Generating a private-public key pair by using OpenSSL

Learn how to generate a private-public key pair by using OpenSSL.

About this task

Key-based authentication involves generating a pair of cryptographic key files. These files consist of a private key and a public key, which uniquely identifies the user. Key pair authentication provides an enhanced level of security for authentication when compared to basic methods such as using a username and password. This authentication method requires a 2048-bit RSA key pair.

Generate a private-public key pair for Privacy Enhanced Mail (PEM) by using OpenSSL.
Note: Key pair authentication is supported only for the Snowflake database in the Database connector.

Procedure

  1. Install OpenSSL on your system.
  2. Open a command prompt to use OpenSSL commands to generate the key pair.
  3. Generate a private key and certificate by using the following command:

    openssl req -x509 -newkey rsa:2048 -keyout {privatekey.pem} -out {cert.pem} -sha256 -days 730 -nodes -subj "/C={country}/ST={state}/L={city}/O={organization}/OU={organization unit}/CN={common_name}"

    Example - openssl req -x509 -newkey rsa:2048 -keyout privatekey.pem -out my_cert.pem -sha256 -days 730 -nodes -subj "/C=US/ST=Ohio/L=Columbus/O=Software Co/OU=Adapters/CN=soco"

    This command generates a 2048-bit RSA private key in PEM format, for example: -----BEGIN PRIVATE KEY----- MIIE6T... -----END PRIVATE KEY-----

  4. After you have the private key, generate the corresponding public key by using the following command: openssl rsa -in {privatekey.pem} -pubout -out {publickey.pub}

    Example - openssl rsa -in privatekey.pem -pubout -out pubkey.pub

    This command extracts the public key from the private key in PEM format, for example: -----BEGIN PUBLIC KEY----- MIIBIj... -----END PUBLIC KEY-----

    Securely store both the private and public keys in a local directory and record the path to the files. The private key is saved in the PKCS#12 format and encrypted using the passphrase.

  5. Generate a keystore file in either pkcs12 or jks format by using the following command: openssl pkcs12 -export -name {alias} -in {cert.pem} -inkey {privatekey.pem} -out {key.p12}

    Example - openssl pkcs12 -export -name privatekey -in my_cert.pem -inkey privatekey.pem -out mykeystore.p12

  6. Next, configure the Snowflake database for key pair authentication.
    • Create a username and password in Snowflake.
    • Assign your public key to your Snowflake user to use key-pair authentication. You must have the ACCOUNTADMIN role to make edits to a user.
    • Alter the user to use key pair authentication by using the following command in Snowflake. Replace the rsa_public_key value with the content from your public key file, without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines, as in the example:

      alter user <your_username> set rsa_public_key='<your_public_key>'

      Example - ALTER USER JOHN SET RSA_PUBLIC_KEY='MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtD7m97G2h9sNdkWeDBeyFhgUPLu2wbccYXT3vXwDudL2qFm7W6PxVaEj/k1bFeKcOHDI2jVVeHzU1awg1wxBJ3Jd2GJ9dYNmjGhovLSrthbKbGMavlwU+QIDAQAB'

  7. Add the keystore file that is generated earlier by clicking Projects > Select a Project > Configurations > General > Certificates > New Certificate > Keystore.
  8. Go to the Connectors tab and select the Database connector.
  9. Add the details in the Basic configuration section.
  10. In the Advanced configuration section, select the Keystore alias. Also set the Other properties as required.
  11. Test the connection to verify the database connection. If the connectivity is successful, a success message appears.
  12. Test the key pair authentication by connecting to Snowflake by using the Snowflake client. You are able to log in without entering a password.
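
The following script is an added example, not part of the original procedure or the product's own tooling. It runs steps 3 to 5 non-interactively with the page's example file names and alias, then checks the key size, that the public key matches the certificate, and that the keystore holds the alias, and prints the ALTER USER statement from step 6. The function names and the P12_PASS environment variable (the keystore passphrase) are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: steps 3-5 run non-interactively, then checked before upload.
# File names and alias are the page's example values; the function names and
# the P12_PASS environment variable are assumptions of this sketch.
set -eu

gen_keypair() {  # usage: gen_keypair <output-dir>
  : "${P12_PASS:?export P12_PASS (keystore passphrase) first}"
  (
    cd "$1"
    umask 077    # -nodes writes privatekey.pem unencrypted: owner-only access
    openssl req -x509 -newkey rsa:2048 -keyout privatekey.pem -out my_cert.pem \
      -sha256 -days 730 -nodes \
      -subj "/C=US/ST=Ohio/L=Columbus/O=Software Co/OU=Adapters/CN=soco"
    openssl rsa -in privatekey.pem -pubout -out pubkey.pub
    # Passphrase comes from the environment, so it is not visible in argv.
    openssl pkcs12 -export -name privatekey -in my_cert.pem \
      -inkey privatekey.pem -out mykeystore.p12 -passout env:P12_PASS
  )
}

key_is_rsa2048() {  # the page requires a 2048-bit RSA key pair
  openssl rsa -in "$1" -noout -text 2>/dev/null | grep -q 'Private-Key: (2048 bit'
}

pub_matches_cert() {  # usage: pub_matches_cert <pubkey.pub> <cert.pem>
  [ "$(openssl x509 -in "$2" -pubkey -noout)" = "$(cat "$1")" ]
}

keystore_has_alias() {  # usage: keystore_has_alias <key.p12> <alias>
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
    grep -q "friendlyName: $2\$"
}

snowflake_key_value() {  # key body on one line, BEGIN/END lines removed
  grep -v '^-----' "$1" | tr -d '\r\n'
}

alter_user_sql() {  # usage: alter_user_sql <username> <pubkey.pub>
  printf "ALTER USER %s SET RSA_PUBLIC_KEY='%s';\n" "$1" "$(snowflake_key_value "$2")"
}

if [ "$#" -ge 1 ]; then  # run everything when given an output directory
  gen_keypair "$1"
  key_is_rsa2048 "$1/privatekey.pem"
  pub_matches_cert "$1/pubkey.pub" "$1/my_cert.pem"
  keystore_has_alias "$1/mykeystore.p12" privatekey
  alter_user_sql "<your_username>" "$1/pubkey.pub"
fi
```

Run it as `P12_PASS=... ./script.sh <output-dir>`; because of `set -e`, it stops at the first check that fails.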