Generating Keystores and Truststores: Unique Admin Key

This example demonstrates generating a truststore consisting of a CA certificate for the Unique Admin Key model. The corresponding CA key is then used to generate a signed certificate for each NuoDB Admin Process (AP). All NuoDB APs will have identical truststores, but each will have a unique keystore consisting of its own CA-signed key pair certificate.

The following commands must be run as a user who has write access to /etc/nuodb/keys.

1. Generate a CA key pair used to sign each admin certificate.

nuocmd create keypair --keystore ca.p12 --store-password "$PASSWD" --ca --dname "CN=ca"

2. Import the CA certificate generated in step 1 into a truststore.

nuocmd import certificate --keystore ca.p12 --store-password "$PASSWD" \
   --truststore nuoadmin-truststore.p12 --truststore-password "$PASSWD"

3. Generate a key pair certificate to be used by nuocmd.

nuocmd create keypair --keystore nuocmd.p12 --store-password "$PASSWD" --dname "CN=nuocmd"

4. Import the client certificate generated (step 3) into the truststore created (step 2).

nuocmd import certificate --keystore nuocmd.p12 --store-password "$PASSWD" \
   --truststore nuoadmin-truststore.p12 --truststore-password "$PASSWD"

5. Convert the client key and certificate to PEM format so that they can be used by nuocmd.

nuocmd show certificate --keystore nuocmd.p12 --store-password "$PASSWD" > nuocmd.pem

6. Convert the CA certificate to PEM format so that it can be used by nuocmd.

nuocmd show certificate --keystore ca.p12 --store-password "$PASSWD" --cert-only > ca.cert

7. For every host running APs, copy the truststore to the NuoDB config directory, and also make PEM files available on any host that will run nuocmd.

cp nuoadmin-truststore.p12 nuocmd.pem ca.cert /etc/nuodb/keys
chown -R nuodb:nuodb /etc/nuodb/keys

8. For every host running APs, generate a CA-signed key pair certificate.

Generate the key pair certificate

nuocmd create keypair --keystore nuoadmin.p12 --store-password "$PASSWD" --ca

Sign the certificate with CA key

nuocmd sign certificate --keystore nuoadmin.p12 --store-password "$PASSWD" --update --ca \
   --ca-keystore ca.p12 --ca-store-password "$PASSWD"

Copy the keystore to the config directory

cp nuoadmin.p12 /etc/nuodb/keys
chown nuodb:nuodb /etc/nuodb/keys/nuoadmin.p12

9. For every host running APs, update nuoadmin.conf so that TLS is enabled and the generated certificate files are specified.

...
"ssl": "true",
"keystore": "/etc/nuodb/keys/nuoadmin.p12",
"keystore-type": "PKCS12",
"keystore-password": "<PASSWD value>",
"truststore": "/etc/nuodb/keys/nuoadmin-truststore.p12",
"truststore-type": "PKCS12",
"truststore-password": "<PASSWD value>",
...

10. For every host running APs, shut down and restart the AP so that the configuration changes take effect.

systemctl restart nuoadmin

11. Set the NUOCMD_CLIENT_KEY and NUOCMD_VERIFY_SERVER environment variables to allow nuocmd to authenticate itself and verify NuoDB APs using HTTPS.

Set the variables

export NUOCMD_CLIENT_KEY=/etc/nuodb/keys/nuocmd.pem
export NUOCMD_VERIFY_SERVER=/etc/nuodb/keys/ca.cert

Verify that the client can communicate with the admin

nuocmd show domain

Get the certificate data to verify that TLS is enabled

nuocmd --show-json get certificate-info
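As an added example that is not part of the NuoDB documentation, the following POSIX shell script checks, on one AP host, that the step 9 settings were actually applied before the AP is restarted: ssl is enabled, both stores are declared as PKCS12 and point at files that exist, the literal "<PASSWD value>" placeholder has been replaced, and the keystore (which holds the AP's private key) is not readable by other users. It assumes nuoadmin.conf keeps one "key": "value" pair per line as shown above; the make_sample_config function builds a constructed fixture with empty stand-in store files so the check can be exercised without a NuoDB installation.

```shell
#!/bin/sh
# Added example, not NuoDB's own tooling. Assumes nuoadmin.conf holds one
# "key": "value" pair per line, as in the fragment shown in step 9.

# Print one line per finding and return the number of findings (0 = clean).
check_nuoadmin_tls() {
    conf="$1"
    findings=0
    if [ ! -r "$conf" ]; then
        echo "config not readable: $conf"
        return 1
    fi
    # TLS must be switched on
    grep -Eq '"ssl"[[:space:]]*:[[:space:]]*"true"' "$conf" || {
        echo "ssl is not \"true\" in $conf"; findings=$((findings + 1)); }
    # the placeholder from the documentation must have been replaced
    if grep -q '<PASSWD value>' "$conf"; then
        echo "placeholder <PASSWD value> still present in $conf"
        findings=$((findings + 1))
    fi
    for store in keystore truststore; do
        # extract the path from the line "<store>": "<path>"
        path=$(sed -n "s/^[[:space:]]*\"$store\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$conf")
        if [ -z "$path" ]; then
            echo "$store path missing in $conf"; findings=$((findings + 1)); continue
        fi
        grep -Eq "\"$store-type\"[[:space:]]*:[[:space:]]*\"PKCS12\"" "$conf" || {
            echo "$store-type is not PKCS12 in $conf"; findings=$((findings + 1)); }
        if [ ! -f "$path" ]; then
            echo "$store file does not exist: $path"; findings=$((findings + 1)); continue
        fi
        # the keystore contains the AP's private key: flag it if "other" can read it
        if [ "$store" = keystore ] && [ -n "$(find "$path" -perm -004 2>/dev/null)" ]; then
            echo "$store is world-readable: $path"; findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed fixture (not a real installation): empty stand-in store files and a
# nuoadmin.conf pointing at them. Prints the path of the generated config.
make_sample_config() {
    dir="$1"
    password="${2:-example-password}"
    : > "$dir/nuoadmin.p12"
    : > "$dir/nuoadmin-truststore.p12"
    chmod 600 "$dir/nuoadmin.p12" "$dir/nuoadmin-truststore.p12"
    cat > "$dir/nuoadmin.conf" <<EOF
{
    "ssl": "true",
    "keystore": "$dir/nuoadmin.p12",
    "keystore-type": "PKCS12",
    "keystore-password": "$password",
    "truststore": "$dir/nuoadmin-truststore.p12",
    "truststore-type": "PKCS12",
    "truststore-password": "$password"
}
EOF
    echo "$dir/nuoadmin.conf"
}

# Stand-alone use: sh check_nuoadmin_tls.sh /etc/nuodb/nuoadmin.conf
if [ -n "${1:-}" ]; then
    check_nuoadmin_tls "$1"
fi
```

Run it with the real config path on each AP host after step 9; a non-zero exit status means at least one of the listed conditions was not met, and each finding is printed on its own line.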