Materialized verify-full certificate setup
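#!/usr/bin/env bash
# Generate a private CA plus one server and one client certificate for
# Materialize's TLS `verify-full` mode.
#
# Outputs (all under ./secrets):
#   ca.key / ca.crt                 CA private key (passphrase-protected) and cert
#   ca.srl                          serial counter written by -CAcreateserial
#   server.example.com.key / .crt   server key (unencrypted) and CA-signed cert
#   materialize.key / .crt          client key (unencrypted) and CA-signed cert;
#                                   CN=materialize is the psql user name
#
# Environment:
#   SSL_SECRET   passphrase protecting the CA private key
#                (default: mzmzmz — change it for anything beyond a local demo)
#   CERT_DAYS    validity of every certificate in days (default: 36500)
#
# The passphrase is handed to openssl as `env:SSL_SECRET` rather than
# `pass:...` so it never shows up in the process argument list (`ps`).
set -euo pipefail

SSL_SECRET=${SSL_SECRET:-mzmzmz}
export SSL_SECRET
CERT_DAYS=${CERT_DAYS:-36500}

mkdir -p secrets
# CSRs are scratch data; keep them out of the cwd and clean up on any exit.
tmp=$(mktemp -d)
trap 'rm -rf -- "$tmp"' EXIT

# Create CA (self-signed, passphrase-protected key)
openssl req \
  -x509 \
  -days "$CERT_DAYS" \
  -newkey rsa:4096 \
  -keyout secrets/ca.key \
  -out secrets/ca.crt \
  -sha256 \
  -batch \
  -subj "/CN=MZ RSA CA" \
  -passout env:SSL_SECRET

# Generate two certificates, one for the server and one for the client
for name in server.example.com materialize; do
  # Create key & CSR. -nodes leaves the leaf key unencrypted so materialized
  # and psql can load it without a passphrase prompt.
  openssl req -nodes \
    -newkey rsa:2048 \
    -keyout "secrets/$name.key" \
    -out "$tmp/$name.csr" \
    -sha256 \
    -batch \
    -subj "/CN=$name"

  # Sign the CSR with the CA. `x509 -req` does not copy extensions from the
  # CSR, so a subjectAltName is supplied explicitly: verify-full clients match
  # the host name against the SAN and only fall back to the CN when the
  # certificate has no dNSName SAN at all.
  openssl x509 -req \
    -CA secrets/ca.crt \
    -CAkey secrets/ca.key \
    -in "$tmp/$name.csr" \
    -out "secrets/$name.crt" \
    -sha256 \
    -days "$CERT_DAYS" \
    -CAcreateserial \
    -extfile <(printf 'subjectAltName=DNS:%s\n' "$name") \
    -passin env:SSL_SECRET
done

# Private keys must be owner-only: libpq refuses an sslkey that is group- or
# world-readable, and nothing else should be able to read the CA key anyway.
chmod 600 secrets/*.key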
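#!/usr/bin/env bash
# Connect to a local Materialize over mutually-authenticated TLS with the
# client certificate issued to the `materialize` user.
#
# Certificate paths are relative to the current directory (the one holding
# ./secrets), like the generation script; override with SECRETS_DIR.
# Any extra arguments are passed through to psql (e.g. `-c 'SELECT 1'`).
#
# The server certificate is issued to server.example.com while the daemon is
# reached on the loopback address. libpq still allows sslmode=verify-full:
# `host` is the name checked against the server certificate, `hostaddr` is
# the address actually connected to, so no DNS or /etc/hosts entry is needed.
# verify-ca alone would only prove the certificate chains to our CA, not that
# it is the certificate of the server we meant to talk to.
set -euo pipefail

secrets=${SECRETS_DIR:-secrets}

# NOTE(review): assumes materialized is listening on 127.0.0.1; use
# hostaddr=::1 if it binds only to IPv6 loopback.
conninfo="port=6875 host=server.example.com hostaddr=127.0.0.1 user=materialize"
# libpq rejects a client key that is group- or world-readable (chmod 600).
conninfo+=" sslcert=$secrets/materialize.crt sslkey=$secrets/materialize.key"
conninfo+=" sslrootcert=$secrets/ca.crt sslmode=verify-full"

psql "$conninfo" "$@"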
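#!/usr/bin/env bash
# Start Materialize with TLS in verify-full mode, using the CA and server
# certificate produced by the generation script.
#
# Paths are relative to the current directory (the one holding ./secrets);
# override with SECRETS_DIR. Extra arguments are passed through to materialized.
#
# verify-full makes the server require a client certificate signed by ca.crt;
# the psql script pairs with this by presenting materialize.crt/.key.
# NOTE(review): Materialize's verify-full mode is expected to tie the client
# certificate's CN to the connecting user (CN=materialize for user=materialize)
# — confirm against the materialized docs for the version in use.
set -euo pipefail

secrets=${SECRETS_DIR:-secrets}

# Fail early with a clear message instead of a startup error from the daemon.
for f in ca.crt server.example.com.crt server.example.com.key; do
  if [[ ! -r "$secrets/$f" ]]; then
    printf 'missing %s - run the certificate generation script first\n' "$secrets/$f" >&2
    exit 1
  fi
done

# exec so materialized replaces this shell and receives signals directly.
exec materialized \
  --tls-mode verify-full \
  --tls-ca "$secrets/ca.crt" \
  --tls-cert "$secrets/server.example.com.crt" \
  --tls-key "$secrets/server.example.com.key" \
  "$@"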