Differences between revisions 9 and 10
Revision 9 as of 2017-12-24 17:20:44
Size: 2076
Comment:
Revision 10 as of 2017-12-24 17:22:23
Size: 2314
Comment:
Line 3: Line 3:

{{{#!highlight bash
#!/bin/sh
if [ ! -e /etc/ssl/glusterfs ]
then
        mkdir -p /etc/ssl/glusterfs
fi

cd /etc/ssl/glusterfs

# create the server keys
openssl genrsa -out gluster01.key 2048
openssl genrsa -out gluster02.key 2048
openssl genrsa -out gluster03.key 2048
openssl genrsa -out gluster04.key 2048

# sign the server certificates
openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
openssl req -new -x509 -key gluster02.key -subj "/CN=gluster02" -out gluster02.pem
openssl req -new -x509 -key gluster03.key -subj "/CN=gluster03" -out gluster03.pem
openssl req -new -x509 -key gluster04.key -subj "/CN=gluster04" -out gluster04.pem

# create the client keys
openssl genrsa -out glusterclient01.key 2048

# sign the client certificates
openssl req -new -x509 -key glusterclient01.key -subj "/CN=glusterclient01" -out glusterclient01.pem

# server certificates authorities
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem www01.pem www02.pem > glusterfs.ca
# client certificates authorities
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca
}}}
Line 38: Line 4:
Keep your keys safe. I personally generate my keys on a special server which is only powered up when i need to make a new key or sign a certificate. Otherwise that system is always powered down. This way i can be sure that my keys are safe.
Line 63: Line 30:

{{{#!highlight bash
#!/bin/sh
if [ ! -e /etc/ssl/glusterfs ]
then
        mkdir -p /etc/ssl/glusterfs
fi

cd /etc/ssl/glusterfs

# create the server keys
openssl genrsa -out gluster01.key 2048
openssl genrsa -out gluster02.key 2048
openssl genrsa -out gluster03.key 2048
openssl genrsa -out gluster04.key 2048
# sign the server certificates
openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
openssl req -new -x509 -key gluster02.key -subj "/CN=gluster02" -out gluster02.pem
openssl req -new -x509 -key gluster03.key -subj "/CN=gluster03" -out gluster03.pem
openssl req -new -x509 -key gluster04.key -subj "/CN=gluster04" -out gluster04.pem

# create the client keys
openssl genrsa -out glusterclient01.key 2048

# sign the client certificates
openssl req -new -x509 -key glusterclient01.key -subj "/CN=glusterclient01" -out glusterclient01.pem

# server certificates authorities
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem www01.pem www02.pem > glusterfs.ca
# client certificates authorities
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca
}}}
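Review bot: `cd /etc/ssl/glusterfs` is unchecked and the script runs under `#!/bin/sh` without `set -e`, so if the cd fails every following `openssl` call writes keys and certificates into whatever the caller's working directory happens to be; change it to `cd /etc/ssl/glusterfs || exit 1` (or add `set -e` after the shebang). The `openssl req -new -x509` invocations pass no `-days`, so each certificate gets openssl's default validity of 30 days and the cluster's TLS stops working a month after setup; add `-days 365` (or whatever the site policy is) to each. The final `cat` for glusterfs.ca reads www01.pem and www02.pem, which nothing in this script creates, so on a fresh machine cat reports an error and leaves a bundle without those entries; a comment stating they must be pre-staged, or an existence check before the cat, would make that visible. A `umask 077` before the genrsa calls would keep the private keys from being world-readable on OpenSSL builds that do not tighten the file mode themselves. The same points apply to the earlier copy of this script in the first section of this diff.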

GlusterFS Encryption

Keys

Keep your keys safe. I personally generate my keys on a special server that is only powered up when I need to make a new key or sign a certificate. Otherwise that system is always powered down. This way I can be sure that my keys are safe.

On each of the GlusterFS servers and clients, run:

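# Create the key directory (harmless if it already exists) and stop if it
# cannot be entered, so the key is never written into an unexpected directory.
mkdir -p /etc/ssl/glusterfs
cd /etc/ssl/glusterfs || exit 1
# The umask runs in a subshell: the private key is created owner-readable
# only (0600) without changing the umask of the interactive shell.
(umask 077 && openssl genrsa -out glusterfs.key 2048)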

Certificates

Now sign certificates using those keys. Replace the CN so that it matches the host for which you are signing the certificate.

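# -days is given explicitly: without it openssl signs for only 30 days.
# Set the CN to the host this certificate is for (gluster01 in this example).
openssl req -new -x509 -days 365 -key glusterfs.key -subj "/CN=gluster01" -out glusterfs.pem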

Compile

Compile all the certificates into one large file:

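# Fetch each host's certificate. The file created on every host by the
# signing step above is glusterfs.pem; it is stored locally as <host>.pem.
for host in gluster01 gluster02 gluster03 gluster04 glusterclient01; do
  scp "$host:/etc/ssl/glusterfs/glusterfs.pem" "$host.pem" || exit 1
done
# glusterfs.ca is installed on the servers. As in the full script below, it
# lists the client certificate as well as the server certificates.
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem > glusterfs.ca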

   1 #!/bin/sh
   2 if [ ! -e /etc/ssl/glusterfs ]
   3 then
   4         mkdir -p /etc/ssl/glusterfs
   5 fi
   6 
   7 cd /etc/ssl/glusterfs
   8 
   9 # create the server keys
  10 openssl genrsa -out gluster01.key 2048
  11 openssl genrsa -out gluster02.key 2048
  12 openssl genrsa -out gluster03.key 2048
  13 openssl genrsa -out gluster04.key 2048
  14 # sign the server certificates
  15 openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
  16 openssl req -new -x509 -key gluster02.key -subj "/CN=gluster02" -out gluster02.pem
  17 openssl req -new -x509 -key gluster03.key -subj "/CN=gluster03" -out gluster03.pem
  18 openssl req -new -x509 -key gluster04.key -subj "/CN=gluster04" -out gluster04.pem
  19 
  20 # create the client keys
  21 openssl genrsa -out glusterclient01.key 2048
  22 
  23 # sign the client certificates
  24 openssl req -new -x509 -key glusterclient01.key -subj "/CN=glusterclient01" -out glusterclient01.pem
  25 
  26 # server certificates authorities
  27 cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem www01.pem www02.pem > glusterfs.ca
  28 # client certificates authorities
  29 cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca
