Related

Marketplace Node.js on DigitalOcean Marketplace
ERR_CONNECTION_TIMED_OUT in node.js Using Centos 7 Question Question
Can not run my nodejs project Helloworld on Centos 7 Question Question

Question

How do I set up multiple ssl certs for inter node/droplet communications via node tls.

Posted September 7, 2017 1.5k views
CentOSNode.js

I am building a micro-services project that uses node’s tls for inter-service / droplet communication between the various micro services of the overall application. My issue is that I am unsure as to how the various ssl certs / keys need to be created & distributed so that any micro service within the application can communicate with any other micro service within the application using the node tls module.
E.G:
Do I have one private key for each micro service & distribute its public key counterpart to each of the other micro services?
Can I create one ‘master’ private key & distribute this & its public key counterpart to other micro services?

From what I have learned so far I will be creating a certificate authority (CA) using openssl on one droplet/service. All other certificates will be created/signed from this CA.

Any help or suggestions would be gratefully appreciated.

Thanks in advance, Jonathan

Add a comment
Dabnis
By:
Dabnis
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
1 answer
kamaln7 September 8, 2017

I’m not very familiar with this subject myself and only have some basic knowledge about it. Also, it all really depends on how your microservice infrastructure is set up and how connections are made. But, once you create your CA, you can use its public certificate to validate any certificates that are signed by it.

So all of your nodes would have the CA’s public certificate and their own cert/key pair. Whenever a connection is made from another service, you would validate the public certificate that you receive, make sure it really was signed by your CA and is therefore trusted, and then use it to encryption any traffic/communication with the said service. The same is done on the other end.

Hashicorp’s Vault is an interesting project that can also handle PKI.

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help