Generating Keystores and Truststores: Unique Admin Key

This example demonstrates generating a truststore consisting of a CA certificate for the Unique Admin Key model. The corresponding CA key is then used to generate a signed certificate for each NuoDB Admin Process (AP). All NuoDB APs will have identical truststores, but each will have a unique keystore consisting of its own CA-signed key pair certificate.

The following commands must be run as a user who has write access to /etc/nuodb/keys.

1. Generate a CA key pair used to sign each admin certificate.

nuocmd create keypair --keystore ca.p12 --store-password "$PASSWD" --ca --dname "CN=ca"

2. Import the CA certificate generated in step 1 into a truststore.

nuocmd import certificate --keystore ca.p12 --store-password "$PASSWD" \
   --truststore nuoadmin-truststore.p12 --truststore-password "$PASSWD"

3. Generate a key pair certificate to be used by NuoDB Command clients.

nuocmd create keypair --keystore nuocmd.p12 --store-password "$PASSWD" --dname "CN=nuocmd"

4. Import the client certificate generated in step 3 into the truststore created in step 2.

nuocmd import certificate --keystore nuocmd.p12 --store-password "$PASSWD" \
   --truststore nuoadmin-truststore.p12 --truststore-password "$PASSWD"

5. Convert the client key and certificate to PEM format so that they can be used by NuoDB Command.

nuocmd show certificate --keystore nuocmd.p12 --store-password "$PASSWD" > nuocmd.pem

6. Convert the CA certificate to PEM format so that it can be used by NuoDB Command.

nuocmd show certificate --keystore ca.p12 --store-password "$PASSWD" --cert-only > ca.cert

7. For every host running APs, copy the truststore to the NuoDB config directory, and also make PEM files available on any host that will run NuoDB Command.

cp nuoadmin-truststore.p12 nuocmd.pem ca.cert /etc/nuodb/keys
chown -R nuodb:nuodb /etc/nuodb/keys

8. For every host running APs, generate a CA-signed key pair certificate.

Generate the key pair certificate

nuocmd create keypair --keystore nuoadmin.p12 --store-password "$PASSWD" --ca

Sign the certificate with CA key

nuocmd sign certificate --keystore nuoadmin.p12 --store-password "$PASSWD" --update --ca \
   --ca-keystore ca.p12 --ca-store-password "$PASSWD"

Copy the keystore to the config directory

cp nuoadmin.p12 /etc/nuodb/keys
chown nuodb:nuodb /etc/nuodb/keys/nuoadmin.p12

9. For every host running APs, update nuoadmin.conf so that TLS is enabled and the generated certificate files are specified.

...
"ssl": "true",
"keystore": "/etc/nuodb/keys/nuoadmin.p12",
"keystore-type": "PKCS12",
"keystore-password": "<PASSWD value>",
"truststore": "/etc/nuodb/keys/nuoadmin-truststore.p12",
"truststore-type": "PKCS12",
"truststore-password": "<PASSWD value>",
...

10. For every host running APs, shut down and restart the AP so that the configuration changes take effect.

systemctl restart nuoadmin

11. Set the NUOCMD_CLIENT_KEY and NUOCMD_VERIFY_SERVER environment variables to allow NuoDB Command to authenticate itself and verify NuoDB APs using HTTPS.

Set the variables

export NUOCMD_CLIENT_KEY=/etc/nuodb/keys/nuocmd.pem
export NUOCMD_VERIFY_SERVER=/etc/nuodb/keys/ca.cert

Verify that the client can communicate with the admin

nuocmd show domain

Get the certificate data to verify that TLS is enabled

nuocmd --show-json get certificate-info
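As an added check that is not part of the NuoDB documentation or the nuocmd tool, the following script validates that a host's nuoadmin.conf carries the TLS settings from step 9 (TLS on, both PKCS12 stores named, no "<PASSWD value>" placeholder left in) and, with check_files=True, that the keystore and truststore exist, are owned by nuodb as in steps 7 and 8, and are not accessible to other users. The embedded configuration is a constructed sample, and the file-mode rule is an assumption, not a NuoDB requirement.

```python
import os
import pwd
import stat

REQUIRED_KEYS = ("keystore", "keystore-type", "keystore-password",
                 "truststore", "truststore-type", "truststore-password")
PLACEHOLDER = "<PASSWD value>"  # the step-9 placeholder that must be replaced

def check_tls_config(conf, check_files=False, owner="nuodb"):
    """Return problems found in a parsed nuoadmin.conf dict (json.load of the
    file); an empty list means the TLS settings match steps 7-9. With
    check_files=True the stores are also checked for existence, ownership and
    mode (the no-group/other-access rule is an assumption, not a NuoDB rule)."""
    problems = []
    if str(conf.get("ssl", "")).lower() != "true":
        problems.append('"ssl" is not "true": TLS is disabled')
    for key in REQUIRED_KEYS:
        if not conf.get(key):
            problems.append(f'"{key}" is missing or empty')
    for key in ("keystore-type", "truststore-type"):
        if conf.get(key) and str(conf[key]).upper() != "PKCS12":
            problems.append(f'"{key}" is {conf[key]!r}, expected "PKCS12"')
    for key in ("keystore-password", "truststore-password"):
        if conf.get(key) == PLACEHOLDER:
            problems.append(f'"{key}" still holds the placeholder {PLACEHOLDER!r}')
    if check_files:
        for key in ("keystore", "truststore"):
            path = conf.get(key)
            if not path: continue
            try:
                st = os.stat(path)
            except OSError as exc:
                problems.append(f'"{key}" path {path}: {exc}')
                continue
            if pwd.getpwuid(st.st_uid).pw_name != owner:
                problems.append(f'{path} is not owned by {owner} (see chown in steps 7 and 8)')
            if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append(f'{path} is accessible to group/others (mode {stat.filemode(st.st_mode)})')
    return problems

# Constructed sample (not taken from a real host): the step-9 fragment with the
# passwords still left as placeholders, so two problems are expected.
SAMPLE_CONF = {
    "ssl": "true",
    "keystore": "/etc/nuodb/keys/nuoadmin.p12", "keystore-type": "PKCS12",
    "keystore-password": "<PASSWD value>",
    "truststore": "/etc/nuodb/keys/nuoadmin-truststore.p12", "truststore-type": "PKCS12",
    "truststore-password": "<PASSWD value>",
}
```

On a real host, pass json.load(open("/etc/nuodb/nuoadmin.conf")) with check_files=True and treat any returned line as a configuration problem to fix before restarting the AP.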