Question about Mutual Mode SSL Server Authentication with Vertica for multiple vertica users
Hi,
1. We are generating the server.key using the following command:
openssl req -new -newkey rsa:2048 -nodes -out //server.csr -keyout //server.key -subj '/C=CA/ST=Alberta/L=Calgary/O=Company name/OU=Information Technology/CN=verticaDB.internal.com'
2. We are using a server.crt generated by a signing authority, where server.csr is used.
3. We are generating the client certificates using the following command:
openssl req -new -x509 -newkey rsa:2048 -nodes -out //client.crt -keyout //client.key -subj '/C=CA/ST=Alberta/L=Calgary/O=Company name/OU=Information Technology/CN=User1'
As can be noted, we are using the CN=User1 argument.
4. Now at the Vertica side we are doing the following steps:
Copy server.key and server.crt files into /data/DB1/v_DB1_node0001_catalog
Copy client.crt to /data/DB1/v_DB1_node0001_catalog and rename it to root.crt
As you can note, we are using the client.crt generated at step 3 as root.crt.
5. Manually loading the certificates and keys
ALTER DATABASE SET SSLPrivateKey = 'cat server.key';
ALTER DATABASE SET SSLCertificate = 'cat server.crt';
ALTER DATABASE SET SSLCA = 'cat root.crt';
Question:
Now the question is: if we have another user, we will be generating another client certificate for that user, say User2, as below:
openssl req -new -x509 -newkey rsa:2048 -nodes -out //client1.crt -keyout //client1.key -subj '/C=CA/ST=Alberta/L=Calgary/O=Company name/OU=Information Technology/CN=User2'
So how do we manage root.crt? Can we just append to the original root.crt file like below:
cat client.crt >> root0.crt
cat client1.crt >> root0.crt
cp root0.crt root.crt
and then load the combined root.crt file into Vertica using the SQL below:
ALTER DATABASE SET SSLCA = 'cat root.crt';
Will that work?
Best Answers
This issue has been answered by Vertica Support.
The idea is to use the server root.crt certificate to sign the client certificates and use the server root.crt certificate as SSLCA. With that multiple client certificates can be used at client applications.
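The approach in the answer, worked through with the openssl CLI as an added example (not from the original thread or from Vertica): one private CA issues the per-user client certificates, and that same CA certificate is the file loaded as SSLCA. File names, the CA subject and the temporary directory are constructed for the demo; the openssl CLI must be installed.

```shell
#!/bin/sh
# Added example: a throwaway CA (root.crt) signs a client certificate per
# user, and a single CA file validates all of them. Paths and subjects are
# constructed for the demo and are not the original poster's files.
set -eu

issue_client_cert() {
    # $1 = working dir, $2 = client CN (the Vertica user, e.g. User1)
    dir=$1; cn=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$cn.key" -out "$dir/$cn.csr" \
        -subj "/C=CA/ST=Alberta/L=Calgary/O=Company name/CN=$cn" >/dev/null 2>&1
    # Sign the CSR with the CA instead of using -x509 (self-signed), so the
    # client certificate chains to root.crt.
    openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 365 -out "$dir/$cn.crt" >/dev/null 2>&1
}

demo_mutual_tls_ca() {
    dir=$(mktemp -d)
    # 1. One private CA. root.crt is the only file that goes into SSLCA.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/root.key" -out "$dir/root.crt" \
        -subj "/C=CA/ST=Alberta/L=Calgary/O=Company name/CN=Demo Client CA" >/dev/null 2>&1
    # 2. A client certificate per user, each signed by that CA. Adding a
    #    third user later means issuing one more cert; root.crt is untouched.
    issue_client_cert "$dir" User1
    issue_client_cert "$dir" User2
    # 3. The chain check the server performs against SSLCA: both must pass.
    openssl verify -CAfile "$dir/root.crt" "$dir/User1.crt" "$dir/User2.crt" >/dev/null
    # 4. Contrast: a self-signed client cert (the original step 3) that is
    #    not in root.crt fails the same check, so it cannot log in.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/self.key" -out "$dir/self.crt" -subj "/CN=User3" >/dev/null 2>&1
    if openssl verify -CAfile "$dir/root.crt" "$dir/self.crt" >/dev/null 2>&1; then
        echo "unexpected: self-signed cert verified against the CA" >&2
        rm -rf "$dir"; return 1
    fi
    rm -rf "$dir"
    echo "User1 and User2 certificates both chain to root.crt"
}

demo_mutual_tls_ca
```

Once root.crt is the CA certificate, the ALTER DATABASE SET SSLCA step from the question is done once, and new users only need a certificate signed by that CA.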