Skip to main content
Version: 3.8

How to Create Private Key and Certificate Files for TLS Connections in Scalar Products

This guide explains how to create private key and certificate files for TLS connections in ScalarDB Cluster and ScalarDL. When you enable the TLS feature, you must prepare private key and certificate files.

Certificate requirements

  • You can use only RSA or ECDSA as an algorithm for private key and certificate files.

Example steps to create sample private key and certificate files

In this example, you'll create sample private key and certificate files by using cfssl and cfssljson. If you don't have those tools installed, please install cfssl and cfssljson to run this example.

note
  • You can use other tools, like openssl, to create the private key and certificate files. Alternatively, you can ask a third-party CA or the administrator of your private CA to create the private key and certificate for your production environment.
  • This example creates a self-signed certificate. However, it is strongly recommended that these certificates not be used in production. Please ask trusted issuers (a public CA or your private CA) to create certificate files for your production environment based on your security requirements.

  1. Create a working directory.

    mkdir -p ${HOME}/scalar/example/certs/

  2. Change the working directory to ${HOME}/scalar/example/certs/.

    cd ${HOME}/scalar/example/certs/

  3. Create a JSON file that includes CA information.

    cat << 'EOF' > ${HOME}/scalar/example/certs/ca.json
    {
        "CN": "scalar-example-ca",
        "key": {
            "algo": "ecdsa",
            "size": 256
        },
        "names": [
            {
                "C": "JP",
                "ST": "Tokyo",
                "L": "Shinjuku",
                "O": "Scalar Example CA"
            }
        ]
    }
    EOF

  4. Create the CA private key and certificate files.

    cfssl gencert -initca ca.json | cfssljson -bare ca

  5. Create a JSON file that includes CA configurations.

    cat << 'EOF' > ${HOME}/scalar/example/certs/ca-config.json
    {
        "signing": {
            "default": {
                "expiry": "87600h"
            },
            "profiles": {
                "scalar-example-ca": {
                    "expiry": "87600h",
                    "usages": [
                        "signing",
                        "key encipherment",
                        "server auth"
                    ]
                }
            }
        }
    }
    EOF

  6. Create a JSON file that includes server information.

    cat << 'EOF' > ${HOME}/scalar/example/certs/server.json
    {
        "CN": "scalar-example-server",
        "hosts": [
            "server.scalar.example.com",
            "localhost"
        ],
        "key": {
            "algo": "ecdsa",
            "size": 256
        },
        "names": [
            {
                "C": "JP",
                "ST": "Tokyo",
                "L": "Shinjuku",
                "O": "Scalar Example Server"
            }
        ]
    }
    EOF

  7. Create the private key and certificate files for the server.

    cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile scalar-example-ca server.json | cfssljson -bare server

  8. Confirm that the private key and certificate files were created.

    ls -1

    [Command execution result]

    ca-config.json
    ca-key.pem
    ca.csr
    ca.json
    ca.pem
    server-key.pem
    server.csr
    server.json
    server.pem

    In this case:

    • server-key.pem is the private key file.
    • server.pem is the certificate file.
    • ca.pem is the root CA certificate file.