How do I set up multiple ssl certs for inter node/droplet communications via node tls.

I am building a micro-services project that uses node’s tls for inter-service / droplet communication between the various micro services of the overall application. My issue is that I am unsure as to how the various ssl certs / keys need to be created & distributed so that any micro service within the application can communicate with any other micro service within the application using the node tls module. E.G: Do I have one private key for each micro service & distribute its public key counterpart to each of the other micro services? Can I create one ‘master’ private key & distribute this & its public key counterpart to other micro services?

From what I have learned so far I will be creating a certificate authority (CA) using openssl on one droplet/service. All other certificates will be created/signed from this CA.

Any help or suggestions would be gratefully appreciated.

Thanks in advance, Jonathan


Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

I’m not very familiar with this subject myself and only have some basic knowledge about it. Also, it all really depends on how your microservice infrastructure is set up and how connections are made. But, once you create your CA, you can use its public certificate to validate any certificates that are signed by it.

So all of your nodes would have the CA’s public certificate and their own cert/key pair. Whenever a connection is made from another service, you would validate the public certificate that you receive, make sure it really was signed by your CA and is therefore trusted, and then use it to encryption any traffic/communication with the said service. The same is done on the other end.

Hashicorp’s Vault is an interesting project that can also handle PKI.