Details
- Bug
- Resolution: Duplicate
- Major
- 3.0
- Security Level: Public
- Untriaged
- Unknown
Description
The SSL keypairs that are generated by Couchbase Server are self-signed and singular (single certificate shared across all nodes). This means that many TLS libraries will reject any attempts to use these certificates with the server (as they enforce a CommonName match for security). Couchbase Server should instead be generating a CA keypair, and then generate specific keypairs for each node which are signed by that CA. The CA certificate would be distributed to clients which would allow verification of each node's own certificate.
Note that the server should also support importing of a CA keypair to allow customers who already have their own CA to generate a CA that falls within their own certificate chain rather than relying on only the Couchbase generated, self-signed CA.
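The scheme requested above, sketched as an added example (this is not Couchbase code and not part of the original report): a CA keypair signs one certificate per node, and a client that trusts only the CA certificate verifies both the chain and the hostname. The function names `issue` and `verifyNode`, the `*.cluster.example` hostnames and the choice of Ed25519 keys are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue self-signs a CA when ca is nil, else issues a cert for host cn signed by ca.
func issue(cn string, serial int64, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca == nil, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca == nil { // CA: signs itself and is allowed to sign node certificates
		t.KeyUsage, ca, caKey = x509.KeyUsageCertSign, t, key
	} else { // node: bound to exactly one hostname through subjectAltName
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, ca, pub, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyNode is the client side: it trusts only the CA and checks the hostname.
func verifyNode(ca, node *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := node.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey, err1 := issue("Example Cluster CA", 1, nil, nil)
	node1, _, err2 := issue("node1.cluster.example", 2, ca, caKey)
	if err1 != nil || err2 != nil {
		panic(fmt.Sprint(err1, err2))
	}
	fmt.Println(verifyNode(ca, node1, "node1.cluster.example"), verifyNode(ca, node1, "node2.cluster.example"))
}
```

The first result is nil because node1's certificate chains to the CA and names the host being contacted; the second is a hostname error, which is the rejection a single certificate shared across all nodes triggers in clients that enforce name matching.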