Securing Communication with TLS Certificates: A Definitive Guide for Couchbase Server (Part 3 of 3)

Understanding TLS within Couchbase Server

In Part 1 and Part 2 of this guide, we explained the history of TLS, the components involved and how it works. In this final 3rd part of the guide we combine this all together and learn how TLS works in Couchbase Server.

Couchbase Cluster Certificates

In Couchbase Server, a cluster certificate ties everything to one or more trusted Certificate Authorities (CAs); it does not directly handle the database encryption. Instead, it establishes a chain of trust for the per-node certificates within the cluster.

All relying parties in Couchbase Server deployment must have the Cluster Certificate installed and trusted. Just like the previous example with the web browser having trusted root CAs, in a Couchbase deployment each Couchbase Server Node and connecting application using one of the SDKs must trust the Cluster Certificate. It is also imported into additional Couchbase Server Clusters that use the cross-datacenter replication (XDCR) feature to replicate data between the clusters securely.

In Couchbase Capella, our Database as a Service (DBaaS) offering, all clusters actually use the same certificate authority, and hence all use the same Cluster Certificate. And, starting in early 2022, all official Couchbase SDKs released since have included, by default, automatic trusting of the Capella Cluster Certificate.

Node Certificates for Network Encryption

Node Certificates and the per-node private keys are the primary component responsible for network encryption in Couchbase Server. The Node Certificates are created by a trusted Certificate Authority (CA) and are signed by the CA’s Private Key (aka the Private Key associated with the Cluster Public Key/Cert).

Here’s the creation process for a Couchbase Node Certificate.

1. A Certificate Signing Request (CSR) is requested to the Certificate Authority with an embedded Node’s Public Key.
2. The Node’s Certificate is created, including the embedded Node Public Key and this is signed using the Cluster Private Key on the CA system itself.
3. The Node Certificate is then provided back to the requestor.

These certificates facilitate secure communication between Couchbase server nodes and enable encrypted connectivity with individual Couchbase server nodes from SDKs. Key points regarding node certificates include:

Node-to-node encryption: Node certificates secure the communication channels between Couchbase server nodes, safeguarding data as it travels within the cluster.

SDK connectivity: When SDKs connect to individual Couchbase server nodes, node certificates ensure that the communication is encrypted, maintaining data confidentiality.

Admin GUI access over HTTPS: By utilizing the node certificate, administrators can securely access the Couchbase Server’s graphical user interface (GUI) through HTTPS.

If we look at an example of how a SDK makes an encrypted connection to a Couchbase Server node, you’ll see the various components at work. I’ve intentionally left out some detail, to keep it somewhat simple.

The SDK will perform these steps with each Couchbase Server Node across the cluster it establishes a TLS connection with.

Example of setting up TLS in Couchbase Server

In this section we’ll setup TLS network encryption on a 3 node Couchbase Server cluster, running version 7.2.0 on Linux hosts. There’s also a 4th Linux host used as the Certificate Authority.

Cluster Private Key + Certificate

This is just a Linux host that has a current version of OpenSSL installed.

First we’ll create a Couchbase template file that will be used later on for the per-node certificates.

Command (no output)

cat > cbserver.ext <<EOF
basicConstraints=CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature,keyEncipherment
EOF

cat > cbserver.ext <<EOF

basicConstraints=CA:FALSE

subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid,issuer:always

extendedKeyUsage=serverAuth

keyUsage = digitalSignature,keyEncipherment

EOF

The next step will be to create the encrypted Cluster Private Key, named cluster_private.key.

Run the following command, you will be prompted for a passphrase to encrypt this key.

The private key will be PKCS8 (PKCS #8) format and encrypted with the very secure 265 bit Advanced Encryption Standard (AES).

Command

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes256 -out cluster_private.key

1	openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes256 -out cluster_private.key

Output

.................................................+++++
....+++++
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

.................................................+++++

....+++++

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

You can validate it is an encrypted private key, by looking at the start of the file.

Command

head cluster_private.key

1	head cluster_private.key

Output

-----BEGIN ENCRYPTED PRIVATE KEY-----

MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI7V+8dCGg42oCAggA

MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBAvcj4Z3cB/j2gIudgzhRgSBIIE

0HFbApMtub0oadBYkx7RHPxd4jpILoTJ2nwqYtn79r/fCf1KwwwcWAd6vXOC0EeH

0acalU4ZfMF756CafORL7mfnB7VIw2ht5ObsUpCiYu9cIh8tHK2bipIELKMKfCT3

ljxjOn/AEZIqWy6RmwV375Ri3RONBT+czGIs4FXUA8TY/ZHlOw46yYxpxPefkRLU

H9bfcg8RLqPKfeAOprisHNhmoch0MuU0gS6U0Lt+KvNDWNylIQba94q36FQIE3YW

OVlHkgB2/YCx9BR/ZnWlIK6I/ZrN6Z4u/n9hFY/oYrxj4RIorvJyjeSq52XzVrPd

1bTeZob/MJomNhyeW0SYbUsRV/40N11wzx5tkSftuP8zs9MzP36qspDq56rl3W5H

grKM7c9Dn+BLQbHz4158Wxaxz2CzTsn5IT5Q6BP27StrTGMYeHSAX32D+s313kPw

Now we’ll create the cluster certificate in the PEM x.509 format. In our case the certificate is intended to be self-signed, meaning that it will not be vouched for by any other authority. This means that it can be created directly, based on the existing private key ca.key, without assistance from a third party.

When we create the cluster certificate, valid for 3650 days (10 years), it will have a cluster public key embedded into the certificate which is the corresponding pair of the cluster_private.key made earlier. You will need to provide the passphrase you entered earlier to now decrypt the private key for this command.

Command

openssl req -new -x509 -days 3650 -sha256 -key cluster_private.key -out cluster_cert.pem -subj "/CN=Couchbase Root CA"

1	openssl req -new -x509 -days 3650 -sha256 -key cluster_private.key -out cluster_cert.pem -subj "/CN=Couchbase Root CA"

Output

Enter pass phrase for cluster_private.key:

1	Enter pass phrase for cluster_private.key:

Now we can print out the contents of the new cert file (and also see the public key).

Command

openssl x509 -text -noout -in ./cluster_cert.pem

1	openssl x509 -text -noout -in ./cluster_cert.pem

Output

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            7e:a6:19:80:11:8c:b2:12:cc:86:91:bd:9b:df:f1:2f:75:ef:50:07
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Couchbase Root CA
        Validity
            Not Before: Jul 26 12:26:06 2023 GMT
            Not After : Jul 23 12:26:06 2033 GMT
        Subject: CN = Couchbase Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a6:51:f9:d5:6f:40:06:b3:b5:5b:55:b5:a0:82:
                    2a:73:7a:0d:a8:02:1f:82:24:ed:c7:99:51:0a:d9:
                    f8:09:08:0e:24:e0:34:fe:ef:0f:53:dd:27:19:af:
                    a1:0d:78:14:03:3e:26:2e:c0:44:35:fb:c7:84:57:
                    ad:66:be:95:d4:53:71:8c:24:30:26:46:6e:03:b9:
                    b9:e9:b1:a1:fa:f9:7f:bd:88:f8:03:3e:20:dc:3a:
                    29:dd:0d:2c:a3:0b:8e:22:46:49:ca:56:dc:b7:17:
                    f9:87:12:d2:df:80:b8:35:df:19:4f:0d:f4:b2:9d:
                    02:9e:2c:59:e4:25:98:05:85:cd:e8:64:04:43:1f:
                    79:35:fb:ae:8b:e8:cd:16:24:68:90:9f:32:d5:d3:
                    5f:b0:11:82:3f:a3:7a:83:d8:e2:c5:92:a5:ef:8f:
                    e2:4e:b2:8f:c1:27:04:92:3c:6d:50:88:82:5b:73:
                    e8:17:7b:03:c7:f3:98:71:dd:99:ed:84:f9:37:3a:
                    67:79:d3:fa:6a:a4:2e:69:25:a1:2c:79:39:40:e5:
                    51:2c:57:02:be:c0:d6:43:7f:d5:ce:c9:cb:ee:68:
                    a6:ad:13:17:22:d1:16:8b:08:17:ba:25:80:ce:9a:
                    e8:a5:fc:e9:93:47:c5:a4:70:95:eb:3b:80:39:e7:
                    94:af
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                18:D1:3E:58:0C:99:3D:6D:D4:EB:1A:D5:2F:43:69:89:8C:C0:A3:87
            X509v3 Authority Key Identifier:
                keyid:18:D1:3E:58:0C:99:3D:6D:D4:EB:1A:D5:2F:43:69:89:8C:C0:A3:87
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         3f:af:bb:c9:b9:89:82:78:fe:99:e6:49:fe:7b:8d:c4:67:f4:
         62:ff:f7:6d:46:9f:75:17:9e:56:8c:c4:06:71:95:a1:6c:cd:
         d6:ae:06:dd:3f:28:ce:3b:ea:bb:1b:4b:21:26:6b:85:48:5b:
         43:c8:9c:10:ac:3d:4c:e2:62:69:8d:45:9a:5d:f0:d5:14:b7:
         21:9e:00:9a:53:50:22:42:c7:1f:ad:80:68:dd:f3:69:89:9d:
         68:3e:37:62:69:c1:28:62:5a:08:91:98:96:49:64:8b:cc:01:
         4c:7a:cf:c3:ff:cf:04:86:85:fb:2b:cf:ed:89:6c:15:ba:f7:
         8f:03:cb:af:50:f7:10:35:93:3d:29:09:bf:a5:e3:0b:d2:18:
         a2:7b:84:db:40:8a:b7:42:82:1b:ac:c8:8c:f0:d7:4f:45:de:
         b8:76:80:04:66:9b:3f:ed:e9:23:d5:52:51:9a:f8:cc:ad:1a:
         67:8f:a9:d7:45:3f:2a:07:89:5c:7b:fa:b5:73:f5:b0:4d:8d:
         d2:32:66:20:18:30:2e:d1:3e:cb:02:b3:4b:26:6e:25:20:83:
         f6:5b:a9:e8:fd:e2:d5:90:bc:16:65:6d:f9:de:9c:c0:e4:07:
         00:cb:e9:4b:9c:b4:fa:4c:79:c3:2f:3a:e7:e8:43:75:fc:b7:
         51:a5:16:ce

Certificate:

Data:

Version: 3 (0x2)

Serial Number:

7e:a6:19:80:11:8c:b2:12:cc:86:91:bd:9b:df:f1:2f:75:ef:50:07

Signature Algorithm: sha256WithRSAEncryption

Issuer: CN = Couchbase Root CA

Validity

Not Before: Jul 26 12:26:06 2023 GMT

Not After : Jul 23 12:26:06 2033 GMT

Subject: CN = Couchbase Root CA

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

RSA Public-Key: (2048 bit)

Modulus:

00:a6:51:f9:d5:6f:40:06:b3:b5:5b:55:b5:a0:82:

2a:73:7a:0d:a8:02:1f:82:24:ed:c7:99:51:0a:d9:

f8:09:08:0e:24:e0:34:fe:ef:0f:53:dd:27:19:af:

a1:0d:78:14:03:3e:26:2e:c0:44:35:fb:c7:84:57:

ad:66:be:95:d4:53:71:8c:24:30:26:46:6e:03:b9:

b9:e9:b1:a1:fa:f9:7f:bd:88:f8:03:3e:20:dc:3a:

29:dd:0d:2c:a3:0b:8e:22:46:49:ca:56:dc:b7:17:

f9:87:12:d2:df:80:b8:35:df:19:4f:0d:f4:b2:9d:

02:9e:2c:59:e4:25:98:05:85:cd:e8:64:04:43:1f:

79:35:fb:ae:8b:e8:cd:16:24:68:90:9f:32:d5:d3:

5f:b0:11:82:3f:a3:7a:83:d8:e2:c5:92:a5:ef:8f:

e2:4e:b2:8f:c1:27:04:92:3c:6d:50:88:82:5b:73:

e8:17:7b:03:c7:f3:98:71:dd:99:ed:84:f9:37:3a:

67:79:d3:fa:6a:a4:2e:69:25:a1:2c:79:39:40:e5:

51:2c:57:02:be:c0:d6:43:7f:d5:ce:c9:cb:ee:68:

a6:ad:13:17:22:d1:16:8b:08:17:ba:25:80:ce:9a:

e8:a5:fc:e9:93:47:c5:a4:70:95:eb:3b:80:39:e7:

94:af

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Subject Key Identifier:

18:D1:3E:58:0C:99:3D:6D:D4:EB:1A:D5:2F:43:69:89:8C:C0:A3:87

X509v3 Authority Key Identifier:

keyid:18:D1:3E:58:0C:99:3D:6D:D4:EB:1A:D5:2F:43:69:89:8C:C0:A3:87

X509v3 Basic Constraints: critical

CA:TRUE

Signature Algorithm: sha256WithRSAEncryption

3f:af:bb:c9:b9:89:82:78:fe:99:e6:49:fe:7b:8d:c4:67:f4:

62:ff:f7:6d:46:9f:75:17:9e:56:8c:c4:06:71:95:a1:6c:cd:

d6:ae:06:dd:3f:28:ce:3b:ea:bb:1b:4b:21:26:6b:85:48:5b:

43:c8:9c:10:ac:3d:4c:e2:62:69:8d:45:9a:5d:f0:d5:14:b7:

21:9e:00:9a:53:50:22:42:c7:1f:ad:80:68:dd:f3:69:89:9d:

68:3e:37:62:69:c1:28:62:5a:08:91:98:96:49:64:8b:cc:01:

4c:7a:cf:c3:ff:cf:04:86:85:fb:2b:cf:ed:89:6c:15:ba:f7:

8f:03:cb:af:50:f7:10:35:93:3d:29:09:bf:a5:e3:0b:d2:18:

a2:7b:84:db:40:8a:b7:42:82:1b:ac:c8:8c:f0:d7:4f:45:de:

b8:76:80:04:66:9b:3f:ed:e9:23:d5:52:51:9a:f8:cc:ad:1a:

67:8f:a9:d7:45:3f:2a:07:89:5c:7b:fa:b5:73:f5:b0:4d:8d:

d2:32:66:20:18:30:2e:d1:3e:cb:02:b3:4b:26:6e:25:20:83:

f6:5b:a9:e8:fd:e2:d5:90:bc:16:65:6d:f9:de:9c:c0:e4:07:

00:cb:e9:4b:9c:b4:fa:4c:79:c3:2f:3a:e7:e8:43:75:fc:b7:

51:a5:16:ce

Now we have the Cluster Certificate (cluster_cert.pem), this file needs to be copied to every Couchbase Server Node in the cluster. It also needs to be added to every application where the SDKs operate from as well as any hosts where admins access the UI such as an administrator’s laptop. It’s not a sensitive file and only contains public information.

Node Private Key + CSR

The steps in this section will need to be repeated for each Couchbase Server Node:

- Login to the Couchbase Server Node.
- Run the following commands in a temporary directory, inaccessible to other users on the system.

First let’s create node1’s, node private key, in a PKCS1 (PKCS #1) format

Command

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out cbnode1_private.key

1	openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out cbnode1_private.key

Output

...................................................................................+++++
....+++++

1 2	...................................................................................+++++ ....+++++

Next let’s create the Certificate Signing Request (CSR) for Node1, using the node1 private key. Remembering that a public key will be embedded in the CSR.

Command (No output)

openssl req -new -key cbnode1_private.key -out cbnode1.csr -subj "/CN=Couchbase Server"

1	openssl req -new -key cbnode1_private.key -out cbnode1.csr -subj "/CN=Couchbase Server"

This CSR and its embedded public key can now be viewed and verified.

Command

openssl req -text -noout -verify -in ./cbnode1.csr

1	openssl req -text -noout -verify -in ./cbnode1.csr

Output

verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = Couchbase Server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c6:a3:bd:7e:84:eb:8b:00:47:74:61:f6:68:3f:
                    d7:65:e8:90:7b:cd:ee:47:dd:d0:c4:26:5e:52:10:
                    8c:9e:55:68:dc:c7:01:06:f5:27:82:9a:40:2d:0a:
                    2a:a0:ef:d1:9d:ba:ee:cd:cc:1c:3b:b0:52:ab:bd:
                    03:98:eb:70:9c:53:02:8f:93:05:d9:79:3b:ee:ad:
                    86:dc:49:e2:8d:88:70:d4:80:ad:16:f2:ca:9e:20:
                    82:5c:52:51:7a:6b:e5:82:85:a9:d3:55:4b:61:70:
                    46:34:30:2c:72:8a:49:3f:a5:2e:59:37:58:49:45:
                    ca:63:99:61:c5:14:ff:9b:83:86:45:37:95:54:46:
                    66:68:f3:cc:55:ac:2e:49:17:7d:f8:2f:4d:df:ea:
                    f5:76:f5:b6:72:d6:93:ad:73:6c:64:da:6a:30:5c:
                    8b:c0:d8:94:df:fc:4e:e8:ad:8c:34:40:e9:87:93:
                    99:97:ed:3b:b5:e8:85:19:29:3c:20:d6:3a:0a:46:
                    6e:b4:c3:4b:ca:80:82:05:2b:59:62:6b:99:c9:93:
                    5f:11:f5:96:e1:1c:8c:c3:cd:3c:60:31:0b:40:fc:
                    a6:2f:fc:40:15:71:d7:e5:c6:b0:5c:3c:4b:64:4e:
                    3d:b7:48:e9:59:31:6d:b3:1e:9f:07:9b:5a:bc:bb:
                    cd:df
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         5d:70:22:cd:a9:1b:dc:97:d3:1f:49:e7:d5:ef:4c:c9:f8:5b:
         8e:65:b3:a1:ac:b4:19:cb:ff:3a:39:bc:b8:d2:21:a9:ac:2d:
         b3:78:83:fa:26:8d:b3:26:20:83:12:a6:fd:93:23:dc:4f:ee:
         59:2f:64:bd:03:03:51:92:28:e5:55:7d:63:a4:4a:48:80:05:
         01:90:5b:ac:8d:37:d0:7a:80:a5:49:5b:63:b0:44:fd:5d:aa:
         fc:9e:1c:16:78:2b:79:bb:a9:a3:a4:f8:8d:02:db:27:e0:40:
         95:61:fd:2f:f5:e2:67:f5:19:4c:75:77:38:28:ab:c5:70:06:
         c0:14:7c:82:e1:6a:cd:72:bb:f1:98:a5:79:1e:81:94:ca:3d:
         74:62:ef:48:85:d6:79:c9:26:0c:39:a8:50:7a:f0:40:1c:b4:
         5a:c6:2b:06:11:c8:63:7e:a8:0f:0b:0f:92:e3:35:6d:ab:44:
         37:08:b8:7e:4b:4e:f0:14:12:5c:f0:b3:c3:a5:c0:bd:72:dd:
         2e:43:ff:0b:7d:12:f9:46:40:87:16:06:14:00:d6:c4:1f:ae:
         d8:94:ff:cf:06:dc:72:20:ef:8f:5a:b2:0b:a6:cf:69:87:48:
         33:ac:b3:06:a2:5b:d0:16:9f:a0:3b:1d:dc:89:2a:0b:fa:1f:
         fa:3c:22:ed

verify OK

Certificate Request:

Data:

Version: 1 (0x0)

Subject: CN = Couchbase Server

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

RSA Public-Key: (2048 bit)

Modulus:

00:c6:a3:bd:7e:84:eb:8b:00:47:74:61:f6:68:3f:

d7:65:e8:90:7b:cd:ee:47:dd:d0:c4:26:5e:52:10:

8c:9e:55:68:dc:c7:01:06:f5:27:82:9a:40:2d:0a:

2a:a0:ef:d1:9d:ba:ee:cd:cc:1c:3b:b0:52:ab:bd:

03:98:eb:70:9c:53:02:8f:93:05:d9:79:3b:ee:ad:

86:dc:49:e2:8d:88:70:d4:80:ad:16:f2:ca:9e:20:

82:5c:52:51:7a:6b:e5:82:85:a9:d3:55:4b:61:70:

46:34:30:2c:72:8a:49:3f:a5:2e:59:37:58:49:45:

ca:63:99:61:c5:14:ff:9b:83:86:45:37:95:54:46:

66:68:f3:cc:55:ac:2e:49:17:7d:f8:2f:4d:df:ea:

f5:76:f5:b6:72:d6:93:ad:73:6c:64:da:6a:30:5c:

8b:c0:d8:94:df:fc:4e:e8:ad:8c:34:40:e9:87:93:

99:97:ed:3b:b5:e8:85:19:29:3c:20:d6:3a:0a:46:

6e:b4:c3:4b:ca:80:82:05:2b:59:62:6b:99:c9:93:

5f:11:f5:96:e1:1c:8c:c3:cd:3c:60:31:0b:40:fc:

a6:2f:fc:40:15:71:d7:e5:c6:b0:5c:3c:4b:64:4e:

3d:b7:48:e9:59:31:6d:b3:1e:9f:07:9b:5a:bc:bb:

cd:df

Exponent: 65537 (0x10001)

Attributes:

a0:00

Signature Algorithm: sha256WithRSAEncryption

5d:70:22:cd:a9:1b:dc:97:d3:1f:49:e7:d5:ef:4c:c9:f8:5b:

8e:65:b3:a1:ac:b4:19:cb:ff:3a:39:bc:b8:d2:21:a9:ac:2d:

b3:78:83:fa:26:8d:b3:26:20:83:12:a6:fd:93:23:dc:4f:ee:

59:2f:64:bd:03:03:51:92:28:e5:55:7d:63:a4:4a:48:80:05:

01:90:5b:ac:8d:37:d0:7a:80:a5:49:5b:63:b0:44:fd:5d:aa:

fc:9e:1c:16:78:2b:79:bb:a9:a3:a4:f8:8d:02:db:27:e0:40:

95:61:fd:2f:f5:e2:67:f5:19:4c:75:77:38:28:ab:c5:70:06:

c0:14:7c:82:e1:6a:cd:72:bb:f1:98:a5:79:1e:81:94:ca:3d:

74:62:ef:48:85:d6:79:c9:26:0c:39:a8:50:7a:f0:40:1c:b4:

5a:c6:2b:06:11:c8:63:7e:a8:0f:0b:0f:92:e3:35:6d:ab:44:

37:08:b8:7e:4b:4e:f0:14:12:5c:f0:b3:c3:a5:c0:bd:72:dd:

2e:43:ff:0b:7d:12:f9:46:40:87:16:06:14:00:d6:c4:1f:ae:

d8:94:ff:cf:06:dc:72:20:ef:8f:5a:b2:0b:a6:cf:69:87:48:

33:ac:b3:06:a2:5b:d0:16:9f:a0:3b:1d:dc:89:2a:0b:fa:1f:

fa:3c:22:ed

Now copy the CSR file, cbnode1.csr, over to the CA system. It only contains public information and is not sensitive.

Create Node Certificates

Login to the CA system, you should now have CSR files for each Couchbase Server Node in the cluster located on the CA system, cbnode1.csr, cbnode2.csr, etc.

For each Couchbase Server Node, you will need to create a template file. The template file created earlier, cbserver.ext, will be customized to each node. Run this command for each Couchbase Server Node, replacing the DNS hostname of the Couchbase Server Node and filename as needed. This will set the Subject Alternative Name (SAN) to match the name of the Couchbase Server Node.

If using hostnames for Couchbase Server, run this command:

Command (no output)

cp cbserver.ext cbnode1.ext && echo "subjectAltName = DNS:node1.cb.acme.com" >> cbnode1.ext

1	cp cbserver.ext cbnode1.ext && echo "subjectAltName = DNS:node1.cb.acme.com" >> cbnode1.ext

Alternatively if using IP addresses without hostnames for Couchbase Server, run this:

Command (no output)

cp cbserver.ext cbnode1.ext && echo "subjectAltName = IP:172.17.0.2" >> cbnode1.ext

1	cp cbserver.ext cbnode1.ext && echo "subjectAltName = IP:172.17.0.2" >> cbnode1.ext

Now you should have template files for each Couchbase Server Node in the cluster, cbnode1.ext, cbnode2.ext, cbnode3.ext, etc..

We will now generate the certificates, valid for 3 months, for each Couchbase Server Node. These will be in a PEM x.509 format. Run this command for each node, changing the filenames. Each time this is run, you will be prompted for your CA passphrase used to encrypt the cluster_private.key earlier.

Command

openssl x509 -CA cluster_cert.pem -CAkey cluster_private.key -CAcreateserial -days 90 -req -in cbnode1.csr -out node1_cert.pem -extfile cbnode1.ext

1	openssl x509 -CA cluster_cert.pem -CAkey cluster_private.key -CAcreateserial -days 90 -req -in cbnode1.csr -out node1_cert.pem -extfile cbnode1.ext

Output

Signature ok
subject=CN = Couchbase Server
Getting CA Private Key
Enter pass phrase for cluster_private.key:

Signature ok

subject=CN = Couchbase Server

Getting CA Private Key

Enter pass phrase for cluster_private.key:

Copy each certificate file off the Certificate Authority to each Couchbase Server Node they belong to. For example, copy node1_cert.pem on to Couchbase Server Node 1 and node2_cert.pem on to Couchbase Server Node 2.

Load the certificates into Couchbase Server

These steps will need to be performed on each Couchbase Server Node

- Cluster Certificate, cluster_cert.pem
- Node’s (Public) Certificate, node1_cert.pem
- Node’s Private Key, cbnode1_private.key

You no longer need the CSR file created earlier.

Now you need to move the files into the correct location, with the correct naming convention for Couchbase Server. Note that the same destination filename is used on each Couchbase Server Node, but each node has unique files for the chain.pem and pkey.key.

Command

mkdir /opt/couchbase/var/lib/couchbase/inbox
mkdir /opt/couchbase/var/lib/couchbase/inbox/CA
mv cluster_cert.pem /opt/couchbase/var/lib/couchbase/inbox/CA/ca.pem
mv node1_cert.pem /opt/couchbase/var/lib/couchbase/inbox/chain.pem
mv cbnode1_private.key /opt/couchbase/var/lib/couchbase/inbox/pkey.key
chown couchbase:couchbase /opt/couchbase/var/lib/couchbase/inbox/pkey.key

mkdir /opt/couchbase/var/lib/couchbase/inbox

mkdir /opt/couchbase/var/lib/couchbase/inbox/CA

mv cluster_cert.pem /opt/couchbase/var/lib/couchbase/inbox/CA/ca.pem

mv node1_cert.pem /opt/couchbase/var/lib/couchbase/inbox/chain.pem

mv cbnode1_private.key /opt/couchbase/var/lib/couchbase/inbox/pkey.key

chown couchbase:couchbase /opt/couchbase/var/lib/couchbase/inbox/pkey.key

Now all the correct files are ready to be imported to the Couchbase Server configuration.

Start by loading in the Cluster Certificate:

Command

curl -X POST http://localhost:8091/node/controller/loadTrustedCAs -u Administrator:password

1	curl -X POST http://localhost:8091/node/controller/loadTrustedCAs -u Administrator:password

Output

[{"id":1,"loadTimestamp":"2023-07-26T15:51:33.000Z","subject":"CN=Couchbase Root CA","notBefore":"2023-07-26T12:26:06.000Z","notAfter":"2033-07-23T12:26:06.000Z","type":"uploaded","pem":"-----BEGIN CERTIFICATE-----\nMIIDGTCCAgGgAwIBAgIUfqYZgBGMshLMhpG9m9/xL3XvUAcwDQYJKoZIhvcNAQEL\nBQAwHDEaMBgGA1UEAwwRQ291Y2hiYXNlIFJvb3QgQ0EwHhcNMjMwNzI2MTIyNjA2\nWhcNMzMwNzIzMTIyNjA2WjAcMRowGAYDVQQDDBFDb3VjaGJhc2UgUm9vdCBDQTCC\nASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKZR+dVvQAaztVtVtaCCKnN6\nDagCH4Ik7ceZUQrZ+AkIDiTgNP7vD1PdJxmvoQ14FAM+Ji7ARDX7x4RXrWa+ldRT\ncYwkMCZGbgO5uemxofr5f72I+AM+INw6Kd0NLKMLjiJGScpW3LcX+YcS0t+AuDXf\nGU8N9LKdAp4sWeQlmAWFzehkBEMfeTX7rovozRYkaJCfMtXTX7ARgj+jeoPY4sWS\npe+P4k6yj8EnBJI8bVCIgltz6Bd7A8fzmHHdme2E+Tc6Z3nT+mqkLmkloSx5OUDl\nUSxXAr7A1kN/1c7Jy+5opq0TFyLRFosIF7olgM6a6KX86ZNHxaRwles7gDnnlK8C\nAwEAAaNTMFEwHQYDVR0OBBYEFBjRPlgMmT1t1Osa1S9DaYmMwKOHMB8GA1UdIwQY\nMBaAFBjRPlgMmT1t1Osa1S9DaYmMwKOHMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI\nhvcNAQELBQADggEBAD+vu8m5iYJ4/pnmSf57jcRn9GL/921Gn3UXnlaMxAZxlaFs\nzdauBt0/KM476rsbSyEma4VIW0PInBCsPUziYmmNRZpd8NUUtyGeAJpTUCJCxx+t\ngGjd82mJnWg+N2JpwShiWgiRmJZJZIvMAUx6z8P/zwSGhfsrz+2JbBW6948Dy69Q\n9xA1kz0pCb+l4wvSGKJ7hNtAirdCghusyIzw109F3rh2gARmmz/t6SPVUlGa+Myt\nGmePqddFPyoHiVx7+rVz9bBNjdIyZiAYMC7RPssCs0smbiUgg/Zbqej94tWQvBZl\nbfnenMDkBwDL6UuctPpMecMvOufoQ3X8t1GlFs4=\n-----END CERTIFICATE-----\n\n","loadHost":"127.0.0.1","loadFile":"/opt/couchbase/va

[{"id":1,"loadTimestamp":"2023-07-26T15:51:33.000Z","subject":"CN=Couchbase Root CA","notBefore":"2023-07-26T12:26:06.000Z","notAfter":"2033-07-23T12:26:06.000Z","type":"uploaded","pem":"-----BEGIN CERTIFICATE-----\nMIIDGTCCAgGgAwIBAgIUfqYZgBGMshLMhpG9m9/xL3XvUAcwDQYJKoZIhvcNAQEL\nBQAwHDEaMBgGA1UEAwwRQ291Y2hiYXNlIFJvb3QgQ0EwHhcNMjMwNzI2MTIyNjA2\nWhcNMzMwNzIzMTIyNjA2WjAcMRowGAYDVQQDDBFDb3VjaGJhc2UgUm9vdCBDQTCC\nASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKZR+dVvQAaztVtVtaCCKnN6\nDagCH4Ik7ceZUQrZ+AkIDiTgNP7vD1PdJxmvoQ14FAM+Ji7ARDX7x4RXrWa+ldRT\ncYwkMCZGbgO5uemxofr5f72I+AM+INw6Kd0NLKMLjiJGScpW3LcX+YcS0t+AuDXf\nGU8N9LKdAp4sWeQlmAWFzehkBEMfeTX7rovozRYkaJCfMtXTX7ARgj+jeoPY4sWS\npe+P4k6yj8EnBJI8bVCIgltz6Bd7A8fzmHHdme2E+Tc6Z3nT+mqkLmkloSx5OUDl\nUSxXAr7A1kN/1c7Jy+5opq0TFyLRFosIF7olgM6a6KX86ZNHxaRwles7gDnnlK8C\nAwEAAaNTMFEwHQYDVR0OBBYEFBjRPlgMmT1t1Osa1S9DaYmMwKOHMB8GA1UdIwQY\nMBaAFBjRPlgMmT1t1Osa1S9DaYmMwKOHMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI\nhvcNAQELBQADggEBAD+vu8m5iYJ4/pnmSf57jcRn9GL/921Gn3UXnlaMxAZxlaFs\nzdauBt0/KM476rsbSyEma4VIW0PInBCsPUziYmmNRZpd8NUUtyGeAJpTUCJCxx+t\ngGjd82mJnWg+N2JpwShiWgiRmJZJZIvMAUx6z8P/zwSGhfsrz+2JbBW6948Dy69Q\n9xA1kz0pCb+l4wvSGKJ7hNtAirdCghusyIzw109F3rh2gARmmz/t6SPVUlGa+Myt\nGmePqddFPyoHiVx7+rVz9bBNjdIyZiAYMC7RPssCs0smbiUgg/Zbqej94tWQvBZl\nbfnenMDkBwDL6UuctPpMecMvOufoQ3X8t1GlFs4=\n-----END CERTIFICATE-----\n\n","loadHost":"127.0.0.1","loadFile":"/opt/couchbase/va

Next load in the Node Certificate and Private Key, and note that no warnings are printed:

Command

curl -X POST http://localhost:8091/node/controller/reloadCertificate -u Administrator:password

1	curl -X POST http://localhost:8091/node/controller/reloadCertificate -u Administrator:password

Output

{"warnings":[]}

1	{"warnings":[]}

You can now use TLS connections to your Couchbase Server Cluster.

Trusting the Cluster Certificate

Admin laptop

Login to an administrator’s laptop. In this case I’m using a Mac, similar steps can be performed for Windows and Linux machines.

Command on MacOS (no output)

sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/tmp/cluster_cert.pem"

1	sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/tmp/cluster_cert.pem"

Application SDK

We will use a Java application to connect to Couchbase Server, in this example we’ll point the application to the Cluster Certificate. Another option would be to use the JVM’s cacerts trust store, as the SDK will automatically trust any CAs defined there. Each programming language will have its own preferred way of trusting a CA certificate.

String connectionString = "couchbases://example.com" +
    "?security.trustCertificate=/path/to/cluster_cert.pem";
Cluster cluster = Cluster.connect(connectionString, username, password);

String connectionString = "couchbases://example.com" +

"?security.trustCertificate=/path/to/cluster_cert.pem";

Cluster cluster = Cluster.connect(connectionString, username, password);

Loading up the default encrypted UI address for one of your node’s hostname from an administrator laptop. This should load up without any warnings: https://node1.cb.acme.com:18091/

Likewise, you can make TLS encrypted connections from your application to the database.

Remember to create and deploy new per-node keys/certs before the 90 day expiration by following these steps again.

Advanced TLS Topics

While the steps provided so far will suit most applications, there’s a few additional capabilities that are offered in Couchbase Server for more complex requirements. These are covered in the blog Encrypted Private Keys & Multi-CA, Enterprise Security Enhancements In Couchbase Server 7.1

Multiple Certificate Authorities in Couchbase Server

Instead of including a single certificate as the Cluster Certificate (cluster_cert.pem / ca.pem), multiple certificates can be concatenated together into the file. This is a great option to have redundant Certificate Authorities or to perform migration from one Certificate Authority to another without any downtime.

Encrypted Node Private Keys

Just like we performed on the cluster private key, the private key (pkey.key) that resides on each Couchbase Server Node can also optionally be encrypted with passphrase so that it is only readable by people and systems that have the correct authority to do so.

Conclusion

TLS certificates and their proper configuration are fundamental to establishing secure communications in Couchbase Server. Understanding the role of cluster certificates, the significance of node certificates, and the involvement of Certificate Authorities (CAs) empowers administrators to implement robust security measures. Furthermore, familiarizing oneself with Subject Alternative Names (SAN) enhances flexibility in certificate deployment across multiple domains or subdomains. By following the guidelines presented in this guide, administrators can fortify the security of their Couchbase deployments and safeguard sensitive data from unauthorized access.

Thank you for following along with this series, we hope you enjoyed the guided tour.

Ian McCloy, Director Product Management

Products

See How Capella Stacks Up

See How Capella Stacks Up

By Industry

By Need

Why NoSQL

What is NoSQL and why choose it?

Popular Docs

By Developer Role

Capella Playground

Start A Free Capella Trial

Resource Center

Education

Certification Exams 2023

Get Couchbase certified

About

Partnerships

Our Services

Partners: Register a Deal

Ready to register a deal with Couchbase?

Marriott

Securing Communication with TLS Certificates: A Definitive Guide for Couchbase Server (Part 3 of 3)

Understanding TLS within Couchbase Server

Couchbase Cluster Certificates

Node Certificates for Network Encryption

Example of setting up TLS in Couchbase Server

Cluster Private Key + Certificate

Node Private Key + CSR

Create Node Certificates

Load the certificates into Couchbase Server

Trusting the Cluster Certificate

Admin laptop

Application SDK

Advanced TLS Topics

Multiple Certificate Authorities in Couchbase Server

Encrypted Node Private Keys

Conclusion

Author

Posted by Ian McCloy, Director Product Management

Leave a reply Cancel reply