Create a CA in the CA directory:
$> ndb_sign_keys --create-CA --to-dir=CA
Mode of operation: create CA.
This utility will create a cluster CA private key and a public key certificate.
You will be prompted to supply a pass phrase to protect the
cluster private key. This security of the cluster depends on this.
Only the database administrator responsible for this cluster should
have the pass phrase. Knowing the pass phrase would allow an attacker
to gain full access to the database.
The passphrase must be at least 4 characters in length.
Creating CA key file NDB-Cluster-private-key in directory CA.
Enter PEM pass phrase: Verifying - Enter PEM pass phrase:
Creating CA certificate NDB-Cluster-cert in directory CA.
$> ls -l CA
total 8
-rw-r--r-- 1 mysql mysql 1082 Dec 19 07:32 NDB-Cluster-cert
-r-------- 1 mysql mysql 1854 Dec 19 07:32 NDB-Cluster-private-key
Next, create keys for all nodes on this host using the
--create-key
option, like
this:
$> ndb_sign_keys --ndb-tls-search-path='CA' --create-key -c localhost:1186 --to-dir=keys
Mode of operation: create active keys and certificates.
Enter PEM pass phrase:
Creating active private key in directory keys.
Creating active certificate in directory keys.
Creating active private key in directory keys.
Creating active certificate in directory keys.
Creating active private key in directory keys.
Creating active certificate in directory keys.
Read 5 nodes from custer configuration.
Found 5 nodes configured to run on this host.
Created 3 keys and 3 certificates.
$>
--create-key
causes
ndb_sign_keys to connect to the management
server, read the cluster configuration, and then create a full
set of keys and certificates for all NDB nodes configured to run
on the local host. The cluster management server must be running
for this to work. If the management server is not running,
ndb_sign_keys can read the cluster configuration file directly
using the --config-file
option. ndb_sign_keys can also create a
single key-certificate pair for a single node type using
--no-config
to ignore the
cluster configuration and
--node-type
to specify the
node type (one of mgmd
,
db
, or api
). In addition,
you must either specify a hostname for the certificate with
--bound-hostname=
,
or disable hostname binding by supplying
host_name
--bind-host=0
.
Key signing by a remote host is accomplished by connecting to the CA host using ssh.