So @Baur - here’s every command and the outputs, step-by-step.
The steps are done on three different machines:
- Stockholm (FQDN crate-sthlm-01.my.domain, IP X.X.X.X), master
- Falkenberg (FQDN crate-falk-01.my.domain, IP Y.Y.Y.Y)
- My computer (as authority)
1. Stockholm - Set up keystore
1.1. Create keystore & generate private key
$ keytool -keystore keystore -genkey -keyalg RSA -alias private_key -validity 36500
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: crate-sthlm-01.my.domain
What is the name of your organizational unit?
[Unknown]: My Company
What is the name of your organization?
[Unknown]: My Company, Ltd.
What is the name of your City or Locality?
[Unknown]: Stockholm
What is the name of your State or Province?
[Unknown]: Stockholm
What is the two-letter country code for this unit?
[Unknown]: SE
Is CN=crate-sthlm-01.my.domain, OU=My Company, O="My Company, Ltd.", L=Stockholm, ST=Stockholm, C=SE correct?
[no]: yes
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 36,500 days
for: CN=crate-sthlm-01.my.domain, OU=My Company, O="My Company, Ltd.", L=Stockholm, ST=Stockholm, C=SE
1.2. Generate signing request (CSR)
$ keytool -keystore keystore -certreq -alias private_key -keyalg RSA -file crate-sthlm-01.csr
Enter keystore password:
2. Falkenberg - Set up keystore
2.1. Create keystore & generate private key
$ keytool -keystore keystore -genkey -keyalg RSA -alias private_key -validity 36500
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: crate-falk-01.my.domain
What is the name of your organizational unit?
[Unknown]: My Company
What is the name of your organization?
[Unknown]: My Company, Ltd.
What is the name of your City or Locality?
[Unknown]: Stockholm
What is the name of your State or Province?
[Unknown]: Stockholm
What is the two-letter country code for this unit?
[Unknown]: SE
Is CN=crate-falk-01.my.domain, OU=My Company, O="My Company, Ltd.", L=Stockholm, ST=Stockholm, C=SE correct?
[no]: yes
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 36,500 days
for: CN=crate-falk-01.my.domain, OU=My Company, O="My Company, Ltd.", L=Stockholm, ST=Stockholm, C=SE
2.2. Generate signing request (CSR)
$ keytool -keystore keystore -certreq -alias private_key -keyalg RSA -file crate-falk-01.csr
Enter keystore password:
3. My computer - Root CA setup
3.1. Generate root CA
$ openssl req -x509 -sha256 -nodes -days 36500 -newkey rsa:2048 \
-keyout rootCA.key -out rootCA.crt
Generating a 2048 bit RSA private key
..............+++
.......................+++
writing new private key to 'rootCA.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:SE
State or Province Name (full name) []:Stockholm
Locality Name (eg, city) []:Stockholm
Organization Name (eg, company) []:My Company, Ltd.
Organizational Unit Name (eg, section) []:Headquarters
Common Name (eg, fully qualified host name) []:*.my.domain
Email Address []:info@my.domain
3.2. Check content of extension file
$ cat ssl.cnf
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = crate-sthlm-01.my.domain
DNS.2 = crate-falk-01.my.domain
IP.1 = X.X.X.X
IP.2 = Y.Y.Y.Y
4. My computer - Sign certificate for Stockholm
4.1. Download Stockholm CSR
$ scp ivar@crate-sthlm-01.my.domain:/home/crate/crate-sthlm-01.csr .
crate-sthlm-01.csr 100% 1147 246.0KB/s 00:00
4.2. Generate certificate for Stockholm
$ openssl x509 -req -in crate-sthlm-01.csr -CA rootCA.crt -CAkey rootCA.key \
-CAcreateserial -out crate-sthlm-01.crt -sha256 -days 36500 -extfile ssl.cnf
Signature ok
subject=/C=SE/ST=Stockholm/L=Stockholm/O=My Company, Ltd./OU=My Company/CN=crate-sthlm-01.my.domain
Getting CA Private Key
4.3. Upload certificate to Stockholm
$ scp crate-sthlm-01.crt ivar@crate-sthlm-01.my.domain:~
crate-sthlm-01.crt 100% 1765 505.8KB/s 00:00
4.4. Upload root CA certificate to Stockholm
$ scp rootCA.crt ivar@crate-sthlm-01.my.domain:~
rootCA.crt 100% 1371 347.0KB/s 00:00
5. My computer - Sign certificate for Falkenberg
5.1. Download Falkenberg CSR
$ scp ivar@crate-falk-01.my.domain:/home/crate/crate-falk-01.csr .
crate-falk-01.csr 100% 1147 73.6KB/s 00:00
5.2. Generate certificate for Falkenberg
$ openssl x509 -req -in crate-falk-01.csr -CA rootCA.crt -CAkey rootCA.key \
-CAcreateserial -out crate-falk-01.crt -sha256 -days 36500 -extfile ssl.cnf
Signature ok
subject=/C=SE/ST=Stockholm/L=Stockholm/O=My Company, Ltd./OU=My Company/CN=crate-falk-01.my.domain
Getting CA Private Key
5.3. Upload certificate to Falkenberg
$ scp crate-falk-01.crt ivar@crate-falk-01.my.domain:~
crate-falk-01.crt 100% 1761 109.1KB/s 00:00
5.4. Upload root CA to Falkenberg
$ scp rootCA.crt ivar@crate-falk-01.my.domain:~
rootCA.crt 100% 1371 84.8KB/s 00:00
6. Stockholm - Import certificates
6.1. Move certificates to correct directory and set correct permissions
$ mv /home/ivar/*.crt . && chown crate:crate * && chmod 400 *
6.2. Check files
$ ls -l
total 16
-r-------- 1 crate crate 1765 Jun 2 08:44 crate-sthlm-01.crt
-r-------- 1 crate crate 1147 Jun 2 08:17 crate-sthlm-01.csr
-r-------- 1 crate crate 2834 Jun 2 08:14 keystore
-r-------- 1 crate crate 1371 Jun 2 08:46 rootCA.crt
6.3. Import root CA certificate
$ keytool -import -keystore keystore -file rootCA.crt -alias root_ca
Enter keystore password:
Owner: EMAILADDRESS=info@my.domain, CN=*.my.domain, OU=Headquarters, O="My Company, Ltd.", L=Stockholm, ST=Stockholm, C=SE
Issuer: EMAILADDRESS=info@my.domain, CN=*.my.domain, OU=Headquarters, O="My Company, Ltd.", L=Stockholm, ST=Stockholm, C=SE
Serial number: 808d1c8e2da5a10f
Valid from: Thu Jun 02 08:37:54 UTC 2022 until: Sat May 09 08:37:54 UTC 2122
Certificate fingerprints:
SHA1: A0:6B:FC:21:9A:30:05:38:61:C3:B1:57:70:5A:30:49:1E:D7:6C:4C
SHA256: 55:87:C7:29:AE:34:E2:7E:5C:13:6A:23:A4:66:86:B2:78:A6:FF:8B:0B:2B:6D:DC:49:32:15:FF:64:AD:95:C8
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1
Trust this certificate? [no]: yes
Certificate was added to keystore
6.4. Import signed certificate
$ keytool -import -keystore keystore -file crate-sthlm-01.crt -alias cert
Enter keystore password:
Certificate was added to keystore
6.5. Check keystore content
$ keytool -keystore keystore -list
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 3 entries
cert, Jun 2, 2022, trustedCertEntry,
Certificate fingerprint (SHA-256): 22:A9:8E:3E:38:E6:9C:F3:8F:4F:22:7C:10:73:AF:B5:06:E7:5C:40:FD:85:49:8B:E9:A4:F6:97:E7:C9:A3:02
private_key, Jun 2, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): A8:B2:37:7F:88:26:EC:6D:85:AA:A1:F0:43:46:6E:31:1E:2C:80:01:27:24:FD:C9:8B:4F:24:E2:8F:A8:80:E1
root_ca, Jun 2, 2022, trustedCertEntry,
Certificate fingerprint (SHA-256): 55:87:C7:29:AE:34:E2:7E:5C:13:6A:23:A4:66:86:B2:78:A6:FF:8B:0B:2B:6D:DC:49:32:15:FF:64:AD:95:C8
6.6. Check SSL config
$ cat /etc/crate/crate.yml
[...]
# Enable encrypted communication for the HTTP endpoints:
ssl.http.enabled: true
# Enable encrypted communication for the PostgreSQL wire protocol:
#ssl.psql.enabled: true
ssl.transport.mode: on
# The full path to the node keystore file
ssl.keystore_filepath: /home/crate/keystore
# The password used to decrypt the keystore_file.jks
ssl.keystore_password: my_password
# The password entered at the end of the keytool -genkey command if different
# than the keystore_password.
ssl.keystore_key_password: my_password
# Optional configuration for truststore
# The full path to the node truststore file
#ssl.truststore_filepath:
# The password used to decrypt the truststore_file.jks
#ssl.truststore_password:
# The frequency at which SSL files are monitored for changes
ssl.resource_poll_interval: 10s
[...]
6.7. Restart Crate
$ service crate restart
7. Falkenberg - Import certificates
7.1. Move certificates to correct directory and set correct permissions
$ mv /home/ivar/*.crt . && chown crate:crate * && chmod 400 *
7.2. Check files
$ ls -l
total 16
-r-------- 1 crate crate 1761 Jun 2 08:50 crate-falk-01.crt
-r-------- 1 crate crate 1147 Jun 2 08:27 crate-falk-01.csr
-r-------- 1 crate crate 2834 Jun 2 08:24 keystore
-r-------- 1 crate crate 1371 Jun 2 08:51 rootCA.crt
7.3. Import root CA certificate
$ keytool -import -keystore keystore -file rootCA.crt -alias root_ca
Enter keystore password:
Owner: EMAILADDRESS=info@my.domain, CN=*.my.domain, OU=Headquarters, O="My Company, Ltd.", L=Stockholm, ST=Stockholm, C=SE
Issuer: EMAILADDRESS=info@my.domain, CN=*.my.domain, OU=Headquarters, O="My Company, Ltd.", L=Stockholm, ST=Stockholm, C=SE
Serial number: 808d1c8e2da5a10f
Valid from: Thu Jun 02 08:37:54 UTC 2022 until: Sat May 09 08:37:54 UTC 2122
Certificate fingerprints:
SHA1: A0:6B:FC:21:9A:30:05:38:61:C3:B1:57:70:5A:30:49:1E:D7:6C:4C
SHA256: 55:87:C7:29:AE:34:E2:7E:5C:13:6A:23:A4:66:86:B2:78:A6:FF:8B:0B:2B:6D:DC:49:32:15:FF:64:AD:95:C8
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1
Trust this certificate? [no]: yes
Certificate was added to keystore
7.4. Import signed certificate
$ keytool -import -keystore keystore -file crate-falk-01.crt -alias cert
Enter keystore password:
Certificate was added to keystore
7.5. Check keystore content
$ keytool -keystore keystore -list
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 3 entries
cert, Jun 2, 2022, trustedCertEntry,
Certificate fingerprint (SHA-256): 3A:C0:98:41:B7:9A:52:7F:CF:5C:DB:44:3E:ED:91:1B:8C:1B:2B:B2:3C:65:BE:80:A6:7D:25:6D:7E:F5:80:52
private_key, Jun 2, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): E7:7E:9C:A7:0D:09:6A:95:4E:F3:9A:84:D3:60:9F:6A:0D:65:FC:45:D5:62:4A:95:48:21:35:AD:2F:DC:96:67
root_ca, Jun 2, 2022, trustedCertEntry,
Certificate fingerprint (SHA-256): 55:87:C7:29:AE:34:E2:7E:5C:13:6A:23:A4:66:86:B2:78:A6:FF:8B:0B:2B:6D:DC:49:32:15:FF:64:AD:95:C8
7.6. Check SSL config
$ cat /etc/crate/crate.yml
[...]
# Enable encrypted communication for the HTTP endpoints:
ssl.http.enabled: true
# Enable encrypted communication for the PostgreSQL wire protocol:
#ssl.psql.enabled: true
ssl.transport.mode: on
# The full path to the node keystore file
ssl.keystore_filepath: /home/crate/keystore
# The password used to decrypt the keystore_file.jks
ssl.keystore_password: my_password
# The password entered at the end of the keytool -genkey command if different
# than the keystore_password.
ssl.keystore_key_password: my_password
# Optional configuration for truststore
# The full path to the node truststore file
#ssl.truststore_filepath:
# The password used to decrypt the truststore_file.jks
#ssl.truststore_password:
# The frequency at which SSL files are monitored for changes
ssl.resource_poll_interval: 10s
[...]
7.7. Restart Crate
$ service crate restart
8. Result
Same as before.
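An added example (not code from the post above and not CrateDB's own tooling) that runs the whole issuing procedure with openssl only, on the signing machine, and ends with a check a practitioner would want before restarting a node: that the certificate paired with the private key inside the keystore is the CA-signed one. In the keystore listings above, `cert` is a separate trustedCertEntry while `private_key` still carries a certificate with a different fingerprint; keytool only attaches a signed certificate to a key when the certificate is imported under the key's own alias (here `private_key`). Building the PKCS12 directly with `openssl pkcs12 -export` sidesteps that, and each node gets only its own SAN entries rather than one shared ssl.cnf naming every host. The hostnames and the keystore password are reused from the post; the IPs (192.0.2.10 and 192.0.2.20, from TEST-NET-1), the certificate lifetimes, and the temporary working directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): private root CA, per-node
# CA-signed certificates with per-node SANs, and a PKCS12 keystore in
# which the signed certificate sits with the node's private key.
# Assumed/constructed: TEST-NET IPs 192.0.2.10/20, a temp working
# directory, lifetimes of 10 years (CA) and 825 days (leaf).
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to do" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KS_PASS='my_password'   # the value the post puts in ssl.keystore_password

# Minimal req config: an empty DN section (the subject comes from -subj)
# plus an extension section that marks the root as a CA.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Root CA: self-signed v3 certificate with CA:TRUE. rootCA.key never
# leaves the signing machine; only rootCA.crt goes to the nodes.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/rootCA.key" -out "$WORK/rootCA.crt" \
    -subj "/C=SE/O=My Company, Ltd./CN=My Company Root CA" \
    -config "$WORK/ca.cnf" -extensions v3_ca 2>/dev/null
}

# Per-node key, CSR and CA-signed leaf. The ext file names only this
# node's FQDN and IP, so one node's cert is not valid for the other.
issue_node_cert() {
  fqdn=$1; ip=$2
  openssl genrsa -out "$WORK/$fqdn.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$fqdn.key" -out "$WORK/$fqdn.csr" \
    -subj "/C=SE/O=My Company, Ltd./CN=$fqdn" -config "$WORK/ca.cnf"
  cat > "$WORK/$fqdn.ext" <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:$fqdn,IP:$ip
EOF
  openssl x509 -req -in "$WORK/$fqdn.csr" -CA "$WORK/rootCA.crt" \
    -CAkey "$WORK/rootCA.key" -CAcreateserial -sha256 -days 825 \
    -extfile "$WORK/$fqdn.ext" -out "$WORK/$fqdn.crt" 2>/dev/null
}

# Chain check: the leaf must validate against the root and its SAN must
# carry the node's FQDN.
verify_node_cert() {
  fqdn=$1
  openssl verify -CAfile "$WORK/rootCA.crt" "$WORK/$fqdn.crt" >/dev/null &&
  openssl x509 -in "$WORK/$fqdn.crt" -noout -text | grep -q "DNS:$fqdn"
}

# PKCS12 keystore: key and CA-signed leaf under the alias private_key,
# root certificate included as an extra cert.
build_keystore() {
  fqdn=$1
  openssl pkcs12 -export -inkey "$WORK/$fqdn.key" -in "$WORK/$fqdn.crt" \
    -certfile "$WORK/rootCA.crt" -name private_key \
    -out "$WORK/$fqdn.keystore" -passout "pass:$KS_PASS"
}

# Returns 0 only if the certificate paired with the key inside the
# keystore was issued by the root (not a self-signed placeholder).
keystore_cert_is_ca_signed() {
  fqdn=$1
  ca_subject=$(openssl x509 -in "$WORK/rootCA.crt" -noout -subject -nameopt RFC2253)
  leaf_issuer=$(openssl pkcs12 -in "$WORK/$fqdn.keystore" -passin "pass:$KS_PASS" \
                  -nokeys -clcerts 2>/dev/null |
                openssl x509 -noout -issuer -nameopt RFC2253)
  [ "${ca_subject#subject=}" = "${leaf_issuer#issuer=}" ]
}

make_ca
for node in "crate-sthlm-01.my.domain 192.0.2.10" "crate-falk-01.my.domain 192.0.2.20"; do
  set -- $node
  issue_node_cert "$1" "$2"
  verify_node_cert "$1"
  build_keystore "$1"
  keystore_cert_is_ca_signed "$1"
  echo "$1: keystore holds the CA-signed certificate"
done
```

The resulting `<fqdn>.keystore` is what goes to `/home/crate/keystore` on each node (owned by `crate`, mode 400, since `crate.yml` holds the password in clear text). After the restart, `openssl s_client -connect crate-sthlm-01.my.domain:4200 -CAfile rootCA.crt` shows the chain the HTTP endpoint actually serves; the leaf's issuer should be the root CA's subject, not the node's own name. One caveat: OpenSSL 3 writes PKCS12 files with AES-based encryption by default, and an older Java on the node may not open them; `pkcs12 -export -legacy` produces the older encryption if that happens.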