create-client-keys.md
The following steps generate a client key and certificate, and then make them available to the client:
-
Generate the client key:
=> CREATE KEY client_private_key TYPE 'RSA' LENGTH 2048; CREATE KEY
-
Generate the client certificate. Mutual TLS requires that the Common Name (
CN
) in theSUBJECT
specifies a database username:=> CREATE CERTIFICATE client_certificate SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=OpenText/OU=Vertica/CN=dbadmin/emailAddress=example@example.com' SIGNED BY ca_certificate EXTENSIONS 'nsComment' = 'Vertica client cert', 'extendedKeyUsage' = 'clientAuth' KEY client_private_key; CREATE CERTIFICATE
-
On the client machine, export the client key and client certificate to the client filesystem. The following commands use the vsql client:
$ vsql -At -c "SELECT key FROM cryptographic_keys WHERE name = 'client_private_key';" -o client_private_key.key $ vsql -At -c "SELECT certificate_text FROM certificates WHERE name = 'client_certificate';" -o client_cert.pem
In the preceding command:
-A
: enables unaligned output.-t
: prevents the command from outputting metadata, such as column names.-c
: instructs the shell to run one command and then exit.-o
: writes the query output to the specified filename.
For details about all vsql command line options, see Command-line options
-
Copy or move the client key and certificate to a location that your client recognizes.
The following commands move the client key and certificate to the hidden directory
~/.client-creds
, and then grants the file owner read and write permissions withchmod
:$ mkdir ~/.client-creds $ mv client_private_key.key ~/.client-creds/client_key.key $ mv client_cert.pem ~/.client-creds/client_cert.pem $ chmod 600 ~/.client-creds/client_key.key ~/.client-creds/client_cert.pem