
TLS client authentication

Ole Spaarmann edited this page Mar 15, 2018 · 2 revisions

Introduction

TLS client authentication (mutual TLS) encrypts the connection to your Dgraph server and authenticates both ends of it. The server presents a certificate that the client checks against a CA it trusts; this is what proves the client is talking to the right server. The client presents its own certificate, which the server checks against the CA passed in --tls_ca_certs. When --tls_on is set, Dgraph expects a server certificate and key to be loaded. The flag --tls_client_auth=REQUIREANDVERIFY additionally makes the server demand a client certificate and reject the connection if that certificate does not verify against the CA; without it, the server does not insist on a verified client certificate.

Create a self-signed CA & client certificate with OpenSSL

Attention: For the server certificate, make sure the common name is the hostname your clients connect to (in the example below, localhost). Give the CA a different common name than the server and client certificates so the chain can be built unambiguously. Leave the challenge password, email address and optional company name empty when prompted.

Generate CA key & certificate

$ openssl genrsa -out MyRootCA.key 2048
$ openssl req -x509 -new -nodes -key MyRootCA.key -sha256 -days 1024 -out MyRootCA.pem

Generate server key & certificate signing request

$ openssl genrsa -out MyServer.key 2048
$ openssl req -new -key MyServer.key -out MyServer.csr

Generate server certificate based on our own CA certificate

$ openssl x509 -req -in MyServer.csr -CA MyRootCA.pem -CAkey MyRootCA.key -CAcreateserial -out MyServer.pem -days 1024 -sha256

Generate client key & certificate signing request

$ openssl genrsa -out MyClient.key 2048
$ openssl req -new -key MyClient.key -out MyClient.csr

Generate client certificate based on our own CA certificate

$ openssl x509 -req -in MyClient.csr -CA MyRootCA.pem -CAkey MyRootCA.key -CAcreateserial -out MyClient.pem -days 1024 -sha256

We end up with:

MyServer.csr
MyServer.key
MyServer.pem
MyClient.csr
MyClient.key
MyClient.pem
MyRootCA.key
MyRootCA.pem
MyRootCA.srl
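The whole procedure above as one script, added here as an example and not taken from the ExDgraph wiki or the Dgraph project. It goes a little beyond the interactive commands: subjects are passed with -subj so nothing is prompted, the server certificate also gets a subjectAltName (Go-based TLS stacks such as Dgraph's ignore the common name for hostname checks from Go 1.15 on and require a SAN), client and server leaf certificates are marked with their intended extendedKeyUsage, and the resulting chains are checked with openssl verify. SERVER_NAME, the client common name and the output directory are assumptions; change them to match your deployment.

```shell
#!/usr/bin/env sh
# Added example (not ExDgraph/Dgraph code): private CA + server cert + client
# cert for Dgraph mutual TLS, then verification of both chains.
# Assumptions: SERVER_NAME is the name clients connect to (default: localhost);
# the client CN "ex_dgraph-client" is arbitrary.
set -eu

SERVER_NAME="${SERVER_NAME:-localhost}"
CLIENT_NAME="${CLIENT_NAME:-ex_dgraph-client}"

make_certs() {
  dir="$1"
  mkdir -p "$dir"

  # CA key and self-signed CA certificate. Its CN must differ from the
  # server and client CNs.
  openssl genrsa -out "$dir/MyRootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/MyRootCA.key" -sha256 -days 1024 \
    -subj "/CN=My Root CA" -out "$dir/MyRootCA.pem"

  # Server key and CSR; CN is the hostname, and the SAN repeats it because
  # modern Go TLS clients only look at the SAN for hostname verification.
  openssl genrsa -out "$dir/MyServer.key" 2048 2>/dev/null
  openssl req -new -key "$dir/MyServer.key" -subj "/CN=$SERVER_NAME" \
    -out "$dir/MyServer.csr"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
    "$SERVER_NAME" > "$dir/server.ext"
  openssl x509 -req -in "$dir/MyServer.csr" -CA "$dir/MyRootCA.pem" \
    -CAkey "$dir/MyRootCA.key" -CAcreateserial -days 1024 -sha256 \
    -extfile "$dir/server.ext" -out "$dir/MyServer.pem"

  # Client key and CSR, signed by the same CA, restricted to clientAuth.
  openssl genrsa -out "$dir/MyClient.key" 2048 2>/dev/null
  openssl req -new -key "$dir/MyClient.key" -subj "/CN=$CLIENT_NAME" \
    -out "$dir/MyClient.csr"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  openssl x509 -req -in "$dir/MyClient.csr" -CA "$dir/MyRootCA.pem" \
    -CAkey "$dir/MyRootCA.key" -CAcreateserial -days 1024 -sha256 \
    -extfile "$dir/client.ext" -out "$dir/MyClient.pem"

  # Private keys should only be readable by their owner.
  chmod 600 "$dir/MyRootCA.key" "$dir/MyServer.key" "$dir/MyClient.key"
}

# Returns 0 when both leaf certificates chain to MyRootCA.pem and the server
# certificate carries SERVER_NAME as a DNS SAN; non-zero otherwise.
verify_chain() {
  dir="$1"
  openssl verify -CAfile "$dir/MyRootCA.pem" "$dir/MyServer.pem" >/dev/null &&
  openssl verify -CAfile "$dir/MyRootCA.pem" "$dir/MyClient.pem" >/dev/null &&
  openssl x509 -in "$dir/MyServer.pem" -noout -text | grep -q "DNS:$SERVER_NAME"
}

# Usage: ./make_certs.sh ./certs
if [ $# -gt 0 ]; then
  make_certs "$1"
  verify_chain "$1" && echo "OK: certificates written to $1 and verified against MyRootCA.pem"
fi
```

Once the Dgraph server is running with these files, the handshake itself can be exercised without ExDgraph: `openssl s_client -connect localhost:9080 -CAfile MyRootCA.pem -cert MyClient.pem -key MyClient.key` should complete with "Verify return code: 0 (ok)", and the same command without -cert and -key should be rejected when --tls_client_auth=REQUIREANDVERIFY is set.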


Configure ExDgraph

To use TLS client authentication, set tls_client_auth to true and point cacertfile at the CA certificate used to verify the server, certfile at the client certificate, and keyfile at the client's private key:

config :ex_dgraph, ExDgraph,
  # default port considered to be: 9080
  hostname: 'localhost',
  pool_size: 5,
  max_overflow: 1,
  tls_client_auth: true,
  # CA that signed the server certificate (and the client certificate)
  cacertfile: '/path/to/MyRootCA.pem',
  # certificate and key the client presents to the server
  certfile: '/path/to/MyClient.pem',
  keyfile: '/path/to/MyClient.key'

On the server side, make MyRootCA.pem, MyServer.pem and MyServer.key available to the Dgraph process (for example by mounting them into the container) and start it with TLS on, the CA certificate for verifying clients, its own certificate and key, and client authentication set to REQUIREANDVERIFY:

command: dgraph server --my=server:7080 --memory_mb=2048 --zero=zero:5080 --tls_on --tls_ca_certs=/path/to/cert/in/container/MyRootCA.pem --tls_cert=/path/to/cert/in/container/MyServer.pem --tls_cert_key=/path/to/cert/in/container/MyServer.key --tls_client_auth=REQUIREANDVERIFY