3.6.1 Generate RSA Certificates for etcd

You must provide etcd credentials and etcd endpoints in the YAML file for the transaction coordinator. MicroTx uses this information to establish a connection to the database after the service is installed.

Skip this step if you are not using etcd as the transaction store.

Before you begin, complete the following tasks:

  • Install the CFSSL tool. See https://github.com/cloudflare/cfssl. This topic provides sample commands that create certificates with CFSSL; you can use this tool or any other certificate tool of your choice.
  • Install and configure the etcd database. For information about creating an etcd data store, see https://etcd.io/docs/.
  • Enable TLS on etcd for additional security, and provide the certificate details in the YAML file for the transaction coordinator.
To create certificates and identify the etcd endpoints:
  1. Create a directory.

    The following sample commands create a directory named cfssl and change into it.

    mkdir cfssl
    cd cfssl

    Note the path of this directory as you will create all the certificates inside it.

  2. Identify the external IP address of the etcd database server.

    Run the following command only if you want to install MicroTx in a Kubernetes cluster.

    kubectl get svc

    Sample output

    NAME          TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)             AGE
    etcd          ClusterIP      None           <none>           4002/TCP,4003/TCP   5h8m
    etcd-client   LoadBalancer   192.0.2.83     198.51.100.1     4002:32135/TCP      5h8m
  3. Note down the external IP address.
    You will provide this value to generate the server certificate and as the etcd endpoints in the YAML file for the transaction coordinator.
  4. Run the following command to initialize the certificate authority.
    echo '{"CN":"CA","key":{"algo":"rsa","size":2048}}' | cfssl gencert -initca - | cfssljson -bare ca -

    This command creates three files in the current working directory: ca-key.pem, ca.csr, and ca.pem.
  5. Run the following command to configure the certificate authority options.

    Sample command

    echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","server auth","client auth"]}}}' > ca-config.json

    The output is written to the ca-config.json file.

    You can modify values for expiry and usages. For more information about these attributes, refer to the CFSSL documentation.

  6. Generate the server certificate.
    1. Run the following command to assign the IP address of the etcd database server to the variable ADDRESS. When you run this command in your environment, replace the sample value with a value specific to your environment.
      export ADDRESS=192.0.2.82
    2. Run the following command to assign the name of the etcd database server to the variable NAME. This is the server Common Name (CN) that is required to generate the server certificate. When you run this command in your environment, replace the sample value with a value specific to your environment.
      export NAME=server
    3. Run the following command to generate the server certificate.
      echo '{"CN":"'$NAME'","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem -hostname="$ADDRESS" - | cfssljson -bare $NAME
    This command creates three files in the current working directory: server-key.pem, server.csr, and server.pem.
  7. Set read permissions on the server certificate and key files. Perform this step only if you want to install MicroTx in Docker Swarm. Skip this step if you want to install MicroTx in a Kubernetes cluster.
    sudo chmod 644 server-key.pem
    sudo chmod 644 server.pem

    Mode 644 makes server-key.pem readable by every account on the host, so restrict access to the cfssl directory itself to the users that need it.
  8. Generate the client certificate. While generating the client certificate, you don't need to specify an IP address for the client certificate host.
    1. Run the following command to assign a name to the variable NAME. This is the Common Name (CN) that is required to generate the client certificate. You can provide any value that identifies the client certificate.
      export NAME=client
    2. Run the following command to generate the client certificate.
      echo '{"CN":"'$NAME'","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem -hostname="$ADDRESS" - | cfssljson -bare $NAME
    This command creates three files in the current working directory: client-key.pem, client.csr, and client.pem.
  9. Run the following command to protect the client private key with a password.
    openssl rsa -passout pass:<your_password> -aes256 -in client-key.pem -out client-ekey.pem

    Replace <your_password> with a password for your client private key file. Remember the password that you provide, because you must enter it in the next step.

    The client-ekey.pem file is created in the current working directory; it contains the AES-256-encrypted copy of the client private key. You will need to provide the contents of the client-ekey.pem file and the password in the next step.

  10. In any text editor, create a JSON file that contains the contents of client-ekey.pem, the contents of client.pem, and the password that you used to protect the client private key.

    The client.pem file contains the client certificate and the client-ekey.pem file contains the encrypted private key.

    1. Copy the contents of client.pem, the client certificate file, as the value of the cert field.
    2. Copy the contents of client-ekey.pem, the client private key file, as the value of the key field.
    3. Enter the password for the client private key file that you provided in the previous step as the value of the keyPassword field.
    4. Replace every line break inside the cert and key values with the newline escape sequence \n, so that each value is a single-line JSON string.
    5. Create a JSON file with the edited values. The following code shows a sample JSON file. The sample values have been truncated with ellipses (...) for readability.
    {
      "cert":"-----BEGIN CERTIFICATE-----\nMIIDOjCC...\nBQAwD..jHPs=\n-----END CERTIFICATE-----",
      "key":"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,1870...\n\nNb...\n-----END RSA PRIVATE KEY-----",
      "keyPassword":"<your_password>"
    }
  11. Validate and then save the JSON file. Remember the name of the JSON file, because you must provide its name and location later. This topic assumes that you save the JSON file as etcdecred.json.
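Steps 10 and 11 are where hand editing tends to fail: a missed line break, or the plaintext client-key.pem pasted where the encrypted client-ekey.pem belongs. The following added example, which is not part of the original documentation or of MicroTx, builds and checks the credentials file with the Python standard library; the field names cert, key and keyPassword are the page's, while the PEM contents are constructed placeholders and the function names are the example's own.

```python
import base64
import json
import re

PEM_BLOCK = re.compile(r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----", re.S)

# Constructed stand-ins for client.pem, client-ekey.pem and client-key.pem: valid base64, not real DER.
FAKE_B64 = base64.b64encode(b"constructed sample bytes, not real key material").decode()
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\n" + FAKE_B64 + "\n-----END CERTIFICATE-----\n"
SAMPLE_ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                  + FAKE_B64 + "\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\n" + FAKE_B64 + "\n-----END RSA PRIVATE KEY-----\n"

def parse_pem(text):
    """Return (label, headers, body) of one PEM block; headers are RFC 1421 lines such as DEK-Info."""
    m = PEM_BLOCK.search(text)
    if not m:
        raise ValueError("no PEM block found")
    lines, headers = m.group("body").splitlines(), {}
    while lines and ":" in lines[0]:  # header lines come before a blank line
        k, v = lines.pop(0).split(":", 1)
        headers[k.strip()] = v.strip()
    if lines and lines[0] == "":
        lines.pop(0)
    return m.group("label"), headers, base64.b64decode("".join(lines), validate=True)

def key_is_encrypted(headers):
    """True only for a key that step 9 protected with openssl rsa -aes256."""
    return headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers

def build_etcd_credentials(cert_pem, key_pem, key_password):
    """Assemble the step 10 JSON; json.dumps does the newline-to-\\n replacement."""
    cert_label, _, _ = parse_pem(cert_pem)
    key_label, headers, _ = parse_pem(key_pem)
    if cert_label != "CERTIFICATE" or not key_label.endswith("PRIVATE KEY"):
        raise ValueError("cert must be a CERTIFICATE and key a PRIVATE KEY block")
    if not key_is_encrypted(headers):  # refuse the plaintext client-key.pem
        raise ValueError("private key is not password protected; use client-ekey.pem")
    return json.dumps({"cert": cert_pem.strip(), "key": key_pem.strip(),
                       "keyPassword": key_password}, indent=2)

def validate_etcd_credentials(doc):
    """Step 11 check: valid JSON, exactly the three fields, both PEM blocks intact."""
    data = json.loads(doc)
    if set(data) != {"cert", "key", "keyPassword"}:
        raise ValueError("unexpected fields: " + ", ".join(sorted(data)))
    parse_pem(data["cert"])
    parse_pem(data["key"])
    return data
```

To produce etcdecred.json from real files, pass the contents of client.pem and client-ekey.pem and the step 9 password to build_etcd_credentials and write the returned string to disk.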