In versions 10.0.1 or later, Vertica provides In-Database Cryptographic Key
and Certificate Management, which allows database administrators to manage keys
and certificates in Vertica. Use the following operations to create a self-signed key:
- Generate the server key (private key). The following generates a 2048bit
RSA private key.
CREATE KEY server_key TYPE 'RSA' LENGTH 2048;
- You can see the generated private key in the cryptographic_keys table.
SELECT name, type, length, key FROM cryptographic_keys WHERE name = 'server_key';
name | type | length | key
------------+------+--------+---------------------------------
server_key | RSA | 2048 | -----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAtTQfGE8yXzz9vkz399oovOwOm2vq1iZlkbclJ7+xqdv0hCkU
.....
ip2TYY4qjRg7QE6Zzzv3eGauAIG0SxT19rfvUOnWlQ5/N/UceXC7
-----END RSA PRIVATE KEY-----
- Create a self-signed CA certificate.
CREATE CA CERTIFICATE ca_cert
SUBJECT '/C=IN/ST=UP/L=IN/O=OT/OU=OT/CN=Vertica Root CA'
VALID FOR 365
EXTENSIONS 'authorityKeyIdentifier' = 'keyid:always,issuer', 'nsComment' = 'Vertica generated root CA cert'
KEY server_key;
- You can also see the generated certificate in certificates table.
SELECT name, expiration_date, subject, serial, certificate_text FROM certificates WHERE name = 'ca_cert';
-[ RECORD 1 ]----+-------------------------------------------------------------------------------------
name | ca_cert
expiration_date | 2022-03-12 08:18:32+09
subject | C = country_code, ST = state_or_province, L = locality, O = organization, OU = org_unit, CN = Vertica Root CA
serial | 02:BB:83:5D:4A:90:02:E1:4C:A1:9E:C3:07:D3:55:EB:F2:C3:FF:69
certificate_text | -----BEGIN CERTIFICATE-----
MIIEFzCCAv+gAwIBAgIUAruDXUqQAuFMoZ7DB9NV6/LD/2kwDQYJKoZIhvcNAQEL
.....
UW6DAcSHlDpT4+5b6L/HznN/Y/SNxUiftWXS1cUaRKJmtMIkoGPo4bGVDQ==
-----END CERTIFICATE-----
- Generate and sign the server certificate with the self-signed CA
certificate.
CREATE CERTIFICATE server_crt
SUBJECT '/C=IN/ST=UP/L=IN/O=OT/OU=OT/CN=vertica-64/emailAddress=vgarg@opentext.com'
SIGNED BY ca_cert
EXTENSIONS 'authorityKeyIdentifier' = 'keyid:always,issuer', 'nsCertType' = 'server',
'extendedKeyUsage' = 'serverAuth',
'subjectAltName' = 'DNS.1:vertica-64,IP:10.20.73.64'
KEY server_key;
- =>
SELECT name, expiration_date, subject, serial, certificate_text FROM certificates WHERE name = 'server_crt';
-[ RECORD 1 ]-----+---------------------------------------------------------------------------------------------------------------------
name | server_crt
expiration_date | 2022-03-22 08:36:17+09
subject | C = country_code, ST = state_or_province, L = locality, O = organization, OU = org_unit, CN = verticadb, emailAddress = verticadb@vertica.com
serial | 70:9B:BA:83:EE:8E:7F:DA:A3:F4:6C:E8:18:06:66:25:98:98:AB:17
certificate_text | -----BEGIN CERTIFICATE-----
MIIENDCCAxygAwIBAgIUcJu6g+6Of9qj9GzoGAZmJZiYqxcwDQYJKoZIhvcNAQEL
.....
BtLYa+Dv8Fm2Eg68x+6iYT9usSVSWTQB
-----END CERTIFICATE-----
Configure Vertica to enable
TLS server encryption
a. Vertica Version 11.0 or
Later
In versions 11.0 or later, Vertica implements TLS CONFIGURATION objects,
which manages the TLS configuration for Vertica.
1. Set the server certificate.
ALTER TLS CONFIGURATION server CERTIFICATE server_crt;
2. Enable the use of TLS on connections to the database.
ALTER TLS CONFIGURATION server TLSMODE 'ENABLE';
3. Check that the configurations were set correctly.
SELECT * FROM tls_configurations WHERE name = 'server';
name | owner | certificate | ca_certificate | cipher_suites | mode
--------+---------+-------------+----------------+---------------+--------
server | dbadmin | server_crt | | | ENABLE
4. Verify TLS connection from vsql.
$ vsql
Welcome to vsql, the Vertica Analytic Database interactive terminal.
Type: \h or \? for help with vsql commands
\g or terminate with semicolon to execute query
\q to quit
SSL connection (cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, protocol: TLSv1.2)
Export the Certificate
$ vsql -At -c
"SELECT key FROM cryptographic_keys WHERE name = 'server_key';"
-o server.key
$ vsql -At -c
"SELECT certificate_text FROM certificates WHERE name = 'server_crt';"
-o server.crt
$ vsql -At -c
"SELECT certificate_text FROM certificates WHERE name = 'ca_cert';"
-o ca.crt