Copying Certificates and Keys to Configuration Files

Before using TLS, all hosts in the cluster must copy the contents of their certificates and keys to parameters in vertica.conf. These parameters determine the connection mode, which then determines how hosts and clients verify each other before opening a secure connection.

Vertica offers two connection modes for TLS:

  • In Server Mode, only the client must verify the host's certificate. Hosts must have server.crt and server.key.
  • In Mutual Mode, the client and host must each verify the other’s certificates. Hosts must have server.crt, server.key, and root.crt.

The database does not need to be running when you copy the contents of the certificates and key files to other hosts.

  1. Enable TLS.
  2. Generate TLS Certificates and Keys.
  3. Log on to a host that contains the certificates and keys you want to copy.
  4. To clear any of these parameters, run:

    ALTER DATABASE dbname CLEAR parameter

  5. Run the following commands for your desired configuration. The effects of these parameters only take effect for new connections.
    • To use Server Mode, set the SSLCertificate and SSLPrivateKey parameters.
    • => ALTER DATABASE DEFAULT SSLCertificate = '<content of server.crt>';				
      => ALTER DATABASE DEFAULT SSLPrivateKey = '<content of server.key>';		
    • To use Mutual Mode, in addition to setting the above parameters for Server Mode, set the SSLCA parameter.
      => ALTER DATABASE DEFAULT SET SSLCA = '<content of root.crt>';

      To trust more than one CA:

      '-----BEGIN CERTIFICATE-----first CA-----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----second CA-----END CERTIFICATE-----';