Possible to configure root CN as another value

For a secure cluster, is it possible to configure what the root client certificate CN should be?

If we plan to use our own CA certificates for instance (vs using cockroach certs to generate them), and we’re unable to get a certificate issued with the CN=root by the CA, would it be possible to configure the root CN to be something other than root?

Or is the workaround to create a non-secure cluster first, create the users, schema and associated grants and then finally secure the cluster?

Hey @chriswhite199

It sounds like the best course of action may be a split node configuration for your certificates, described in the documentation here. Have a look at the docs, and let me know if there are any other questions you have.

Cheers,
Ricardo

Ricardo,

Thanks, so in that instance I just need to create my own CA to issue the client certs (one for node to be used by all the nodes, one for root and 1+ for the additional clients), and can use upstream CA-issued certs for the node server certs?

Hey @chriswhite199

So the client node certs need to ensure that in the cert, CN=node, and in the server node cert, the Subject Alternate Name field needs to contain the IPs and host names associated with that node.

If you have a scenario where multiple CAs need to sign these certs, then you may be better off utilizing a mixture of the split node configuration I linked in the previous post, and the split CA configuration here.

Let me know if there are any other questions.

Cheers,
Ricardo
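
A pre-deployment check for the two certificate rules stated in the reply above, as an added example that is not part of the original thread and is not CockroachDB code. The function names, the host name `node1.example.internal` and the 10.0.0.x addresses are hypothetical, and the certificates are constructed self-signed samples; with your own CA you would parse the issued PEM files instead.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// checkClientCN enforces the client-cert rule from the thread: subject CN must equal want.
func checkClientCN(c *x509.Certificate, want string) error {
	if c.Subject.CommonName != want {
		return fmt.Errorf("client cert CN=%q, want %q", c.Subject.CommonName, want)
	}
	return nil
}

// checkNodeSAN enforces the server-cert rule: every node host name and IP must be in the SAN.
func checkNodeSAN(c *x509.Certificate, addrs ...string) error {
	for _, a := range addrs {
		if err := c.VerifyHostname(a); err != nil { // matches SAN entries only, never the CN
			return fmt.Errorf("SAN does not cover %q: %w", a, err)
		}
	}
	return nil
}

// sampleCert returns a constructed self-signed certificate used only as demo input.
func sampleCert(cn string, dns []string, ips ...net.IP) *x509.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), DNSNames: dns, IPAddresses: ips}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	c, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic("could not build sample certificate")
	}
	return c
}

func main() {
	srv := sampleCert("node", []string{"node1.example.internal"}, net.ParseIP("10.0.0.11"))
	fmt.Println(checkClientCN(sampleCert("node", nil), "node"))
	fmt.Println(checkNodeSAN(srv, "node1.example.internal", "10.0.0.11"))
	fmt.Println(checkNodeSAN(srv, "10.0.0.12"))
}
```

The first two checks pass and the third reports an address missing from the SAN, which is the kind of mismatch worth catching before the certificates are copied to a node.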