
25.6.15.2 Creating a CA and Keys

Create a CA in the CA directory:

$> ndb_sign_keys --create-CA --to-dir=CA
Mode of operation: create CA.
This utility will create a cluster CA private key and a public key certificate.

You will be prompted to supply a pass phrase to protect the
cluster private key. This security of the cluster depends on this.

Only the database administrator responsible for this cluster should
have the pass phrase. Knowing the pass phrase would allow an attacker
to gain full access to the database.

The passphrase must be at least 4 characters in length.

Creating CA key file NDB-Cluster-private-key in directory CA.
Enter PEM pass phrase: Verifying - Enter PEM pass phrase:
Creating CA certificate NDB-Cluster-cert in directory CA.
$> ls -l CA
total 8
-rw-r--r-- 1 mysql mysql 1082 Dec 19 07:32 NDB-Cluster-cert
-r-------- 1 mysql mysql 1854 Dec 19 07:32 NDB-Cluster-private-key

Next, use the --create-key option to create keys for all nodes on this host, as shown here:

$> ndb_sign_keys --ndb-tls-search-path='CA' --create-key -c localhost:1186 --to-dir=keys 
Mode of operation: create active keys and certificates.
Enter PEM pass phrase:
Creating active private key in directory keys.
Creating active certificate in directory keys.
Creating active private key in directory keys.
Creating active certificate in directory keys.
Creating active private key in directory keys.
Creating active certificate in directory keys.
Read 5 nodes from custer configuration.
Found 5 nodes configured to run on this host.
Created 3 keys and 3 certificates.
$>

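--create-key causes ndb_sign_keys to connect to the management server, read the cluster configuration, and then create a complete set of keys and certificates for all NDB nodes on the local host. The cluster management server must be running for this to work. If the management server is not running, ndb_sign_keys can read the cluster configuration file directly using the --config-file option. ndb_sign_keys can also use --no-config to ignore the cluster configuration together with --node-type to specify the node type (one of mgmd, db, or api). In addition, you must either specify a hostname for the certificate using --bound-hostname=host_name, or disable hostname binding using --bind-host=0.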

Key signing for remote hosts is accomplished by connecting to the CA host using ssh.
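
The listing above shows NDB-Cluster-private-key readable only by its owner and protected by a pass phrase. The following added example (not from the MySQL manual) is a shell check that a CA or keys directory still meets both conditions. It assumes that private key files contain private-key in their names and that an encrypted PEM key has ENCRYPTED in its first header lines; the sample directories are constructed.

```shell
#!/bin/sh
# Added example, not part of the manual. Assumptions: private key files have
# "private-key" in their name (as NDB-Cluster-private-key does), and a
# pass-phrase-protected PEM key has ENCRYPTED in its first header lines.

# Audit directory $1; print one finding per line, return 0 only if clean.
audit_key_dir() {
    dir=$1
    findings=0
    for f in "$dir"/*private-key*; do
        [ -f "$f" ] || continue
        # Columns 5-10 of the ls -l mode string are the group/other bits.
        bits=$(ls -ld "$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "PERM  $f: group/other access ($bits)"
            findings=$((findings + 1))
        fi
    done
    # The CA key must also be pass-phrase protected, as the tool's prompt says.
    ca_key="$dir/NDB-Cluster-private-key"
    if [ -f "$ca_key" ] && ! head -n 3 "$ca_key" | grep -q ENCRYPTED; then
        echo "PLAIN $ca_key: no pass phrase protection"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample data: one CA directory as in the listing, one bad copy.
make_sample() {
    root=$(mktemp -d)
    mkdir "$root/good" "$root/bad"
    echo 'constructed certificate' > "$root/good/NDB-Cluster-cert"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
        > "$root/good/NDB-Cluster-private-key"
    chmod 644 "$root/good/NDB-Cluster-cert"
    chmod 400 "$root/good/NDB-Cluster-private-key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
        > "$root/bad/NDB-Cluster-private-key"
    chmod 644 "$root/bad/NDB-Cluster-private-key"
    echo "$root"
}

sample=$(make_sample)
audit_key_dir "$sample/good" && echo "good: clean"
audit_key_dir "$sample/bad" || echo "bad: findings listed above"
```

To audit real directories, call audit_key_dir CA and audit_key_dir keys in place of the three sample lines at the end.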