Certificates Overview

Certificates Overview

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate’s contents (called the issuer). If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate’s subject.
In a typical public-key infrastructure (PKI) scheme, the certificate issuer is a certificate authority (CA), usually a company that charges customers to issue certificates for them.

In TLS (an updated replacement for SSL), a server is required to present a certificate as part of the initial connection setup. A client connecting to that server will perform the certification path validation algorithm:

  1. The subject of the certificate matches the hostname (i.e. domain name) to which the client is trying to connect;
  2. The certificate is signed by a trusted certificate authority (CA).

(Taken from Wikipedia)

Cluster certificates setup

The Cloudify Manager cluster uses the TLS protocol (as described above) for:

  1. Communication between the PostgreSQL cluster nodes.
  2. Communication between the RabbitMQ cluster nodes.
  3. Communication between the Management service cluster nodes and the other services.

A few notes:

The following files should exist on each host:

  1. CA certificate - The CA certificate that signed the hosts’ public key certificates.
  2. Public key certificate - A public key certificate signed by the given CA that specifies the host IP and username.
  3. Private key - The private key associated with the host’s public key certificate.

The cfy_manager generate-test-cert command can be used for creating example certificates:

On a host that has the management service installed, generate certificates for all hosts using:

For a nine nodes cluster:

cfy_manager generate-test-cert -s <manager 1 ip>,<manager 1 hostname>
cfy_manager generate-test-cert -s <manager 2 ip>,<manager 2 hostname>
cfy_manager generate-test-cert -s <manager 3 ip>,<manager 3 hostname>
cfy_manager generate-test-cert -s <postgres server 1 ip>,<postgres 1 hostname>
..
..
cfy_manager generate-test-cert -s <rabbitmq server 3 ip>,<rabbitmq server 3 hostname>

For a three nodes cluster:

cfy_manager generate-test-cert -s <node 1 ip>,<node 1 hostname>
cfy_manager generate-test-cert -s <node 2 ip>,<node 2 hostname>
cfy_manager generate-test-cert -s <node 3 ip>,<node 3 hostname>

All-in-one Certificates Setup

For an all-in-one Cloudify Manager, just the host’s public key certificate is needed alongside its associated CA certificate and private key.

Replacing certificates

Replacement of the certificates may be required as a result of regulatory compliance demand, certificate expiration, or revocation due to security breach. Follow the procedure described in the Replacing Certificates guide when certificates’ replacement is required.