PSA: `--insecure` is now false by default, `--certs-dir` replaces old certificate flags

PR 14703, which reworks the security settings, has been merged.

The notable changes are:

  • --insecure is now always false by default and is no longer co-dependent on the value of --host
  • --host is now “all interfaces” by default and is no longer co-dependent on the value of --insecure
  • --ca-cert, --cert, and --key are gone from most commands, replaced with --certs-dir. They are still allowed on cockroach start but will be removed soon
  • the cockroach cert commands have changed to use the new flags. Please see the help message for details
  • the default CA certificate lifetime is now 5 years; server/client certificate lifetime remains 1 year

The --certs-dir flag defaults to ${HOME}/.cockroach-certs. It is searched for certificates and keys using the following naming scheme:

  • CA certificate and key: ca.crt, ca.key
  • Server certificate and key: node.crt, node.key
  • Client certificate and key: client.<user>.crt, client.<user>.key

When running client commands, the user can be specified with the --user flag.

Keys have a minimum permission requirement of 0700 (rwx------). This restriction can be
disabled by setting the environment variable COCKROACH_SKIP_KEY_PERMISSION_CHECK to true.
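As an added example (not code from the PR or from CockroachDB itself), here is a POSIX shell check that a --certs-dir follows the naming scheme above for a given --user and that no key file is more permissive than 0700, i.e. its group and other bits are zero. The directory it builds in demo() is constructed sample data with empty placeholder files, not real certificates.

```shell
#!/bin/sh
# Added example: verify a --certs-dir layout and key permissions.
# Usage: check_certs_dir <dir> <user>  -> prints problems, returns 0 if clean.

# Permission bits of a file as octal digits, portable across GNU and BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

check_certs_dir() {
    dir=$1; user=$2; rc=0
    # Required files per the naming scheme: CA, node, and client.<user>.
    for f in ca.crt ca.key node.crt node.key "client.$user.crt" "client.$user.key"; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f"; rc=1
        fi
    done
    # Every key must be 0700 or stricter: no group or other bits set.
    for k in "$dir"/*.key; do
        [ -f "$k" ] || continue
        mode=$(file_mode "$k")
        case "$mode" in
            *00) ;;   # e.g. 700, 600, 400: group/other digits are both 0
            *) echo "too permissive ($mode): $k"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample layout (placeholder files) with one deliberately bad key.
demo() {
    d=$(mktemp -d)
    for f in ca.crt ca.key node.crt node.key client.root.crt client.root.key; do
        : > "$d/$f"
    done
    chmod 600 "$d"/*.key
    chmod 644 "$d/client.root.key"    # would fail cockroach's permission check
    check_certs_dir "$d" root; r=$?
    rm -rf "$d"
    return $r
}

demo
```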