Generating TLS certificates and keys
This page includes examples and sample procedures for generating certificates and keys with CREATE KEY and CREATE CERTIFICATE. To view your keys and certificates, query the CRYPTOGRAPHIC_KEYS and CERTIFICATES system tables.
For more detailed information on creating signed certificates, OpenSSL recommends the OpenSSL Cookbook.
For more information on x509 extensions, see the OpenSSL documentation.
Importing keys and certificates
Keys
You only need to import private keys if you intend to use its associated certificate to sign something, like a message in client-server TLS, or another certificate. That is, you only only need to import keys if its associated certificate is one of the following:
-
Client/server certificate
-
CA certificate used to sign other certificates while in Vertica
If you only need your CA certificate to validate other certificates, you do not need to import its private key.
To import a private key:
=> CREATE KEY imported_key TYPE 'RSA' AS '-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----';
Certificates
To import a CA certificate that only validates other certificates (no private key):
=> CREATE CA CERTIFICATE imported_validating_ca AS '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----';
To import a CA that can both validate and sign other certificates (private key required):
=> CREATE CA CERTIFICATE imported_signing_ca AS '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----'
KEY ca_key;
To import a certificate for server mode TLS:
=> CREATE CERTIFICATE server_mode_cert AS '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----' KEY imported_key;
To import a certificate for mutual mode TLS or client authentication, you must specify its CA:
=> CREATE CERTIFICATE imported_cert AS '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----'
SIGNED BY imported_ca KEY imported_key;
Generating private keys and certificates
Keys
To generate an 2048-bit RSA private key:
=> CREATE KEY new_key TYPE 'RSA' LENGTH 2048;
Self-signed CA certificates
Note
The subjects of CA certificates must be different from the subjects of the certificates they sign.CAs are trusted entities that use their CA certificates to sign and validate other certificates. The example that follows generates a self-signed root CA:
Important
While self-signed CA certificates are convenient, you should always use a proper certificate authority in a production environment.-
Generate or import a private key:
=> CREATE KEY SSCA_key TYPE 'RSA' LENGTH 2048;
-
Generate and sign the certificate with the private key using the following format:
=> CREATE CA CERTIFICATE certificate_name SUBJECT '/C=country_code/ST=state_or_province/L=locality/O=organization/OU=org_unit/CN=Vertica Root CA' VALID FOR days_valid EXTENSIONS 'authorityKeyIdentifier' = 'keyid:always,issuer', 'nsComment' = 'Vertica generated root CA cert' KEY ca_key;
For example:=> CREATE CA CERTIFICATE SSCA_cert SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=Micro Focus/OU=Vertica/CN=Vertica Root CA' VALID FOR 3650 EXTENSIONS 'nsComment' = 'Self-signed root CA cert' KEY SSCA_key;
Intermediate CA certificates
In addition to server certificates, CAs can also sign the certificates of other CAs. This process produces an intermediate CA and a chain of trust between the top-level CA and the intermediate CA. These intermediate CAs can then sign other certificates.
Note
Intermediate CA certificates generated with CREATE CERTIFICATE cannot sign other CA certificates.-
Generate or import the CA that signs the intermediate CA. The example that follows generates and uses a self-signed root CA:
=> CREATE KEY SSCA_key TYPE 'RSA' LENGTH 2048;
=> CREATE CA CERTIFICATE SSCA_cert SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=Micro Focus/OU=Vertica/CN=Vertica Root CA' VALID FOR 3650 EXTENSIONS 'nsComment' = 'Self-signed root CA cert' KEY SSCA_key;
-
Generate or import a private key:
=> CREATE KEY intermediate_key TYPE 'RSA' LENGTH 2048;
-
Generate the intermediate CA certificate, specifying its private key and signing CA using the following format:
=> CREATE CERTIFICATE intermediate_certificate_name SUBJECT '/C=country_code/ST=state_or_province/L=locality/O=organization/OU=org_unit/CN=Vertica intermediate CA' SIGNED BY ca_name KEY intermediate_key;
For example:=> CREATE CA CERTIFICATE intermediate_CA SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=OpenText/OU=Vertica/CN=Vertica Intermediate CA' SIGNED BY SSCA_cert KEY intermediate_key;
Client/server certificates
CREATE CERTIFICATE generates x509v3 certificates, which allow you to specify extensions to restrict how the certificate can be used. The value for the extendedKeyUsage
extension will differ based on your use case:
-
Server certificate:
'extendedKeyUsage' = 'serverAuth'
-
Client certificate:
'extendedKeyUsage' = 'clientAuth'
-
Server certificate for internode encryption:
'extendedKeyUsage' = 'serverAuth, clientAuth'
Because these certificates are used for client/server TLS, you must import or generate their private keys.
The following example certificates are all signed by this self-signed CA certificate:
=> CREATE KEY SSCA_key TYPE 'RSA' LENGTH 2048;
=> CREATE CA CERTIFICATE SSCA_cert
SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=Micro Focus/OU=Vertica/CN=Vertica Root CA'
VALID FOR 3650
EXTENSIONS 'nsComment' = 'Self-signed root CA cert'
KEY SSCA_key;
To generate a server certificate:
=> CREATE KEY server_key TYPE 'RSA' LENGTH 2048;
=> CREATE CERTIFICATE server_cert
SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=OpenText/OU=Vertica/CN=Vertica server/emailAddress=example@example.com'
SIGNED BY SSCA_cert
EXTENSIONS 'nsComment' = 'Vertica server cert', 'extendedKeyUsage' = 'serverAuth'
KEY server_key;
To generate a client certificate:
=> CREATE KEY client_key TYPE 'RSA' LENGTH 2048;
=> CREATE CERTIFICATE client_cert
SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=OpenText/OU=Vertica/CN=Vertica client/emailAddress=clientexample@example.com'
SIGNED BY SSCA_cert
EXTENSIONS 'nsComment' = 'Vertica client cert', 'extendedKeyUsage' = 'clientAuth'
KEY client_key;
To generate an internode TLS certificate:
=> CREATE KEY internode_key TYPE 'RSA' LENGTH 2048;
=> CREATE CERTIFICATE internode_cert
SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=Micro Focus/OU=Vertica/CN=data channel'
SIGNED BY SSCA_cert
EXTENSIONS 'nsComment' = 'Vertica internode cert', 'extendedKeyUsage' = 'serverAuth, clientAuth'
KEY internode_key;