Generating TLS Certificates and Keys

This page includes examples and sample procedures for generating certificates and keys with CREATE KEY and CREATE CERTIFICATE. To view your keys and certificates, query the CRYPTOGRAPHIC_KEYS and CERTIFICATES system tables.

For more detailed information on creating signed certificates, OpenSSL recommends the OpenSSL Cookbook. You can download this book for free.

For more information on x509 extensions, see the OpenSSL documentation.

Importing Keys and Certificates

Keys

You only need to import private keys if you intend to use its associated certificate to sign something, like a message in client-server TLS, or another certificate. That is, you only only need to import keys if its associated certificate is one of the following:

  • a client/server certificate
  • a CA certificate used to sign other certificates while in Vertica

If you only need your CA certificate to validate other certificates, you do not need to import its private key.

To import a private key:

=> CREATE KEY imported_key TYPE 'RSA' AS '-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----';

Certificates

To import a CA certificate that only validates other certificates (no private key):

=> CREATE CA CERTIFICATE imported_validating_ca AS '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----';

To import a CA that can both validate and sign other certificates (private key required)

=> CREATE CA CERTIFICATE imported_signing_ca AS '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----'
KEY ca_key;

To import a certificate for server mode TLS:

=> CREATE CERTIFICATE server_mode_cert AS '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----' KEY imported_key;

To import a certificate for mutual mode TLS or client authentication, you must specify its CA:

=> CREATE CERTIFICATE imported_cert AS '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----' 
SIGNED BY imported_ca KEY imported_key;

Generating Private Keys

To generate an 2048-bit RSA private key:

=> CREATE KEY new_key TYPE 'RSA' LENGTH 2048;

Generating Certificates

The subjects of CA certificates must be different from the subjects of the certificates they sign.

Self-Signed CA Certificates

Certificate Authorities (CA) are trusted entities that use their own CA certificates to sign and validate other certificates. This example generates a self-signed root CA.

While self-signed CA certificates are convenient, you should always use a proper certificate authority in a production environment.

  1. Generate or import a private key.
  2. Generate and sign the certificate with the private key.
  3. => CREATE CA CERTIFICATE ca_cert
    SUBJECT '/C=country_code/ST=state_or_province/L=locality/O=organization/OU=org_unit/CN=Vertica Root CA'
    VALID FOR days_valid
    EXTENSIONS 'authorityKeyIdentifier' = 'keyid:always,issuer', 'nsComment' = 'Vertica generated root CA cert'
    KEY ca_key;

Intermediate CA Certificates

In addition to server certificates, CAs can also sign the certificates of other CAs. This process produces an intermediate CA and a chain of trust between the top-level CA and the intermediate CA. These intermediate CAs can then sign other certificates.

Intermediate CA certificates generated with CREATE CERTIFICATE cannot sign other CA certificates.

  1. Generate or import a private key.
  2. Generate a CA certificate, specifying its private key and signing CA.
=> CREATE CERTIFICATE intermediate_ca
SUBJECT '/C=country_code/ST=state_or_province/L=locality/O=organization/OU=org_unit/CN=Vertica intermediate CA'
SIGNED BY ca_cert
VALID FOR days_valid
KEY intermediate_ca_key;

Server and Client Certificates

CREATE CERTIFICATE generates x509v3 certificates, which allow you to specify extensions to restrict what the certificate can be used for. The value for the extendedKeyUsage extension will differ based on your use case:

  • Server certificate:
  • 'extendedKeyUsage' = 'serverAuth',
  • Server certificate for internode encryption:
  • 'extendedKeyUsage' = 'serverAuth, clientAuth',
  • Client certificate:
  • 'extendedKeyUsage' = 'clientAuth',

The following procedure creates a server certificate with the extension serverAuth and signs it with a self-signed CA certificate:

  1. Generate or import a CA certificate. Because this CA will be used to sign the client/server certificate, if you import your CA certificate, you must also import its private key.
  2. -- generating a self-signed CA certificate
    
    -- generate a key, ca_key
    => CREATE KEY ca_key TYPE 'RSA' LENGTH 2048;
    -- generate the CA certificate and sign it with ca_key
    => CREATE CA CERTIFICATE ca_cert
    SUBJECT '/C=US/ST=MA/L=Cambridge/O=ExampleOrg/OU=ExampleOrgUnit/CN=Vertica Root CA'
    VALID FOR 365
    EXTENSIONS 'authorityKeyIdentifier' = 'keyid:always,issuer', 'nsComment' = 'Vertica-generated root CA cert'
    KEY ca_key;
  3. Generate and sign the certificate with the CA certificate, specifying the proper values for your use case for the extendedKeyUsage extension. For example, to create a server certificate:
  4. => CREATE CERTIFICATE server_cert
    SUBJECT '/C=country_code/ST=state_or_province/L=locality/O=organization/OU=org_unit/CN=common_name
    /emailAddress=email'
    SIGNED BY ca_cert
    EXTENSIONS 'authorityKeyIdentifier' = 'keyid,issuer:always', 'extendedKeyUsage' = 'serverAuth',
               'subjectAltName' = 'DNS.1:alt_hostname,IP:IP_address'
    KEY server_key;