Vertica Analytics Platform Version 9.2.x Documentation

Kafka TLS/SSL Example Part 1: Create the Root CA

This example uses the same self-signed root CA to sign all of the certificates used by the scheduler, Kafka brokers, and Vertica. If you cannot use the same CA to sign the keys for all of these systems, make sure you include the entire chain of trust in your keystores.

The following Linux commands create a self-signed root CA. They are run by the dbadmin user on the Linux command line of one of the Vertica nodes.

  1. Generate a private key named root.key.

    $ openssl genrsa -out root.key
    Generating RSA private key, 2048 bit long modulus
    ..............................................................................
    ............................+++
    ...............+++
    e is 65537 (0x10001)
  2. Generating a self-signed root CA named root.crt.

    $ openssl req -new -x509 -key root.key -out root.crt
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:MA
    Locality Name (eg, city) []:Cambridge
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:*.mycompany.com
    Email Address []:myemail@mycompany.com
    
  3. Change permissions on the files to prevent others from reading the root key, and preventing changes to the root certificate.

    $ ls
    root.crt  root.key
    $ chmod 600 root.key
    $ chmod 644 root.crt