Documentation Home
MySQL Cluster Manager 9.0 User Manual
Related Documentation Download this Manual
PDF (US Ltr) - 1.3Mb
PDF (A4) - 1.3Mb


5.7.1 The create certs Command

create certs [--ca|--keys] [--added] cluster_name

The command creates all certificate authorities (CAs), keys, and certificate files needed for a cluster to use TLS connections on all hosts in the site.

The --ca option limits the command to only create the CA key and certificate

The --keys option limits the command to only create the keys and certificates for all nodes.

The --added option limits the command to only create CAs and API certificates for recently added hosts and nodes. A CA and key must be present on at least one host in the site for the --added option to work.

The host with the client connection runs ndb_sign_keys to create the CA in the cluster's default certificate directory, <mcm_data>/clusters/<cluster_name>/certs, and the CA is distributed over the site. To allow secure CA distribution across the MCM site, the mcmd agent connections must be encrypted (see Section 4.10, “Using Encrypted Connections for MySQL Cluster Manager Agents and Clients” for details).

Certificates are created for every host using the available CA. The CA and certificates are created using the default CA and certificate file names defined on the NDB Cluster. The certificates are created in two locations:

  • An agent, and any NDB tools that it spawns, uses an API certificate from the cluster's default certificate directory, which must be present on all hosts in the site.

  • A cluster process uses the certificate from the process as specified by the ndb_mgm --ndb-tls-search-path option.

The command creates both sets of certificates—the API certificate in the cluster's default certificate folder, and a single certificate/key pair for each process in the process' certificate directories. If multiple processes use the same certificate type and share the same certificate directory on the same file system, only a single instance of the certificate will be created. Creation of subsequent certificates of the same type at the same location is skipped.

The command fails if any of the following conditions is true:

  • A CA already exists when creating the CA.

  • A certificate already exists when creating the certificate.

  • All hosts are not present.

Limitations: The following limitations apply for the command:

  • If multiple hosts share the same network-mounted certificate directory, the certificates embedded hostnames may be incorrect.

  • No actions are taken on the certificate folders or certificate files created by the command on delete cluster --removedirs.