Generate Self-signed Certificates

This document provides an example of using openssl to generate a self-signed certificate. You can also generate certificates and keys that meet your own requirements.

Assume that the topology of the instance cluster is as follows:

Name    Host IP         Services
node1   172.16.10.11    DM-master1
node2   172.16.10.12    DM-master2
node3   172.16.10.13    DM-master3
node4   172.16.10.14    DM-worker1
node5   172.16.10.15    DM-worker2
node6   172.16.10.16    DM-worker3

Install OpenSSL

  • For Debian or Ubuntu OS:

    apt install openssl
  • For RedHat or CentOS OS:

    yum install openssl

You can also refer to OpenSSL's official download document for installation.

Generate the CA certificate

A certificate authority (CA) is a trusted entity that issues digital certificates. In practice, contact your administrator to issue the certificate or use a trusted CA. A CA manages many certificate and key pairs; for this example you only need to generate one root pair as follows.

  1. Generate the root key:

    openssl genrsa -out root.key 4096
  2. Generate the root certificates:

    openssl req -new -x509 -days 1000 -key root.key -out root.crt
  3. Validate the root certificates:

    openssl x509 -text -in root.crt -noout

Issue certificates for individual components

Certificates that might be used in the cluster

  • The master certificate used by DM-master to authenticate DM-master for other components.
  • The worker certificate used by DM-worker to authenticate DM-worker for other components.
  • The client certificate used by dmctl to authenticate clients for DM-master and DM-worker.

Issue certificates for DM-master

To issue a certificate to a DM-master instance, perform the following steps:

  1. Generate the private key corresponding to the certificate:

    openssl genrsa -out master.key 2048
  2. Make a copy of the OpenSSL configuration template file (the path varies between systems, so refer to the actual location of your template file):

    cp /usr/lib/ssl/openssl.cnf .

    If you do not know the actual location, search for it starting from the root directory:

    find / -name openssl.cnf
  3. Edit openssl.cnf: add req_extensions = v3_req under the [ req ] section, add subjectAltName = @alt_names under the [ v3_req ] section, and finally create a new [ alt_names ] section that lists the SAN entries:

    [ alt_names ]
    IP.1 = 127.0.0.1
    IP.2 = 172.16.10.11
    IP.3 = 172.16.10.12
    IP.4 = 172.16.10.13
  4. Save the openssl.cnf file, and generate the certificate request file (in this step, you can also assign a Common Name to the certificate, which the server can use to validate the identity of the client. This validation is disabled by default in each component and can be enabled in its configuration file):

    openssl req -new -key master.key -out master.csr -config openssl.cnf
  5. Issue and generate the certificate:

    openssl x509 -req -days 365 -CA root.crt -CAkey root.key -CAcreateserial -in master.csr -out master.crt -extensions v3_req -extfile openssl.cnf
  6. Verify that the certificate includes the SAN field (optional):

    openssl x509 -text -in master.crt -noout
  7. Confirm that the following files exist in your current directory:

    root.crt
    master.crt
    master.key

The process of issuing certificates for the DM-worker instance is similar and will not be repeated in this document.

Issue certificates for the client (dmctl)

To issue a certificate to the client (dmctl), perform the following steps:

  1. Generate the private key corresponding to the certificate:

    openssl genrsa -out client.key 2048
  2. Generate the certificate request file (in this step, you can also assign a Common Name to the certificate, which the server can use to validate the identity of the client. This validation is disabled by default in each component and can be enabled in its configuration file):

    openssl req -new -key client.key -out client.csr
  3. Issue and generate the certificate:

    openssl x509 -req -days 365 -CA root.crt -CAkey root.key -CAcreateserial -in client.csr -out client.crt
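The following POSIX shell script is an added end-to-end example and is not part of the DM documentation. It runs the whole procedure from this page non-interactively: it creates the CA (the "Generate the CA certificate" steps), issues the DM-master certificate with the SAN entries for the three DM-master IPs from the topology table (the "Issue certificates for DM-master" steps, reusable for DM-worker), issues the dmctl client certificate (the "Issue certificates for the client (dmctl)" steps), and then checks the results with openssl verify and a SAN lookup. It goes beyond the page in two ways: it writes its own small request configuration files instead of editing the system openssl.cnf, and it marks the root certificate as a CA (basicConstraints and keyUsage) so that openssl verify accepts it as an issuer. The output directory, the CN values (DM Root CA, master, dmctl) and all function names are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the DM docs): issue the CA, DM-master and dmctl
# certificates described on the page in one non-interactive run, then check them.
# Assumptions: 172.16.10.11-13 are the DM-master hosts from the topology table;
# the output directory and the CN values are chosen for this example only.
set -e

MASTER_IPS="172.16.10.11 172.16.10.12 172.16.10.13"

# Minimal CA request config. basicConstraints/keyUsage mark the root as a CA
# so that "openssl verify" accepts it as an issuer regardless of the defaults
# in the system openssl.cnf.
write_ca_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no

[ dn ]
CN = DM Root CA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Minimal request config for a server certificate with the SAN entries the page
# adds to openssl.cnf, written to its own file so the system template stays
# untouched. Usage: write_san_config <file> <cn> <ip>...
write_san_config() {
    cfg="$1"; cn="$2"; shift 2
    {
        printf '[ req ]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n'
        printf '[ dn ]\nCN = %s\n\n' "$cn"
        printf '[ v3_req ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\nIP.1 = 127.0.0.1\n'
        i=2
        for ip in "$@"; do
            printf 'IP.%d = %s\n' "$i" "$ip"
            i=$((i + 1))
        done
    } > "$cfg"
}

# "Generate the CA certificate", steps 1-2: root key and self-signed root cert.
make_ca() {
    dir="$1"
    write_ca_config "$dir/ca.cnf"
    openssl genrsa -out "$dir/root.key" 4096 2>/dev/null
    openssl req -new -x509 -days 1000 -key "$dir/root.key" -out "$dir/root.crt" -config "$dir/ca.cnf"
}

# "Issue certificates for DM-master", steps 1-5 (the same flow serves DM-worker).
# Usage: issue_server_cert <dir> <name> <ip>...
issue_server_cert() {
    dir="$1"; name="$2"; shift 2
    write_san_config "$dir/$name.cnf" "$name" "$@"
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" -config "$dir/$name.cnf"
    openssl x509 -req -days 365 -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -in "$dir/$name.csr" -out "$dir/$name.crt" -extensions v3_req -extfile "$dir/$name.cnf" 2>/dev/null
}

# "Issue certificates for the client (dmctl)", steps 1-3: a CN only, no SAN.
issue_client_cert() {
    dir="$1"
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" -out "$dir/client.csr" -subj "/CN=dmctl"
    openssl x509 -req -days 365 -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -in "$dir/client.csr" -out "$dir/client.crt" 2>/dev/null
}

# Chain check: returns 0 only if <cert> was issued by <dir>/root.crt.
verify_cert() {
    openssl verify -CAfile "$1/root.crt" "$2" >/dev/null 2>&1
}

# SAN check (the page's optional step 6): returns 0 if <ip> is listed in <cert>.
cert_has_san_ip() {
    openssl x509 -in "$1" -noout -text | grep -qE "IP Address:$2"'(,|$)'
}

generate_all() {
    dir="$1"
    mkdir -p "$dir"
    make_ca "$dir"
    # word-splitting of MASTER_IPS is intended
    issue_server_cert "$dir" master $MASTER_IPS
    issue_client_cert "$dir"
}

# Stand-alone run: sh gen-dm-certs.sh ./dm-certs
if [ "$#" -gt 0 ]; then
    generate_all "$1"
    for f in root.crt master.crt master.key client.crt client.key; do
        [ -f "$1/$f" ] && echo "ok: $1/$f"
    done
    verify_cert "$1" "$1/master.crt" && echo "ok: master.crt chains to root.crt"
    verify_cert "$1" "$1/client.crt" && echo "ok: client.crt chains to root.crt"
    cert_has_san_ip "$1/master.crt" 172.16.10.12 && echo "ok: master.crt carries the SAN entries"
fi
```

Because the DM-worker flow is the same as the DM-master flow, a worker certificate is one more call, for example issue_server_cert ./dm-certs worker 172.16.10.14 172.16.10.15 172.16.10.16. The negative checks matter as much as the positive ones: a certificate issued by a different root must fail verify_cert, and the client certificate must not carry the master SAN entries.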