Custom CAs for secure servers

Is it possible to use a custom CA for secure servers or do you absolutely need to use the create-* commands to create a CA and server certificates?

You should be able to use your own CA certificate and key.

However, the node and client certificates need a few things. Specifically:
Common Name: node for the node certificates, <username> for the client certificates.
Node certificates should allow for both client and server auth. Client certificates only need client auth.

I’ve been meaning to add the openssl equivalents to the docs (see https://github.com/cockroachdb/docs/issues/119), just haven’t gotten around to it yet.

Hi marc, when you say that the Common Name should be node do you mean it should be the hostname? If not, what is node in this context? Same for <username>.

By node, I mean literally the string node. For client certificates, <username> means whatever the username of the client is, so if I want to be allowed to talk to cockroach as user marc, I need the CommonName to be marc.
For the node certs, this is because they are dual-purpose server and client certs, so node is technically the username for internal communications.
The IP addresses and DNS names of the server itself should be stored in the Subject Alternative Name, which is checked by SSL libraries against the hostname used to connect.

Here’s the relevant portion from some certs I generated through cockroach create-(node|client). The ... are where I left out some boring stuff.

$ openssl x509 -text -in ~/.cockroach-certs/node.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            42:ca:a2:f8:81:bc:cc:e4:3f:fd:8b:83:4f:41:d8:f8
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=Cockroach, CN=Cockroach CA
        Validity
            Not Before: May 22 20:43:31 2017 GMT
            Not After : May 30 20:43:31 2027 GMT
        Subject: O=Cockroach, CN=node
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:localhost, DNS:fishmonger, IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The important bits above are:

        Subject: ... CN=node
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:localhost, IP Address:127.0.0.1

And here’s a sample client certificate for a user called foo:

$ openssl x509 -text -in ~/.cockroach-certs/client.foo.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            02:01:ce:2a:48:fe:6e:ce:e4:7e:39:32:e6:11:14:11
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=Cockroach, CN=Cockroach CA
        Validity
            Not Before: May 21 20:22:58 2017 GMT
            Not After : May 30 20:22:58 2027 GMT
        Subject: O=Cockroach, CN=foo
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The important fields here are:

        Subject: ..., CN=foo
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
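The two answers above describe what the node and client certificates must contain but not how to produce them without the create-* commands. The script below is an added example, not CockroachDB project code and not the openssl recipe marc mentions wanting to add to the docs: it builds a custom CA with plain openssl, issues a node certificate (CN literally "node", serverAuth plus clientAuth, SAN listing the node's names and addresses) and a client certificate (CN = user name, clientAuth only), and then checks each file the way a practitioner would before handing it to cockroach. The directory layout, validity periods, key sizes, the user "marc" and the host name db1.example.internal are assumptions; the O=Cockroach / CN=Cockroach CA names mirror the dumps in the thread.

```shell
#!/bin/sh
# Added example (not CockroachDB code): openssl equivalent of
# `cockroach cert create-ca|create-node|create-client`, producing the fields the
# thread describes. Paths, lifetimes and the demo host name are assumptions.
set -eu

# make_ca DIR : self-signed CA (CA:TRUE, keyCertSign) written as DIR/ca.crt and DIR/ca.key
make_ca() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Cockroach
CN = Cockroach CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/ca.key" -config "$dir/ca.cnf" -out "$dir/ca.crt"
}

# issue_cert DIR NAME CN EKU [SAN] : key + CSR for O=Cockroach, CN=$CN, signed by DIR/ca.*,
# with the given extendedKeyUsage and, when SAN is non-empty, a subjectAltName.
issue_cert() {
  dir=$1; name=$2; cn=$3; eku=$4; san=${5:-}
  cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = Cockroach
CN = $cn
[v3_leaf]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $eku
EOF
  if [ -n "$san" ]; then echo "subjectAltName = $san" >> "$dir/$name.cnf"; fi
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$name.key" -config "$dir/$name.cnf" -out "$dir/$name.csr"
  openssl x509 -req -days 1825 -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/$name.cnf" -extensions v3_leaf -out "$dir/$name.crt" 2>/dev/null
}

# Node cert: CN is literally "node", dual-purpose EKU, SAN = every name/IP clients connect to.
make_node_cert() { issue_cert "$1" node node "serverAuth, clientAuth" "$2"; }

# Client cert for SQL user $2: CN is the user name, clientAuth only, no SAN needed.
make_client_cert() { issue_cert "$1" "client.$2" "$2" clientAuth; }

# check_cert CRT CA CN PURPOSE : succeeds only if CRT has subject CN=$CN,O=Cockroach and
# `openssl verify` accepts it for PURPOSE (sslserver or sslclient, which also checks the EKU).
check_cert() {
  crt=$1; ca=$2; cn=$3; purpose=$4
  subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$crt" | sed 's/^subject= *//')
  if [ "$subj" != "CN=$cn,O=Cockroach" ]; then
    echo "$crt: unexpected subject '$subj'" >&2; return 1
  fi
  out=$(openssl verify -CAfile "$ca" -purpose "$purpose" "$crt" 2>&1) || true
  case "$out" in
    *": OK"*) ;;
    *) echo "$crt: not valid for $purpose: $out" >&2; return 1 ;;
  esac
}

# has_san CRT ENTRY : true if ENTRY ("DNS:host" or "IP Address:1.2.3.4") is in the SAN
has_san() {
  openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name' | grep -q -- "$2"
}

# Demo with a hypothetical host name; compare the output with the dumps in the thread.
CERTS=$(mktemp -d)
make_ca "$CERTS"
make_node_cert "$CERTS" "DNS:localhost,DNS:db1.example.internal,IP:127.0.0.1"
make_client_cert "$CERTS" marc
check_cert "$CERTS/node.crt" "$CERTS/ca.crt" node sslserver && echo "node.crt: OK"
check_cert "$CERTS/client.marc.crt" "$CERTS/ca.crt" marc sslclient && echo "client.marc.crt: OK"
openssl x509 -noout -subject -in "$CERTS/node.crt"
openssl x509 -noout -text -in "$CERTS/node.crt" | grep -E -A1 'Extended Key Usage|Alternative Name'
```

The check deliberately uses `openssl verify -purpose`: sslserver fails on a certificate whose EKU lacks serverAuth, so a client certificate mistakenly dropped in as node.crt is caught before the node refuses connections. The subject comparison is exact (CN first because of -nameopt RFC2253), which also catches the common mistake of putting the hostname in the CN instead of the SAN.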