create certs [--ca|--keys] [--added] cluster_name
The command creates all certificate authorities (CAs), keys, and certificate files needed for a cluster to use TLS connections on all hosts in the site.
The --ca
option
limits the command to only create the CA key and certificate
The --keys
option
limits the command to only create the keys and certificates for
all nodes.
The --added
option
limits the command to only create CAs and API certificates for
recently added hosts and nodes. A CA and key must be present on
at least one host in the site for the
--added
option to work.
The host with the client connection runs
ndb_sign_keys
to create the CA in the cluster's default certificate directory,
<mcm_data>/clusters/<cluster_name>/certs
,
and the CA is distributed over the site. To allow secure CA
distribution across the MCM site, the mcmd
agent connections must be encrypted (see
Section 4.10, “Using Encrypted Connections for MySQL Cluster Manager Agents and Clients” for
details).
Certificates are created for every host using the available CA. The CA and certificates are created using the default CA and certificate file names defined on the NDB Cluster. The certificates are created in two locations:
An agent, and any NDB tools that it spawns, uses an API certificate from the cluster's default certificate directory, which must be present on all hosts in the site.
A cluster process uses the certificate from the process as specified by the ndb_mgm
--ndb-tls-search-path
option.
The command creates both sets of certificates—the API certificate in the cluster's default certificate folder, and a single certificate/key pair for each process in the process' certificate directories. If multiple processes use the same certificate type and share the same certificate directory on the same file system, only a single instance of the certificate will be created. Creation of subsequent certificates of the same type at the same location is skipped.
The command fails if any of the following conditions is true:
A CA already exists when creating the CA.
A certificate already exists when creating the certificate.
All hosts are not present.
Limitations: The following limitations apply for the command:
If multiple hosts share the same network-mounted certificate directory, the certificates embedded hostnames may be incorrect.
No actions are taken on the certificate folders or certificate files created by the command on
delete cluster --removedirs
.