Certificate lifetime

After generating a ca.cert following the instructions in the documentation, I then read the certificate, and found that it expires after one year.

In one year, then, how do I renew the certificate?

Is it even possible? Since elsewhere in the documentation, it states that if you lose your certificate, then it will not be possible to add new nodes to a cluster, doesn’t that imply that if you create a new certificate after an old one expires, the new certificate cannot be used to link to the existing cluster?

You can generate node certs anytime you like. The CA cert is probably the more problematic one.

Unfortunately, we don’t have a good certificate rotation story in place, so you may have to use a big hammer (eg: re-generate everything, and push all certs at approximately the same time). This would cause communication problems between nodes as well as between clients and nodes.

We’ve had this issue opened for ages now with a target milestone of 1.0. It definitely needs to be addressed.


Is there a way, then, of building the ca-cert with a longer expiry time, to allow for the rotation plan to mature?

Unfortunately not through the cockroach command, the duration is hard-coded.

However, you could create a self-signed CA with openssl. It should be easy for the CA, as there is nothing special about it, only the nodes and clients have specific CommonName formats.

To craft a CA certificate with a password-less key, you can use the following:
openssl req -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -nodes -days 365
And change the -days argument to whatever you like. You’ll have to specify the various fields. You can leave them all blank. We only specify Organization = Cockroach and CommonName = Cockroach CA, though you can use anything you like.

After that, cockroach cert create-(node|client) should work the same way.

We’ve been meaning to document the equivalent openssl commands for all cockroach cert commands. See this issue

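As an added example (my own script, not code from the thread or from CockroachDB), here is the openssl approach above with a longer lifetime, plus a check of the resulting expiry with openssl's -checkend so you can see how much time remains before the "big hammer" re-generation is due. It assumes openssl is on PATH; the 3650-day lifetime, the 2048-bit key (the post uses 4096), the output file names and the helper names are my choices.

```shell
#!/bin/sh
# Added example: self-signed CA with a chosen lifetime, plus expiry checks.
# Assumes openssl is installed. File names and lifetime are illustrative.
set -eu

# make_ca <dir> <days>: write a password-less ca.key and a self-signed ca.crt
# into <dir>, valid for <days> days, with the subject the post describes.
make_ca() {
    dir=$1
    days=$2
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -days "$days" \
        -subj "/O=Cockroach/CN=Cockroach CA" 2>/dev/null
}

# cert_valid_for_days <cert> <days>: exit 0 if <cert> is still valid <days>
# days from now, non-zero if it will have expired by then. -checkend takes
# seconds, so convert. Useful as a scheduled pre-expiry alert.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_subject <cert>: print the certificate subject (e.g. O = Cockroach,
# CN = Cockroach CA) so the CA can be identified in rotation scripts.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Usage: ./make_ca.sh <dir> <days>   e.g. ./make_ca.sh certs 3650
if [ "$#" -ge 2 ]; then
    make_ca "$1" "$2"
    cert_subject "$1/ca.crt"
    if cert_valid_for_days "$1/ca.crt" 30; then
        echo "CA has more than 30 days left"
    else
        echo "CA expires within 30 days: plan rotation now"
    fi
fi
```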