Authentication Using Client Certificates, Part 2
Setup client certificates to enable client certificate handling using a CLI or REST API, configure the client certificate, and add authorization using root certificates.
Enable Client Certificates With the CLI or REST API
./couchbase-cli ssl-manage -c <IP-node1> -u username -p password --set-client-auth settings.json
In the command above, settings.json holds a JSON object with two keys: state, set to either enable (a client certificate is used for authentication when one is presented) or mandatory (every connection must present one), and prefixes, the list of prefix rules described in the previous article. Each rule is a triple: path names the certificate field to read (the subject CN or a SAN DNS name), prefix is stripped from the front of that field, and delimiter marks where the extracted username ends. Using the examples from Part 1, settings.json might look like this:
{
"state": "enable",
"prefixes": [
{
"path": "subject.cn",
"prefix": "www.",
"delimiter": "."
},
{
"path": "san.dnsname",
"prefix": "node1.",
"delimiter": "."
}
]
}
The same settings can be applied through the REST API by posting the same file to the cluster manager:
curl -XPOST <IP-node1>:8091/settings/clientCertAuth --data-binary @settings.json -u username:password
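To make the prefix rules concrete, here is an added example (not part of the article and not Couchbase's own code) that emulates how one rule maps a certificate field to a username. It assumes the rule strips prefix from the front of the field, keeps what follows up to the first occurrence of any character in delimiter (an empty delimiter keeps the whole remainder), that a field which does not start with prefix does not match the rule, and that rules are tried in the order listed with the first match winning. The function names and the sample field values are constructed for the example.

```shell
#!/bin/sh
# Added example: emulate a Couchbase client-certificate prefix rule in POSIX sh.
# Assumed semantics (see lead-in): strip PREFIX, cut at the first DELIMITER char.
set -eu

# map_username FIELD PREFIX DELIMITER
# Prints the extracted username; prints nothing and returns 1 if FIELD does
# not start with PREFIX (the rule does not match).
map_username() {
  field=$1 prefix=$2 delim=$3
  case $field in
    "$prefix"*) rest=${field#"$prefix"} ;;
    *) return 1 ;;
  esac
  # Cut at the earliest occurrence of any single character in $delim.
  # An empty $delim runs the loop zero times and keeps the whole remainder.
  user=$rest
  i=1
  while [ "$i" -le "${#delim}" ]; do
    c=$(printf '%s' "$delim" | cut -c "$i")
    cand=${rest%%"$c"*}
    [ "${#cand}" -lt "${#user}" ] && user=$cand
    i=$((i + 1))
  done
  printf '%s\n' "$user"
}

# resolve_username CN DNSNAME
# Applies the article's two rules in order (subject.cn first, then san.dnsname)
# to constructed field values; the first rule that matches wins.
resolve_username() {
  cn=$1 dnsname=$2
  map_username "$cn" "www." "." && return 0
  map_username "$dnsname" "node1." "." && return 0
  return 1
}

# Stand-alone demo: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  resolve_username "www.alice.example.com" "node1.svc.example.com"   # alice
  resolve_username "bob.example.com" "node1.svc.example.com"         # svc
  resolve_username "bob.example.com" "other.example.com" || echo "no rule matched"
fi
```

Two things the walk-through makes visible: a certificate whose CN lacks the configured prefix falls through to the next rule rather than producing an empty username, and the username that comes out (alice, svc) must already exist as a Couchbase user with the right roles, or the connection is authenticated but authorized for nothing.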
Configuring the Client Certificates Using Root Authorization
These steps are very similar to how we set up the server certificates in another DZone article: https://dzone.com/articles/authentication-using-server-side-x509-certificates
We first need to create a private key using OpenSSL:
openssl genrsa -out client.key 2048 2>/dev/null
Next, we need to create a certificate signing request (CSR). A CSR carries the applicant's public key and subject name and is sent to a CA, which signs it to issue the certificate. The capabilities of the resulting X.509 certificate are set with an extension file, which is passed to the signing step below rather than embedded in the CSR:
openssl req -new -key client.key -out client.csr -subj '/C=US/O=Couchbase/CN=Clientauthuser' 2>/dev/null
cat > v3.ext <<EOF
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
EOF
For the full list of standard extensions, see section 4.2 of RFC 5280, the X.509 PKI certificate and CRL profile: https://tools.ietf.org/html/rfc5280.
Now we need to generate the client certificate:
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -extfile v3.ext -out client.pem -days 365 2>/dev/null
Here ca.pem is the root CA's certificate (its public key) and ca.key is the root CA's private key, as generated while setting up the X.509 server certificates. Note that 2>/dev/null discards OpenSSL's error output; drop it if a step fails silently.
The client then presents client.pem together with client.key when it connects. The server checks that the certificate chains to the root it trusts and applies the prefix rules above to the subject CN or SAN to derive the username; that user must already exist in Couchbase with the roles it needs.
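The following added example (not from the article and not Couchbase's code) runs the whole procedure above in a throwaway directory with a locally generated root CA standing in for ca.pem/ca.key, then performs the two checks a practitioner wants before pointing a client at the cluster: that the client certificate actually chains to the CA, and what the CN and SAN DNS name are, since those are the fields the prefix rules read. It also tightens the extension file with keyUsage, extendedKeyUsage = clientAuth and a subjectAltName, which the article's v3.ext omits. It assumes OpenSSL 1.1.1 or later is on PATH; the function names and the sample CN and SAN are constructed for the example.

```shell
#!/bin/sh
# Added example: root CA + client certificate in a temp dir, then verify and inspect.
# Assumes openssl 1.1.1+ (for -ext). Directory, CN and SAN come from the caller.
set -eu

# make_client_cert DIR CN SAN_DNSNAME
make_client_cert() {
  dir=$1 cn=$2 san=$3
  # Root CA key and self-signed certificate (the article's ca.key and ca.pem).
  openssl genrsa -out "$dir/ca.key" 2048
  openssl req -new -x509 -key "$dir/ca.key" -out "$dir/ca.pem" -days 365 \
      -subj '/C=US/O=Couchbase/CN=Example Root CA'
  # Client key and CSR, as in the article.
  openssl genrsa -out "$dir/client.key" 2048
  openssl req -new -key "$dir/client.key" -out "$dir/client.csr" \
      -subj "/C=US/O=Couchbase/CN=$cn"
  # Extension file: not a CA, usable only for TLS client auth, plus a SAN.
  cat > "$dir/v3.ext" <<EOF
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = DNS:$san
EOF
  # Sign the CSR with the root CA, applying the extensions.
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
      -CAcreateserial -extfile "$dir/v3.ext" -out "$dir/client.pem" -days 365
}

# verify_client_cert DIR: succeeds only if client.pem chains to ca.pem.
verify_client_cert() {
  openssl verify -CAfile "$1/ca.pem" "$1/client.pem" >/dev/null 2>&1
}

# client_cn DIR: prints the subject CN, the field a subject.cn rule reads.
client_cn() {
  openssl x509 -in "$1/client.pem" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# client_san_dns DIR: prints the SAN DNS name, the field a san.dnsname rule reads.
client_san_dns() {
  openssl x509 -in "$1/client.pem" -noout -ext subjectAltName \
    | sed -n 's/^ *DNS://p'
}

# Stand-alone demo: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_client_cert "$d" "www.alice.example.com" "node1.svc.example.com" >/dev/null 2>&1
  verify_client_cert "$d" && echo "chain OK: CN=$(client_cn "$d") SAN=$(client_san_dns "$d")"
  rm -rf "$d"
fi
```

With the article's rules, the demo certificate's CN www.alice.example.com would yield the user alice. The extendedKeyUsage = clientAuth line matters in practice: a certificate signed by the same root but without it (or with serverAuth only) still chains correctly, so `openssl verify` alone does not tell you the CA has not just minted a client credential out of a server certificate; check the extensions as well.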
For details on configuring client certificates for multiple clients, and on using an intermediate certificate to issue your client certificates, see Couchbase's documentation under Managing Certificates.