- .
- .
cockroach cert with the appropriate subcommands and flags, use openssl commands, or use a (for example, a public CA or your organizational CA).
Subcommands
| Subcommand | Usage |
|---|---|
openssl genrsa | Create an RSA private key. |
openssl req | Create CA certificate and CSRs (certificate signing requests). |
openssl ca | Create node and client certificates using the CSRs. |
Configuration files
To useopenssl req and openssl ca subcommands, you need the following configuration files:
| File name pattern | File usage |
|---|---|
ca.cnf | CA configuration file |
node.cnf | Server configuration file |
client.cnf | Client configuration file |
Certificate directory
To create node and client certificates using the OpenSSL commands, you need access to a local copy of the CA certificate and key. We recommend creating all certificates (node, client, and CA certificates), and node and client keys in one place and then distributing them appropriately. Store the CA key somewhere safe and keep a backup; if you lose it, you will not be able to add new nodes or clients to your cluster.Required keys and certificates
Use theopenssl genrsa and openssl req subcommands to create all certificates, and node and client keys in a single directory, with the files named as follows:
Node key and certificates
| File name pattern | File usage |
|---|---|
ca.crt | CA certificate |
node.crt | Server certificate |
node.key | Key for server certificate |
Client key and certificates
| File name pattern | File usage |
|---|---|
ca.crt | CA certificate. |
client.<user>.crt | Client certificate for <user> (for example: client.root.crt for user root). |
client.<user>.key | Key for the client certificate. |
- The CA key should not be uploaded to the nodes and clients, so it should be created in a separate directory.
-
Keys (files ending in
.key) must meet the on macOS, Linux, and other UNIX-like systems.
Examples
Step 1. Create the CA key and certificate pair
-
Create two directories:
certs: Create your CA certificate and all node and client certificates and keys in this directory and then upload the relevant files to the nodes and clients.my-safe-directory: Create your CA key in this directory and then reference the key when generating node and client certificates. After that, keep the key safe and secret; do not upload it to your nodes or clients.
-
Create the
ca.cnffile and copy the following configuration into it. You can set the CA certificate expiration period using thedefault_daysparameter. We recommend using the CockroachDB default value of the CA certificate expiration period, which is 365 days.
The
keyUsage and extendedkeyUsage parameters are vital for CockroachDB functions. You can modify or omit other parameters as per your preferred OpenSSL configuration and you can add additional usages, but do not omit keyUsage and extendedkeyUsage parameters or remove the listed usages.-
Create the CA key using the
openssl genrsacommand: -
Create the CA certificate using the
openssl reqcommand: -
Reset database and index files:
Step 2. Create the certificate and key pairs for nodes
In the following steps, replace the placeholder text in the code with the actual username and node address.-
Create the
node.cnffile for the first node and copy the following configuration into it:
The
subjectAltName parameter is vital for CockroachDB functions. You can modify or omit other parameters as per your preferred OpenSSL configuration, but do not omit the subjectAltName parameter.-
Create the key for the first node using the
openssl genrsacommand: -
Create the CSR for the first node using the
openssl reqcommand: -
Sign the node CSR to create the node certificate for the first node using the
openssl cacommand. -
Verify the values in the
Subject Alternative Namefield in the certificate:Sample output:
Step 3. Create the certificate and key pair for the first user
In the following steps, replace the placeholder text in the code with the actual username.-
Create the
client.cnffile for the first user and copy the following configuration into it:
The
commonName and subjectAltName parameters are vital for CockroachDB functions. You can modify or omit other parameters as per your preferred OpenSSL configuration, but do not omit the commonName parameter or modify the subjectAltName parameter.-
Create the key for the first client using the
openssl genrsacommand: -
Create the CSR for the first client using the
openssl reqcommand: -
Sign the client CSR to create the client certificate for the first client using the
openssl cacommand. -
Verify the values in the
CNfield in the certificate:Sample Output:
Step 4. Start a local cluster and connect using a connection URL
-
Start a single-node cluster:
-
In a new terminal window, connect to the cluster using a connection URL:
-
Create a new SQL user:
-
Exit the SQL shell:
Step 5. Create the certificate and key pair for a client
In the following steps, replace the placeholder text in the code with the actual username.-
Edit the
client.cnffile for the client and copy the following configuration into it:
The
commonName parameter is vital for CockroachDB functions. You can modify or omit other parameters as per your preferred OpenSSL configuration, but do not omit the commonName parameter.-
Create the key for the first client using the
openssl genrsacommand: -
Create the CSR for the first client using the
openssl reqcommand: -
Sign the client CSR to create the client certificate for the first client using the
openssl cacommand. -
Verify the values in the
CNfield in the certificate:Sample output: -
Connect to the SQL client using the client certificate:
.pem files in the certs directory. These files are unnecessary duplicates of the .crt files that CockroachDB requires.
See also
- : Learn about starting a multi-node secure cluster and accessing it from a client.
- : Learn more about the flags you pass when adding a node to a secure cluster

