RethinkDB – Using a Real Certificate with Cert Chain Bundle

certificatenosqlssl

I know the rethinkdb guide uses a self signed cert as an example. If I wanted to use a real certificate that I purchased, how can I add the bundle to the server conf? I add the certificate I purchased and key to the config:

driver-tls-key=/etc/ssl/star.cert.key
driver-tls-cert=/etc/ssl/star.cert.crt

Openssl s_client gives me the following

Verify return code: 21 (unable to verify the first certificate)

With this as the certificate chain:

depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.s0nr.co
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.s0nr.co
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.s0nr.co
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA

How can I use this cert properly?

Best Answer

Silly me. There was --driver-tls-ca option that I was missing. I found it in the rethinkdb manual (man rethinkdb).

TLS options:

  --http-tls-key key_filename                 private key to use for web
                                              administration console TLS
  --http-tls-cert cert_filename               certificate to use for web
                                              administration console TLS
  --driver-tls-key key_filename               private key to use for client driver
                                              connection TLS
  --driver-tls-cert cert_filename             certificate to use for client driver
                                              connection TLS
  --driver-tls-ca ca_filename                 CA certificate bundle used to verify
                                              client certificates; TLS client
                                              authentication disabled if omitted
  --cluster-tls-key key_filename              private key to use for intra-cluster
                                              connection TLS
  --cluster-tls-cert cert_filename            certificate to use for intra-cluster
                                              connection TLS
  --cluster-tls-ca ca_filename                CA certificate bundle used to verify
                                              cluster peer certificates

I set it in my rethinkdb instance conf file:

# TLS stuff
driver-tls-key=/etc/ssl/star.cert.key
driver-tls-cert=/etc/ssl/star.cert.crt
driver-tls-ca=/etc/ssl/star.cert.ca-bundle

And everything works as expected. openssl s_client returns the proper 0 (ok) code.

Edit note: Although with the rethinkdb dump utility it looks like there is no ca option so I can't use a real cert anyway.

Related Solutions

SQL Server SSL – Using a Trusted CA Certificate Offline

A trusted CA does not require online connectivity to validate the certificate. The certificate is signed with a chain of signatures that is rooted in a private key for which the corresponding public key is already present in your system (this is what 'trusted CA' means, after all). You may be thinking at the certificate revocation list, which must be periodically refreshed online, but the system will work with even if the CRL cannot be refreshed.

Within an intranet there are options to use a corporate CA, but it does require a domain and PKI deployed.

Self-signed certificates with SQL Server provide only encryption, no server authentication. See Using Encryption Without Validation. There are no dialogs to popup for the clients, your connection attempt succeed or fails depending on a number of factors (read the article linked).

Sql-server – In SQL Server and using only client side encryption requests, can I use a different certificate for each client

SQL Server SSL encryption that is initiated from the server does not require that the client have a copy of the certificate in advance. The certificate and private key are stored in the certificate store of the service account on the server. If the certificate is selected using SQL Server Configuration Manager and Force Encryption is set to true, then whenever a client requests a session, the server replies with the encryption requirement and sends a copy of the certificate, which contains the public key. To establish an SSL or TLS session, the client randomly selects a symmetric session key and transmits it back to the server encrypted by the public key. This random key is then used as the basis for secure communication. It is recommended to use a domain certificate or CA certificate and not a self signed certificate as a self signed certificate would leave you vulnerable to a man in the middle attack.

There is also a way to request from the SQL Server Management Studio client that a session be encrypted. I don't see any certificate configuration, so it may use a self signed certificate generated at the client to initiate a secure connection. Either way, you can see if any connections are encrypted using the sql statement:

    select encrypt_option, * from sys.dm_exec_connections

Best Answer

Related Solutions

SQL Server SSL – Using a Trusted CA Certificate Offline

Sql-server – In SQL Server and using only client side encryption requests, can I use a different certificate for each client

Related Question