
security: allow separate CA to verify client certificates. #27636

Merged (1 commit) on Jul 23, 2018

Commits on Jul 20, 2018

  1. security: allow separate CA to verify client certificates.

    Part of cockroachdb#26630.
    
    This PR adds the following optional files in the certs directory:
    - `client.node.crt` (and associated `.key`): client certificate for the
      node user
    - `ca-client.crt`: certificate to verify client certificates
    
    This allows for split server/client certificates signed by different
    CAs.
    
    If `ca-client.crt` exists, it is used in the node's server-side TLS.Config
    CertPool for client certificate verification. Otherwise, we fall back on
    `ca.crt`.
    
    If `client.node.crt` exists, it is used in the node's client-side
    TLS.Config as the client certificate. Otherwise, we fall back on
    `node.crt`. At load-time, we verify that the certificate to use contains
    `CN=node` and `ExtendedKeyUsage=ClientAuth`.
    
    Other bits in this PR:
    - add `cockroach cert create-client-ca` command
    - use client CA to sign client certs if present
    - show client CA on `cockroach cert list`
    - show all certs in debug page
    - metric for client CA and node client expiration times
    
    Release note (general change): allow separate CA for client certificates
    marc committed Jul 20, 2018
    ff877b1