Generating TLS Certificates and Keys
This page includes examples and sample procedures for generating certificates and keys with CREATE KEY and CREATE CERTIFICATE. To view your keys and certificates, query the CRYPTOGRAPHIC_KEYS and CERTIFICATES system tables.
For more detailed information on creating signed certificates, OpenSSL recommends the OpenSSL Cookbook. You can download this book for free.
For more information on x509 extensions, see the OpenSSL documentation.
Importing Keys and Certificates
You only need to import a private key if you intend to use its associated certificate to sign something, such as a message in client-server TLS or another certificate. That is, you only need to import a key if its associated certificate is one of the following:
- a client/server certificate
- a CA certificate used to sign other certificates while in Vertica
If you only need your CA certificate to validate other certificates, you do not need to import its private key.
To import a private key:
=> CREATE KEY imported_key TYPE 'RSA' AS '-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----';
To import a CA certificate that only validates other certificates (no private key):
=> CREATE CA CERTIFICATE imported_validating_ca AS '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----';
To import a CA certificate that can both validate and sign other certificates (private key required):
=> CREATE CA CERTIFICATE imported_signing_ca AS '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----' KEY ca_key;
To import a client/server certificate, you must specify its private key and CA:
=> CREATE CERTIFICATE imported_cert AS '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----' SIGNED BY imported_ca KEY imported_key;
Generating Private Keys
To generate a 2048-bit RSA private key:
=> CREATE KEY new_key TYPE 'RSA' LENGTH 2048;
Self-Signed CA Certificates
Certificate Authorities (CAs) are trusted entities that use their own CA certificates to sign and validate other certificates. This example generates a self-signed root CA.
The subject of a CA certificate must be different from the subjects of the certificates it signs.
While self-signed CA certificates are convenient, you should always use a proper certificate authority in a production environment.
- Generate or import a private key.
- Generate and sign the certificate with the private key.
=> CREATE CA CERTIFICATE ca_cert SUBJECT '/C=country_code/ST=state_or_province/L=locality/O=organization/OU=org_unit/CN=Vertica Root CA' VALID FOR days_valid EXTENSIONS 'authorityKeyIdentifier' = 'keyid:always,issuer', 'nsComment' = 'Vertica generated root CA cert' KEY ca_key;
Intermediate CA Certificates
In addition to server certificates, CAs can also sign the certificates of other CAs. This process produces an intermediate CA and a chain of trust between the top-level CA and the intermediate CA. These intermediate CAs can then sign other certificates.
Intermediate CA certificates generated with CREATE CERTIFICATE cannot sign other CA certificates.
- Generate or import a private key.
- Generate a CA certificate, specifying its private key and signing CA.
=> CREATE CERTIFICATE intermediate_ca SUBJECT '/C=country_code/ST=state_or_province/L=locality/O=organization/OU=org_unit/CN=Vertica intermediate CA' SIGNED BY ca_cert VALID FOR days_valid KEY intermediate_ca_key;
Server and Client Certificates
The value for the extendedKeyUsage extension will differ based on your use case:
- Server certificate: 'extendedKeyUsage' = 'serverAuth'
- Server certificate with Internode Encryption enabled: 'extendedKeyUsage' = 'serverAuth, clientAuth'
- Client certificate: 'extendedKeyUsage' = 'clientAuth'
- Generate or import a CA certificate. Since this CA will be used to sign the client/server certificate, if you import your CA certificate, you must also import its private key.
- Generate and sign the certificate with the CA certificate, specifying the correct value for the extendedKeyUsage extension. For example, to create a server certificate:
=> CREATE CERTIFICATE server_cert SUBJECT '/C=country_code/ST=state_or_province/L=locality/O=organization/OU=org_unit/CN=common_name/emailAddress=email' SIGNED BY ca_cert EXTENSIONS 'authorityKeyIdentifier' = 'keyid,issuer:always', 'nsCertType' = 'server', 'extendedKeyUsage' = 'serverAuth', 'subjectAltName' = 'DNS.1:alt_hostname,IP:IP_address' KEY server_key;
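The three procedures above (root CA, intermediate CA, server and client certificates) are shown below as one complete chain, followed by the system-table queries used to verify it. This is an added example, not code from the Vertica documentation: the subject values, key and certificate names, hostnames, IP address and validity periods are placeholders chosen for illustration, and the selected column names are those of the CERTIFICATES and CRYPTOGRAPHIC_KEYS system tables as assumed here, so check them against your version's table definitions.

```sql
-- Added example (not from the original page). All names and subject values are placeholders.

-- 1. Root CA: generate its private key, then a self-signed CA certificate.
CREATE KEY root_ca_key TYPE 'RSA' LENGTH 4096;
CREATE CA CERTIFICATE root_ca_cert
    SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=Example Corp/OU=DBA/CN=Example Root CA'
    VALID FOR 3650
    EXTENSIONS 'authorityKeyIdentifier' = 'keyid:always,issuer',
               'nsComment' = 'Example root CA'
    KEY root_ca_key;

-- 2. Intermediate CA, signed by the root. Its subject must differ from the root's subject.
CREATE KEY int_ca_key TYPE 'RSA' LENGTH 4096;
CREATE CERTIFICATE int_ca_cert
    SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=Example Corp/OU=DBA/CN=Example Intermediate CA'
    SIGNED BY root_ca_cert
    VALID FOR 1825
    KEY int_ca_key;

-- 3. Server certificate for a node that also uses Internode Encryption: both EKU values,
--    and a subjectAltName covering every hostname and IP that clients will connect to.
CREATE KEY server_key TYPE 'RSA' LENGTH 2048;
CREATE CERTIFICATE server_cert
    SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=Example Corp/OU=DBA/CN=vertica-node1.example.internal'
    SIGNED BY int_ca_cert
    VALID FOR 397
    EXTENSIONS 'authorityKeyIdentifier' = 'keyid,issuer:always',
               'nsCertType' = 'server',
               'extendedKeyUsage' = 'serverAuth, clientAuth',
               'subjectAltName' = 'DNS.1:vertica-node1.example.internal,IP:10.0.0.11'
    KEY server_key;

-- 4. Client certificate: clientAuth only, signed by the same intermediate.
CREATE KEY client_key TYPE 'RSA' LENGTH 2048;
CREATE CERTIFICATE client_cert
    SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=Example Corp/OU=Analytics/CN=report_user'
    SIGNED BY int_ca_cert
    VALID FOR 365
    EXTENSIONS 'authorityKeyIdentifier' = 'keyid,issuer:always',
               'nsCertType' = 'client',
               'extendedKeyUsage' = 'clientAuth'
    KEY client_key;

-- 5. Verify the chain: each certificate's issuer should be the subject of the certificate
--    named in signed_by, and the root should have no signer.
--    (Column names assumed from the CERTIFICATES system table; adjust to your version.)
SELECT name, is_ca, subject, issuer, signed_by
  FROM CERTIFICATES
 WHERE name IN ('root_ca_cert', 'int_ca_cert', 'server_cert', 'client_cert')
 ORDER BY name;

-- 6. Confirm the keys exist with the intended algorithm and length.
--    (Column names assumed from the CRYPTOGRAPHIC_KEYS system table; adjust to your version.)
SELECT name, type, length
  FROM CRYPTOGRAPHIC_KEYS
 WHERE name IN ('root_ca_key', 'int_ca_key', 'server_key', 'client_key')
 ORDER BY name;
```

Because the server and client certificates are signed by int_ca_cert rather than by the root, a client that trusts only root_ca_cert needs the intermediate presented in the chain (or imported as a validating CA) before it can validate server_cert; the query in step 5 is the quickest way to see which certificate each one actually chains to.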