Configure Client Certificates

Couchbase Server supports client-authentication by means of X.509 certificates.

Couchbase Client Authentication

Couchbase clients can authenticate by means of X.509 certificates. This page provides step-by-step instructions for the creation of client certificates for:

Couchbase Server. The certificate can be used by a Couchbase Server-cluster that wishes to secure its connection to another Couchbase Server-cluster. This certificate might be used by a source cluster that wishes to perform Cross Data Center Replication securely, to a destination cluster.
Java Applications. A Java application based on the Couchbase SDK can obtain its client certificate from a Java keystore, and so authenticate with Couchbase Server securely.

For a list of Couchbase-Server ports that provide secure connectivity to clients, see Connectivity.

Configure Client Certificates for Couchbase Server

The section contains two procedures for the creation of a client certificate and key, whereby authentication with Couchbase Server can be performed:

Client Access: Root-Certificate Authorization shows how to create a client certificate that is authorized by a cluster’s root certificate. The procedure for creating a root certificate (and, based on the root certificate, the cluster’s individual per node certificates), is provided in Cluster Protection with Root and Node Certificates. The instructions on the current page assume that that procedure has already been followed: therefore, they duly make use of the previously created directory structure and files.

Note that in Couchbase Server Version 7.1 and later, multiple root certificates can be uploaded into the cluster, some potentially to be used for client authentication only; and therefore not to be used for the signing of node certificates. Therefore, a client no longer needs to base its authority on a CA that is being used to protect the server: however, the CA it uses must be recognizable to the cluster; and as such, must be a root certificate uploaded into the cluster’s trust store. For an overview, see Using Multiple Root Certificaes.
Client Access: Intermediate-Certificate Authorization shows how to create a client certificate that is authorized by an intermediate certificate; which derives its own authority from a root certificate; and which is used instead of the root for the signing of the client certificate. The procedure for creating a root, server-intermediate and per node certificates is provided in Cluster Protection with Root, Intermediate, and Node Certificates. The instructions on the current page assume that that procedure has already been followed: therefore, they duly make use of the previously created directory structure and files.

Both procedures additionally assume that the instance of Couchbase Server to be accessed by the client:

Contains the sample bucket travel-sample: this is the bucket whose contents the client wishes to read and write. For information on sample buckets and how to install them, see Sample Buckets.
Has a defined, locally authenticated user named clientuser, who has been assigned a role that permits reading and writing to the travel-sample bucket. For information on creating users and roles, see Manage Users and Roles.
Has client-certificate handling configured as either enabled or mandatory. For details, see Enable Client-Certificate Handling.

Note that additional information on file-types can be found in the procedures for server-certificate generation; in Configure Server Certificates.

Client Access: Root-Certificate Authorization

Proceed as follows:

Within the top-level directory created in Cluster Protection with Root and Node Certificates, create and access a new working directory.
```
cd servercertfiles
mkdir clientcertfiles
cd clientcertfiles
```
Create an extensions file for the use of all clients.
```
cat > client.ext <<EOF
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
EOF
```
This specifies a value of FALSE for CA, indicating that the client certificate will not have the ability to act as an authority for other certificates. Its extendedKeyUsage is specified as clientAuth, indicating that the certificate will be used for authenticating a client. It keyUsage is specified as digitalSignature, indicating that its public key is usable for data-origin authentication.

This extensions file thus contains definitions judged appropriate for all clients. Further constraints can be added for individual clients, as necessary.
Create a client private key.
```
openssl genrsa -out ./travel-sample.key 2048
```
This creates the private key travel-sample.key.
Generate the client-certificate signing-request.
```
openssl req -new -key ./travel-sample.key -out ./travel-sample.csr -subj "/CN=clientuser"
```
The client’s private key, travel-sample.key is provided as input for the signing request. The Common Name provided as Subject for the certificate is specified as clientuser, which is the name of the server-defined user to be authenticated by the client. The output request-file, travel-sample.csr is saved in the current directory.
Optionally, customize a client extensions file, to identify a username to be authenticated.

As described in Specifying Usernames for Client-Certificate Authentication, a client certificate should contain a username, against which authentication can be performed on Couchbase Server. The server’s default handling assumes that the Subject Common Name specifies the username. However, a Subject Alternative Name might be used; either in addition, or as an alternative.

The following subjectAltName statement allows an email address to be specified as the basis for the username.
```
cp ./client.ext ./client.ext.tmp

echo "subjectAltName = email:john.smith@mail.com" \
>> ./client.ext.tmp
```
If Couchbase Server is configured to search for an email address to be used as a username (as described in Specifying Usernames for Client-Certificate Authentication and Enable Client-Certificate Handling), the user john.smith will be submitted for authentication.

If this extension is not added, and Couchbase Server client-certificate handling is left at its default, the Common Name (which was specified as clientuser, when the client-certificate signing-request was generated) will continue to be used as the username.
Create the client certificate. In this example, the customized extensions file, client.ext.tmp, is used. However, if no email address or other Subject Alternative Name has been added, the generic client-extensions file, client.ext, can be used instead.
```
openssl x509 -CA ../ca.pem -CAkey ../ca.key \
-CAcreateserial -days 365 -req -in ./travel-sample.csr \
-out ./travel-sample.pem -extfile ./client.ext.tmp
```
The root certificate for the cluster, and its corresponding private key, ca.pem and ca.key are specified as inputs for certificate generation, so establishing the root certificate’s authority, within the client certificate. The output file, travel-sample.pem, is the client certificate, and is saved in clientcertfiles.

The confirmatory output is as follows:
```
Signature ok
subject=/CN=clientuser
Getting CA Private Key
```
This concludes the process. The client can now use travel-sample.pem to authenticate itself as having the authority of ca.pem (which is shared by the server it intends to access); and provides the username of clientuser (which the server associates with a role appropriate for access to the travel-sample bucket). The client key, travel-sample.key, can be used for digital signing.

A possible use case for the client certificate thus generated is described below, in Using Client and Server Certificates for Secure XDCR.

Client Access: Intermediate-Certificate Authorization

The following procedure demonstrates how an intermediate certificate, with the authority of the root certificate, can be created in order itself to sign client certificates. The procedure assumes that the server-equivalent procedure described in Cluster Protection with Root, Intermediate, and Node Certificates has already been followed; and that the resulting directory-structure is still available.

Proceed as follows:

Access the servercertfiles2/root directory, created in Cluster Protection with Root, Intermediate, and Node Certificates.
```
cd servercertfiles2/root
```
Create an encrypted private key and a certificate signing request, for an intermediate certificate that is to be used for signing client certificates.
```
openssl req -new -sha256 -newkey rsa:2048 -keyout ../clients/int.key \
-out reqs/client-signing.csr \
-subj '/C=UA/O=MyCompany/OU=People/CN=ClientSigningCA'
```
Since this specifies that an encrypted private key be created, prompts appear requesting entry of an appropriate pass phrase. Enter an appropriate phrase against the prompts.

This new private key is named ../clients/int.key. The signing-request file is saved as reqs/client-signing.csr.
Create the intermediate certificate to be used for client-certificate signing.
```
openssl x509 -CA ca.pem -CAkey ca.key -CAcreateserial -CAserial serial.srl \
-days 3650 -req -in reqs/client-signing.csr -out issued/client-signing.pem \
-extfile int.ext
```
The root certificate and key for the cluster, ca.pem and ca.key, are specified as the authority for the intermediate certificate. Since ca.key is an encrypted key, a prompt appears, requesting that the appropriate pass phrase be entered: enter the appropriate phrase.

Note that the extension file used here to constrain the capabilities of the intermediate certificate is that created in Cluster Protection with Root, Intermediate, and Node Certificates.
Save the intermediate certificate as the certificate-authority for the client certificate that is to be created.
```
cp issued/client-signing.pem ../clients/int.pem
```
Within the ../clients directory, create an extension file for the client certificate:
```
cd ../clients

cat > client.ext <<EOF
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
EOF
```
The value of extendedKeyUsage is specified as clientAuth, indicating that the certificate will be used to authenticate a client. The value of keyUsage is specified as digitalSignature, indicating that the certificate may be used in the verifying of information-origin.
Create a private key for the client certificate.
```
openssl genrsa -out private/clientuser.key 2048
```
Create a certificate signing request for the client certificate.
```
openssl req -new -key private/clientuser.key -out reqs/clientuser.csr \
-subj "/C=UA/O=MyCompany/OU=People/CN=clientuser"
```
The signing request is based on the private key clientuser.key. The username associated with the certificate is specified as clientuser: this is the username to be recognized by Couchbase Server, and associated with specific roles.
Create the client certificate.
```
openssl x509 -CA int.pem -CAkey int.key -CAcreateserial -CAserial serial.srl \
-days 365 -req -in reqs/clientuser.csr \
-out issued/clientuser.pem -extfile client.ext
```
This creates the client certificate clientuser.pem, based on the signing request clientuser.csr, and signed with the authority of the intermediate certificate and key, int.pem and int.key. Since int.key is encrypted, a prompt appears, requesting entry of the appropriate pass phrase: enter the appropriate phrase against the prompt. The certificate is saved in the issued folder.
Check the validity of the client certificate. The following use of the openssl command verifies the relationship between the root certificate, the client-intermediate certificate, and the client certificate.
```
openssl verify -trusted ../root/ca.pem -untrusted int.pem \
issued/clientuser.pem
```
If the certificate is valid, the following output is displayed:
```
issued/clientuser.pem: OK
```
Concatenate the issued client certificate with the client-intermediate certificate, to establish the chain of authority.
```
cat issued/clientuser.pem int.pem > clientuser.pem
```
The result of the concatenation, clientuser.pem is the completed client certificate.

Using Client and Server Certificates for Secure XDCR

Examples of using the certificates and keys created on this page above and in Configure Server Certificates can be found in the documentation provided for securing Cross Data Center Replication, in Specify Root and Client Certificates, and Client Private Key. When securing XDCR according to these instructions, use the following files:

If the procedures explained in Cluster Protection with Root and Node Certificates and Client Access: Root-Certificate Authorization have been followed, specify:
- The remote cluster root certificate as servercertfiles/ca.pem.
- The client certificate as servercertfiles/clientcertfiles/travel-sample.pem.
- The client private key as servercertfiles/clientcertfiles/travel-sample.key.
If the procedures explained in Cluster Protection with Root, Intermediate, and Node Certificates and Client Access: Intermediate-Certificate Authorization have been followed, specify:
- The remote cluster root certificate as servercertfiles2/root/ca.pem.
- The client certificate as servercertfiles2/clients/clientuser.pem.
- The client private key as servercertfiles2/clients/private/clientuser.key.

Configure Client Certificates for Java Clients

A Java client uses a keystore to access the certificates it requires for authentication. Certificate and keystore preparation is demonstrated by the procedures in the following two sections, which are:

Java Client Access: Root-Certificate Authorization. This creates a Java-client certificate signed by the cluster’s root certificate. As such, the procedure follows on from the server-certificate creation-process documented in Cluster Protection with Root and Node Certificates; and makes use of the directories and keys created there.
Java Client Access: Intermediate-Certificate Authorization. This creates a Java-client certificate signed by the cluster’s intermediate certificate. As such, the procedure follows on from the server-certificate creation-process documented in Cluster Protection with Root, Intermediate and Node Certificates; and makes use of the directories and keys created there.

Note that the assumptions specified for the examples above likewise apply to the Java client examples below.

Java Client Access: Root-Certificate Authorization

Proceed as follows:

Access the main working directory created in Cluster Protection with Root and Node Certificates, and create and access a new working directory for the Java client certificate to be created.
```
cd servercertfiles
mkdir javaclient
cd javaclient
```
Define two environment variables: one for the name of the keystore to be created, another for its password.
```
export KEYSTORE_FILE=my.keystore
export STOREPASS=storepass
```
If necessary, install a package containing the keytool utility:
```
sudo apt install openjdk-11-jre-headless
```
Note that available packages can be found by means of sudo apt-cache search openjdk.
Generate the keystore. Note that the password you specify for the alias, by means of the --keypass flag, must be identical to the password you specify for the keystore, by means of the --storepass flag. In this case, both passwords are specified as ${STOREPASS}; which resolves to storepass.
```
keytool -genkey -keyalg RSA -alias selfsigned \
-keystore ${KEYSTORE_FILE} -storepass ${STOREPASS} -validity 360 \
-keysize 2048 -noprompt  -dname "CN=clientuser, OU=People, O=MyCompany, \
L=None, S=None, C=UA" -keypass ${STOREPASS}
```
Note that the Common Name for the certificate is specified as clientuser, which is the username established on Couchbase Server, whose role-assignment is supportive of reading and writing data to the travel-sample bucket.
Generate the certificate signing-request:
```
keytool -certreq -alias selfsigned -keyalg RSA -file my.csr \
-keystore ${KEYSTORE_FILE} -storepass ${STOREPASS} -noprompt
```
This creates the signing-request file, my.csr.

Note that in this example, although only the Common Name is being used to establish the identity of the user seeking authorization, one or more Subject Alternative Names could also be added. For example, by adding -ext "san=email:john.smith@mail.com" to the certificate signing-request used in the current step, the email-address john.smith@mail.com could be established as the basis for an alternative username to be submitted for authentication. See Specifying Usernames for Client-Certificate Authentication, for more information.
Generate the client certificate, signing it with the root private key, and thereby establishing the root certificate’s authority:
```
openssl x509 -req -in my.csr -CA ../ca.pem \
-CAkey ../ca.key -CAcreateserial -out clientcert.pem -days 365
```

Add the root certificate to the keystore:

keytool -import -trustcacerts -file ../ca.pem \
-alias root -keystore ${KEYSTORE_FILE} -storepass ${STOREPASS} -noprompt

Add the client certificate to the keystore:

keytool -import -keystore ${KEYSTORE_FILE} -file clientcert.pem \
-alias selfsigned -storepass ${STOREPASS} -noprompt

This concludes preparation of the Java client’s keystore. Copy the file (in this case, my.keystore) to a location on a local filesystem from which the Java client can access it. A sample Java program, which accesses a keystore from a local filesystem, is provided in Authenticating a Java Client by Certificate.

Java Client Access: Intermediate-Certificate Authorization

Proceed as follows:

Access the main working directory created in Cluster Protection with Root, Intermediate, and Node Certificates, and create and access a new working directory for the Java client certificate to be created.
```
cd servercertfiles2
mkdir javaclient
cd javaclient
```
Define two environment variables: one for the name of the keystore to be created, another for its password:
```
export KEYSTORE_FILE=my.keystore
export STOREPASS=storepass
```
If necessary, install a package containing the keytool utility:
```
sudo apt install openjdk-11-jre-headless
```
Generate the keystore. Note that the password you specify for the alias, by means of the --keypass flag, must be identical to the password you specify for the keystore, by means of the --storepass flag. In this case, both passwords are specified as ${STOREPASS}; which resolves to storepass.
```
keytool -genkey -keyalg RSA -alias selfsigned \
-keystore ${KEYSTORE_FILE} -storepass ${STOREPASS} -validity 360 \
-keysize 2048 -noprompt  -dname "CN=clientuser, OU=People, O=MyCompany, \
L=None, S=None, C=UA" -keypass ${STOREPASS}
```
Note that the Common Name for the certificate is specified as clientuser, which is the username established on Couchbase Server, whose role-assignment is supportive of reading and writing data to the travel-sample bucket.

Generate the certificate signing-request:

keytool -certreq -alias selfsigned -keyalg RSA -file my.csr \
-keystore ${KEYSTORE_FILE} -storepass ${STOREPASS} -noprompt

Generate the client certificate, signing it with the intermediate private key, and thereby establishing the intermediate certificate’s authority:
```
openssl x509 -req -in my.csr -CA ../servers/int.pem \
-CAkey ../servers/int.key -CAcreateserial -out clientcert.pem -days 365
```
Since the intermediate private key was encrypted, a prompt now appears, requesting entry of the pass phrase for the key:
```
Enter pass phrase for ../servers/int.key:
```
Enter the pass phrase against the prompt.

Add the root certificate to the keystore:

keytool -import -trustcacerts -file ../root/ca.pem \
-alias root -keystore ${KEYSTORE_FILE} -storepass ${STOREPASS} -noprompt

Add the intermediate certificate to the keystore:

keytool -import -trustcacerts -file ../servers/int.pem \
-alias root2 -keystore ${KEYSTORE_FILE} -storepass ${STOREPASS} -noprompt

Add the client certificate to the keystore:

keytool -import -keystore ${KEYSTORE_FILE} -file clientcert.pem \
-alias selfsigned -storepass ${STOREPASS} -noprompt

Securing Client Access with TLS

For an application to communicate securely with Couchbase Server, SSL/TLS must be enabled on the client side. Enablement requires a copy of the root certificate used by Couchbase Server: this can be accessed from the Couchbase Web Console, as described in Root Certificate.

Note that if, at some point, the root certificate gets regenerated on the server-side, a copy of the new version must be obtained, and the client re-enabled.