Custom certificates and keys

The following requirements apply to custom certificates for individual replication nodes.

  • The certificate and key must be in PEM format.
  • All node certificates must be signed by the same Certificate Authority (CA).
  • All domain names and addresses listed in the Subject Alternative Name (SAN) field must be correct for that node.
  • The SAN must also contain 127.0.0.1 and localhost.
  • A key password must be supplied, and it must not have any leading or trailing white space.
Note: You can provide an encrypted key if its password is the same as the expected PKCS#8 password; the script decrypts the key for use with NRS. The password on the PKCS#8 key satisfies a hard requirement from Kafka: the script takes the unencrypted key and generates an encrypted PKCS#8 key with the supplied password for Kafka and for other setup. The unencrypted key itself is used by replmgmt and nzdr.

Guidance on SAN

Use a domain.ext file to specify the SAN when creating node certificates.

For example:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = your.fqdn.here.com
DNS.2 = alternate.short.name
DNS.3 = localhost
IP.1 = 127.0.0.1
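The requirements and the SAN guidance above, worked through end to end as an added example (this is not code from the product documentation or from the installation scripts): a POSIX shell script that uses openssl to create one CA, a node key and CSR, a domain.ext file in the layout shown above, the CA-signed node certificate, the password file and the encrypted PKCS#8 copy of the key, and then checks the result against each requirement. The host names e1-nrs.example.com and e1-nrs, the output file names and the password are assumed values for illustration; the product's own scripts may expect different file names.

```shell
#!/bin/sh
# Added example, not from the product documentation: generate a CA-signed node
# certificate that satisfies the requirements above, then check it.
# Node names, file names and the password are assumed values; openssl is required.
set -eu

# make_node_cert DIR CA FQDN SHORT PASSWORD
# Creates the CA on first use (every node certificate must be signed by the
# same CA), an unencrypted node key, a CSR, the domain.ext from the SAN
# guidance, the signed node certificate, the password file and the encrypted
# PKCS#8 copy of the key that Kafka needs.
make_node_cert() {
    dir=$1; ca=$2; fqdn=$3; short=$4; pass=$5
    mkdir -p "$dir"
    if [ ! -f "$dir/$ca.pem" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=$ca" \
            -keyout "$dir/${ca}_key.pem" -out "$dir/$ca.pem" 2>/dev/null
    fi
    # Unencrypted PEM key (the form replmgmt and nzdr use) and a CSR for the node
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$fqdn" \
        -keyout "$dir/${short}_key.pem" -out "$dir/$short.csr" 2>/dev/null
    # domain.ext: the node's names plus the mandatory localhost and 127.0.0.1
    cat > "$dir/$short.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $fqdn
DNS.2 = $short
DNS.3 = localhost
IP.1 = 127.0.0.1
EOF
    openssl x509 -req -in "$dir/$short.csr" -CA "$dir/$ca.pem" -CAkey "$dir/${ca}_key.pem" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/$short.ext" -out "$dir/$short.pem" 2>/dev/null
    # Password file written without a trailing newline, so nothing can be read as white space
    printf '%s' "$pass" > "$dir/${short}_pass"
    # Encrypted PKCS#8 key for Kafka, protected with the same password
    openssl pkcs8 -topk8 -in "$dir/${short}_key.pem" -passout "file:$dir/${short}_pass" \
        -out "$dir/${short}_key_pkcs8.pem"
}

# check_node_cert DIR CA SHORT
# Verifies the requirements: PEM format, signed by the CA, key matches the
# certificate, SAN contains localhost and 127.0.0.1, password file is non-empty
# with no leading/trailing blanks, and the PKCS#8 key opens with that password.
check_node_cert() {
    dir=$1; ca=$2; short=$3
    cert="$dir/$short.pem"; key="$dir/${short}_key.pem"; passfile="$dir/${short}_pass"
    openssl x509 -in "$cert" -inform PEM -noout 2>/dev/null || { echo "$short: certificate is not PEM"; return 1; }
    openssl pkey -in "$key" -inform PEM -noout 2>/dev/null || { echo "$short: key is not PEM"; return 1; }
    openssl verify -CAfile "$dir/$ca.pem" "$cert" >/dev/null 2>&1 || { echo "$short: not signed by $ca"; return 1; }
    pub=$(openssl x509 -in "$cert" -noout -pubkey)
    [ "$pub" = "$(openssl pkey -in "$key" -pubout)" ] || { echo "$short: key does not match certificate"; return 1; }
    # The SAN is the line after the "Subject Alternative Name" header in -text output
    san=$(openssl x509 -in "$cert" -noout -text | sed -n '/Subject Alternative Name/{n;p;}')
    case "$san" in *DNS:localhost*) ;; *) echo "$short: SAN lacks localhost"; return 1 ;; esac
    case "$san" in *"IP Address:127.0.0.1"*) ;; *) echo "$short: SAN lacks 127.0.0.1"; return 1 ;; esac
    if [ ! -s "$passfile" ] || grep -q '^[[:blank:]]' "$passfile" || grep -q '[[:blank:]]$' "$passfile"; then
        echo "$short: password file is empty or has leading/trailing white space"; return 1
    fi
    [ "$(openssl pkey -in "$dir/${short}_key_pkcs8.pem" -passin "file:$passfile" -pubout 2>/dev/null)" = "$pub" ] \
        || { echo "$short: PKCS#8 key does not open with the password file"; return 1; }
    echo "$short: all checks passed"
}

# Usage with assumed names: one CA, one node, then the checks
workdir=$(mktemp -d)
make_node_cert "$workdir" cacert e1-nrs.example.com e1-nrs 'S3cretPass'
check_node_cert "$workdir" cacert e1-nrs
```

Run the script once per node with the same DIR and CA name so that every node certificate is issued by the one CA; check_node_cert prints the first failed requirement and returns 1, which makes it usable as a gate before the files are copied to the nodes.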

Managing definitions of certificates, keys, and passwords

To manage certificates, keys, and passwords, use a single configuration file for the whole replication system. In this YAML file, list the certificate, key, and password file locations for each of your replication nodes.

After the certificates, keys, and password files are generated and copied to all replication nodes, use this YAML file to deploy them, either post-installation with the nrscertmgr tool or during initial deployment with the cpds_deploynrs tool.

The file structure in YAML format is shown in the following example.

certs:
  cacert: 
    cert: /path/to/cacert.pem # CA certificate that signed all the node certificates below
  nodes:
    nodeA:
      cert: /path/to/nodeA_certificate.pem # Certificate for nodeA
      key: /path/to/nodeA_certificate_key.pem # Key for above
      password: /root/certs/nodeA_certificate_key_passfile # Password for above
    nodeB:
      cert: /path/to/nodeB_certificate.pem # Certificate for nodeB
      key: /path/to/nodeB_certificate_key.pem # Key for above
      password: /root/certs/nodeB_certificate_key_passfile # Password for above
Each node uses only its own certificate, key, and password file, plus the CA certificate. For example:
certs:
  cacert: 
    cert: /root/certs/cacert.pem
  nodes:
    e1-nrs:
      cert: /root/certs/e1-nrs.pem
      key: /root/certs/e1-nrs_key.pem
      password: /root/certs/e1-nrs_pass
    e2-nrs:
      cert: /root/certs/e2-nrs.pem
      key: /root/certs/e2-nrs_key.pem
      password: /root/certs/e2-nrs_pass
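An added example, not part of nrscertmgr or cpds_deploynrs: a shell script (requires openssl and awk) that reads a file in the layout above and checks every node's entries before the file is handed to the deployment tools. It assumes the fixed two-level structure shown on this page (cacert: cert, then one cert/key/password triple per node, one path per line, optional # comments) and is not a general YAML parser. The sample file it writes uses the /root/certs paths from the example above, which are assumed.

```shell
#!/bin/sh
# Added example, not product code: parse the certificate YAML described above
# and check each node's files before deployment. Assumes the fixed layout on
# this page; paths must not contain spaces. Requires openssl and awk.
set -eu

# config_rows FILE: print one line per node, "<node> <cacert> <cert> <key> <password>"
config_rows() {
    awk '
        { sub(/#.*/, "") }                               # drop trailing comments
        /^[[:space:]]*$/ { next }                        # skip blank lines
        $1 == "cacert:" { sec = "ca"; next }
        $1 == "nodes:"  { sec = "nodes"; next }
        sec == "ca"    && $1 == "cert:" { ca = $2; next }
        sec == "nodes" && NF == 1 && $1 ~ /:$/ {         # "<node>:" line
            node = $1; sub(/:$/, "", node); order[++n] = node; next
        }
        sec == "nodes" && $1 == "cert:"     { cert[node] = $2 }
        sec == "nodes" && $1 == "key:"      { key[node]  = $2 }
        sec == "nodes" && $1 == "password:" { pass[node] = $2 }
        END {
            for (i = 1; i <= n; i++) { m = order[i]; print m, ca, cert[m], key[m], pass[m] }
        }
    ' "$1"
}

# validate_config FILE: prints one line per problem and returns 1 if any check
# failed. Checks: all four files readable, node certificate signed by the
# shared CA, key belongs to the certificate (an encrypted key is opened with
# the node's password file, as the note above allows), and the password file
# has no leading or trailing blanks.
validate_config() {
    rows=$(config_rows "$1")
    [ -n "$rows" ] || { echo "no nodes found in $1"; return 1; }
    rc=0
    while read -r node ca cert key pass; do
        ok=1
        for f in "$ca" "$cert" "$key" "$pass"; do
            [ -r "$f" ] || { echo "$node: cannot read $f"; ok=0; }
        done
        [ "$ok" = 1 ] || { rc=1; continue; }
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
            || { echo "$node: $cert is not signed by $ca"; rc=1; }
        if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != \
             "$(openssl pkey -in "$key" -passin "file:$pass" -pubout 2>/dev/null)" ]; then
            echo "$node: $key does not match $cert"; rc=1
        fi
        if grep -q '^[[:blank:]]' "$pass" || grep -q '[[:blank:]]$' "$pass"; then
            echo "$node: $pass has leading or trailing white space"; rc=1
        fi
    done <<EOF
$rows
EOF
    return $rc
}

# Usage: parse a sample file in the page's layout (constructed here; the
# /root/certs paths are assumed and need not exist for parsing alone)
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
certs:
  cacert: 
    cert: /root/certs/cacert.pem # CA certificate
  nodes:
    e1-nrs:
      cert: /root/certs/e1-nrs.pem
      key: /root/certs/e1-nrs_key.pem
      password: /root/certs/e1-nrs_pass
    e2-nrs:
      cert: /root/certs/e2-nrs.pem
      key: /root/certs/e2-nrs_key.pem
      password: /root/certs/e2-nrs_pass
EOF
config_rows "$cfg"
rm -f "$cfg"
```

Run validate_config against the real file on the host where the certificate, key, and password files have been copied; a non-zero exit means at least one node entry would fail once nrscertmgr or cpds_deploynrs tries to use it.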