- You run your own infrastructure.
- You need to use your existing CA infrastructure to manage .
- You need to use the same CA for multiple CockroachDB clusters.
Related functionality
Prior to CockroachDB v24.1, it was only safe to use certificates generated by CAs that placed restrictions on theCommonName field (so that only authorized users could get a cert with CommonName=root, for example). That meant that mapping the certificate principals to IP addresses, DNS names, and SQL users required using , which was first added in v20.1. That approach still works, but is superseded by the functionality described on this page, which should be much easier to use since you do not need to restart nodes when you add or remove users.
The Subject mapping functionality described on this page makes it possible to use CAs that do not place restrictions on the CommonName field but do place restrictions on other subject fields (for example, that every cert has an OU field based on the user that created it).
The only sets the CommonName field in its certificates, so the functionality described in this page is unnecessary. It is not possible to share a single CA managed by cockroach cert across multiple CockroachDB clusters.
Example
This example shows how to set up a mapping between the Subject field of an X.509 certificate and a SQL .Step 1. Create certificates using your infrastructure
These instructions assume that you have already created certificates using your own infrastructure for the following users:- The .
- The .
- Any who needs to authenticate with your cluster. In this example, we will call the user
maxroach.
- The cluster name and SQL user name will generally both appear somewhere in the certificate’s Subject.
- The cluster name will usually go in the
OUorDCfields, and the user name inUIDorCNfields. - For example, the Subject might look like
O=Acme Inc,OU=movr-prod,UID=root.
Step 2. Start your cluster with root and node certificate flags
At cluster startup, you’ll need to pass the flags and . The argument to each flag is a string with a comma separated list of distinguished name (DN) mappings in{attribute-type}={attribute-value} format in accordance with RFC4514. When each of these flags are set, the argument needs to be an exact match with the DN subject in the client certificate provided. By exact match, we mean that the order of attributes in the argument must match the order of attributes in the DN subject in the certificate.
node user in the example above is:
root user.
Step 3. Set the SUBJECT role option using CREATE ROLE or ALTER ROLE to match your certificates
You can associate an X.509 certificate’s Subject with a as shown below. Note that the Subject fields in the certificate have to be an exact match with what you pass in via the SQL statement. By exact match, we mean that the order of attributes passed in via the SQL statement must match the order of attributes in the certificate.
ALTER ROLE... SUBJECT cannot be applied to the root user. You must use cockroach start --root-cert-distinguished-name instead.
Step 4. Enable the cluster setting to require the Subject field in certificates
Once the cluster is started, enable the following :SUBJECT role option set will be unable to log in with certificates.
Regardless of this setting’s value, CockroachDB will verify the following during user authentication provided the Subject options or DN flags or both are set:
- For the
rootuser, that the distinguished name in the certificate Subject matches the distinguished name fields passed in viacockroach start --root-cert-distinguished-name. - For the
nodeuser, that the distinguished name in the certificate Subject matches the distinguished name fields passed in viacockroach start --node-cert-distinguished-name. - For all other SQL users, that the values in the Subject field of the X.509 certificate match the values attached to the user or role with
CREATE ROLE... SUBJECTorALTER ROLE... SUBJECT.

