Setting up TLS
All evitaDB APIs support the secure layer (HTTPS). The gRPC is completely based on the HTTP/2 protocol, which is binary and requires encryption. Because of this fact, all evitaDB external APIs work by default on secure protocol to keep the security uniform.
Used terms
- certificate authority
- the certificate authority is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. source
- certificate
- the certificate is an electronic document used to prove the validity of a public key, and it contains a public key along with a lot of additional information source
- private key
- the private key is a classified part of the public/private key pair - it must never leave the secured perimeter. An entity that proves itself with a private key is considered authentic - a private key is similar to an ID card see more
- public key
- the public key is the second part public/private key pair - it may be freely distributed and its ownership does not entitle to anything, it only serves to prove the authenticity of the private key see more
Creating a certificate
It is possible to divide certificates into two groups according to the certificate signature:
- Certificates signed by a publicly trusted root certificate authority
- Certificates signed by a private certification authority
Publicly trusted certificate authority
Self-signed certificate authority
Creating certificate authority
After running the commands in steps 1 and 2, you must enter a password - if you want an unencrypted certificate without a password, specify the `-nodes' parameter in the command.
Argument | Description |
---|---|
-x509 | produces a x509 certificate - according to a standard that defines the format of digital certificates used in SSL/TLS connections |
-newkey cipher:bits | determines the used cipher and its complexity,
you can list all supported ciphers by command openssl ciphers |
-days | determines the number of days the certificate is valid, when this period expires the certificate is considered invalid and the server and client will refuse to work with it |
-keyout | file name where private keyToggle Term Reference is stored |
-out | file name where certificateToggle Term Reference with public key is stored |
Certificate signing request
Now you are ready for the final step.
Issue signed certificate
You can repeat this command multiple times to generate different certificates both for server side and for each of the clients.
Do not use the same signed certificate for the server and the client! Do not use the same certificate for different clients! Each entity in the communication must be represented (identified) by a different certificate.
If you follow these recommendations, you'll be able to control the rejection of each client separately. If you issue a certificate for a third party client and your contract with them ends, you can easily delete their certificate from the list of allowed client certificates and effectively stop communicating with their client application.
Both the server and the client can be provided with:
- certificate in the format .crt, .cer or .pem
- private key in the format .key or .pem
Argument | Description |
---|---|
-CA | identifies the public part of the certificate authorityToggle Term Reference |
-CAkey | identifies the private keyToggle Term Reference of the certificate authorityToggle Term Reference |
-in | identifies the signing request controlling the operation |
-days | determines the number of days the certificate is valid, when this period expires the certificate is considered invalid and the server and client will refuse to work with it |
-extfile | identifies the file with the domain description |
-out | file name where the generated certificateToggle Term Reference with public key is stored |
Mutual TLS
Examples of attacks prevented:
Default mTLS behaviour (not-secure)
- server certificateToggle Term Reference in server.crt and its private keyToggle Term Reference in server.key files
- client certificateToggle Term Reference in client.crt and its private keyToggle Term Reference in client.key files
When the gRPC client starts and has the following settings (all are defaults):
- useGeneratedCertificate: true
- mtlsEnabled: true
The fingerprint is written to the console output when the server starts - it looks like this:
Recommended mTLS usage (secure)
Yes, you can change the server certificate and valid client certificates without restarting the server. The server periodically checks the timestamps of the last changes to the server certificate and the list of paths configured for client certificates. If either of these files change, the server automatically reloads the new configuration. This allows you to change the server certificate and client certificates without stopping the server.