDL Auditor.auditor.pem
is the certificate file for ScalarDL Auditor.ca.pem
is the root CA certificate file.