create certs [--ca|--keys|--renew] [--added] cluster_name
The command creates all certificate authorities (CAs), keys, and certificate files needed for a cluster to use TLS connections on all hosts in the site.
The --ca option limits the command to creating only the CA key and certificate.
The --keys option limits the command to creating only the keys and certificates for all nodes.
The --added option limits the command to creating only CAs and API certificates for recently added hosts and nodes. A CA and its key must already be present on at least one host in the site for the --added option to work.
The --renew option renews the keys and certificates for all nodes.
The host with the client connection runs ndb_sign_keys to create the CA in the cluster's default certificate directory, <mcm_data>/clusters/<cluster_name>/certs, and the CA is then distributed to the other hosts in the site over the mcmd agent connections. Because the CA is the trust anchor for every certificate in the cluster, this distribution is secure only if the mcmd agent connections are themselves encrypted (see Section 4.10, “Using Encrypted Connections for MySQL Cluster Manager Agents and Clients” for details).
Certificates are created for every host using the available CA. The CA and the certificates are created using the default CA and certificate file names defined by NDB Cluster. The certificates are created in two locations:
- An agent, and any NDB tools it spawns, use an API certificate from the cluster's default certificate directory, which must therefore be present on all hosts in the site.
- A cluster process uses the certificate from the process's own certificate directory, as specified by the ndb_mgm --ndb-tls-search-path option.
The command creates both sets of certificates: the API certificate in the cluster's default certificate directory, and a single certificate and key pair for each process in that process's certificate directory. If multiple processes use the same certificate type and share the same certificate directory on the same file system, only a single instance of that certificate is created; creation of subsequent certificates of the same type at the same location is skipped.
The command fails if any of the following conditions is true:
- A CA already exists when the command is creating the CA, unless the --renew option is used (in which case the command fails if a CA does not already exist).
- A certificate already exists when the command is creating that certificate, unless the --renew option is used (in which case the command fails if the certificate does not already exist).
- The --renew option is used together with the --added or the --ca option.
- Not all hosts in the site are present.
Limitations: The following limitations apply to the command:
- If multiple hosts share the same network-mounted certificate directory, the hostnames embedded in the certificates may be incorrect, because a certificate written by one host is also the one that the other hosts find at that location.
- delete cluster --removedirs takes no action on the certificate directories or certificate files created by this command; the key material stays on disk and must be removed separately.
- For now, only keys can be renewed. Always use the --keys option together with the --renew option.