How to Create Private Key and Certificate Files for Scalar Products
This guide explains how to create private key and certificate files for Scalar products.
Private key and certificate files for TLS connections
ScalarDB Cluster and ScalarDL support TLS for each connection. When you enable the TLS feature, you must prepare private key and certificate files.
Certificate requirements
- You can use only
RSAorECDSAas an algorithm for private key and certificate files.
Example steps to create sample private key and certificate files
In this example, you’ll create sample private key and certificate files by using cfssl and cfssljson. If you don’t have those tools installed, please install cfssl and cfssljson to run this example.
Note
- You can use other tools, like
openssl, to create the private key and certificate files. Alternatively, you can ask a third-party CA or the administrator of your private CA to create the private key and certificate for your production environment. - This example creates a self-signed certificate. However, it is strongly recommended that these certificates not be used in production. Please ask trusted issuers (a public CA or your private CA) to create certificate files for your production environment based on your security requirements.
-
Create a working directory.
mkdir -p ${HOME}/scalar/example/certs/ -
Change the working directory to
${HOME}/scalar/example/certs/.cd ${HOME}/scalar/example/certs/ -
Create a JSON file that includes CA information.
cat << 'EOF' > ${HOME}/scalar/example/certs/ca.json { "CN": "scalar-example-ca", "key": { "algo": "ecdsa", "size": 256 }, "names": [ { "C": "JP", "ST": "Tokyo", "L": "Shinjuku", "O": "Scalar Example CA" } ] } EOF -
Create the CA private key and certificate files.
cfssl gencert -initca ca.json | cfssljson -bare ca -
Create a JSON file that includes CA configurations.
cat << 'EOF' > ${HOME}/scalar/example/certs/ca-config.json { "signing": { "default": { "expiry": "87600h" }, "profiles": { "scalar-example-ca": { "expiry": "87600h", "usages": [ "signing", "key encipherment", "server auth" ] } } } } EOF -
Create a JSON file that includes server information.
cat << 'EOF' > ${HOME}/scalar/example/certs/server.json { "CN": "scalar-example-server", "hosts": [ "server.scalar.example.com", "localhost" ], "key": { "algo": "ecdsa", "size": 256 }, "names": [ { "C": "JP", "ST": "Tokyo", "L": "Shinjuku", "O": "Scalar Example Server" } ] } EOF -
Create the private key and certificate files for the server.
cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile scalar-example-ca server.json | cfssljson -bare server -
Confirm that the private key and certificate files were created.
ls -1[Command execution result]
ca-config.json ca-key.pem ca.csr ca.json ca.pem server-key.pem server.csr server.json server.pemIn this case:
server-key.pemis the private key file.server.pemis the certificate file.ca.pemis the root CA certificate file.
Private key and certificate files for digital-signature authentication (ScalarDL)
ScalarDL has several kinds of authentication methods. If you use digital-signature as an authentication method, you must prepare private key and certificate files. For more details on the authentication method, see ScalarDL Authentication Guide.
Certificate requirements
- You must use
ECDSAas an algorithm of private key and certificate files. - You must use
P-256as a curve parameter. - You must use
SHA256as a hash function.
Example steps to create sample private key and certificate files
You can create sample private key and certificate files by using cfssl and cfssljson. Please install cfssl and cfssljson first if you don’t install them yet.
Note
- You can use other tools, like
openssl, to create the private key and certificate files. Alternatively, you can ask a third-party CA or the administrator of your private CA to create the private key and certificate for your production environment. - This example creates a self-signed certificate. However, it is strongly recommended that these certificates not be used in production. Please ask trusted issuers (a public CA or your private CA) to create certificate files for your production environment based on your security requirements.
-
Create a working directory.
mkdir -p ${HOME}/scalardl/digital-signature/certs/ -
Change the working directory to
${HOME}/scalardl/digital-signature/certs/.cd ${HOME}/scalardl/digital-signature/certs/ -
Create a JSON file that includes CA information.
cat << 'EOF' > ${HOME}/scalardl/digital-signature/certs/ca.json { "CN": "scalardl-example-ca", "key": { "algo": "ecdsa", "size": 256 }, "names": [ { "C": "JP", "ST": "Tokyo", "L": "Shinjuku", "O": "ScalarDL Example CA" } ] } EOF -
Create the CA private key and certificate files.
cfssl gencert -initca ca.json | cfssljson -bare ca -
Create a JSON file that includes CA configurations.
cat << 'EOF' > ${HOME}/scalardl/digital-signature/certs/ca-config.json { "signing": { "default": { "expiry": "87600h" }, "profiles": { "scalardl-example-ca": { "expiry": "87600h", "usages": [ "signing", "key encipherment", "server auth" ] } } } } EOF -
Create a JSON file that includes client information.
cat << 'EOF' > ${HOME}/scalardl/digital-signature/certs/client.json { "CN": "scalardl-client", "hosts": [ "client.scalardl.example.com", "localhost" ], "key": { "algo": "ecdsa", "size": 256 }, "names": [ { "C": "JP", "ST": "Tokyo", "L": "Shinjuku", "O": "ScalarDL Client Example" } ] } EOF -
Create a JSON file that includes ScalarDL Ledger information.
cat << 'EOF' > ${HOME}/scalardl/digital-signature/certs/ledger.json { "CN": "scalardl-ledger", "hosts": [ "ledger.scalardl.example.com", "localhost" ], "key": { "algo": "ecdsa", "size": 256 }, "names": [ { "C": "JP", "ST": "Tokyo", "L": "Shinjuku", "O": "ScalarDL Ledger Example" } ] } EOF -
Create a JSON file that includes ScalarDL Auditor information.
cat << 'EOF' > ${HOME}/scalardl/digital-signature/certs/auditor.json { "CN": "scalardl-auditor", "hosts": [ "auditor.scalardl.example.com", "localhost" ], "key": { "algo": "ecdsa", "size": 256 }, "names": [ { "C": "JP", "ST": "Tokyo", "L": "Shinjuku", "O": "ScalarDL Auditor Example" } ] } EOF -
Create the private key and certificate files for the client.
cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile scalardl-example-ca client.json | cfssljson -bare client -
Create the private key and certificate files for ScalarDL Ledger.
cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile scalardl-example-ca ledger.json | cfssljson -bare ledger -
Create the private key and certificate files for ScalarDL Auditor.
cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile scalardl-example-ca auditor.json | cfssljson -bare auditor -
Confirm that the private key and certificate files were created.
ls -1[Command execution result]
auditor-key.pem auditor.csr auditor.json auditor.pem ca-config.json ca-key.pem ca.csr ca.json ca.pem client-key.pem client.csr client.json client.pem ledger-key.pem ledger.csr ledger.json ledger.pemIn this case:
client-key.pemis the private key file for the client.client.pemis the certificate file for the client.ledger-key.pemis the private key file for ScalarDL Ledger.ledger.pemis the certificate file for ScalarDL Ledger.auditor-key.pemis the private key file for ScalarDL Auditor.auditor.pemis the certificate file for ScalarDL Auditor.ca.pemis the root CA certificate file.