Hi,
I am following Configure Server Certificates | Couchbase Docs for enabling certificate based authentication.
But I am not able to enable it correctly.
I have changed the Required client certificate as Mandatory but the prefix and delimeter is left blank.
This way the Certificate based client is able to connect to couchbase as well as the password based client is also able to connect. I need to stop the password based authentication totally.
The steps are as :
$ mkdir servercertfiles
$ cd servercertfiles
$ mkdir -p {public,private,requests}
$ openssl genrsa -out ca.key 2048
$ openssl req -new -x509 -days 3650 -sha256 -key ca.key -out ca.pem -subj “/CN=Couchbase Root CA”
$ openssl genrsa -out private/couchbase.default.svc.key 2048
$ openssl req -new -key private/couchbase.default.svc.key -out requests/couchbase.default.svc.csr -subj “/CN=Couchbase Server”
$ cat > server.ext <<EOF
basicConstraints=CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature,keyEncipherment
EOF
$ cp ./server.ext ./server.ext.tmp
$ echo “subjectAltName = DNS:node2.cb.com,IP:127.0.0.1”>> ./server.ext.tmp
$ openssl x509 -CA ca.pem -CAkey ca.key -CAcreateserial -days 365 -req -in requests/couchbase.default.svc.csr -out public/couchbase.default.svc.pem -extfile server.ext.tmp
Signature ok
subject=CN = Couchbase Server
Getting CA Private Key
$ cd ./public
$ mv couchbase.default.svc.pem chain.pem
$ cd …/private
$ mv couchbase.default.svc.key pkey.key
$ cd …/…
$ cd servercertfiles
$ mkdir javaclient
$ cd javaclient
$ export KEYSTORE_FILE=my.keystore
$ export STOREPASS=amit1234
$ keytool -genkey -keyalg RSA -alias selfsigned -keystore ${KEYSTORE_FILE} -storepass
${STOREPASS} -validity 360 -keysize 2048 -noprompt -dname “CN=amittest1 , OU=People, O=MyCompany,L=None, S=None, C=UA” -keypass ${STOREPASS}
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 360 days
for: CN=amittest1, OU=People, O=MyCompany, L=None, ST=None, C=UA
$ keytool -certreq -alias selfsigned -keyalg RSA -file my.csr -keystore ${KEYSTORE_FILE} -storepass ${STOREPASS} -noprompt
$ openssl x509 -req -in my.csr -CA …/ca.pem -CAkey …/ca.key -CAcreateserial -out clientcert.pem -days 365
Signature ok
subject=C = UA, ST = None, L = None, O = MyCompany, OU = People, CN = amittest1
Getting CA Private Key
$ ls
clientcert.pem my.csr my.keystore
I have created a user amittest1 in couchbase with Application Access (on the bucket only)
What value of subject.cn should be used in the couchbase server for clients? How to stop the password based authentication totally?
Can anyone please help here urgently?