MySQL 8.4 Release Notes
25.6.15.2 Creating the CA and Keys
Create a CA in the CA directory:
$> ndb_sign_keys --create-CA --to-dir=CA
Mode of operation: create CA.
This utility will create a cluster CA private key and a public key certificate.
You will be prompted to supply a pass phrase to protect the
cluster private key. This security of the cluster depends on this.
Only the database administrator responsible for this cluster should
have the pass phrase. Knowing the pass phrase would allow an attacker
to gain full access to the database.
The passphrase must be at least 4 characters in length.
Creating CA key file NDB-Cluster-private-key in directory CA.
Enter PEM pass phrase: Verifying - Enter PEM pass phrase:
Creating CA certificate NDB-Cluster-cert in directory CA.
$> ls -l CA
total 8
-rw-r--r-- 1 mysql mysql 1082 Dec 19 07:32 NDB-Cluster-cert
-r-------- 1 mysql mysql 1854 Dec 19 07:32 NDB-Cluster-private-key
Next, create keys for all nodes on the local host using the --create-key option, like this:
$> ndb_sign_keys --ndb-tls-search-path='CA' --create-key -c localhost:1186 --to-dir=keys
Mode of operation: create active keys and certificates.
Enter PEM pass phrase:
Creating active private key in directory keys.
Creating active certificate in directory keys.
Creating active private key in directory keys.
Creating active certificate in directory keys.
Creating active private key in directory keys.
Creating active certificate in directory keys.
Read 5 nodes from custer configuration.
Found 5 nodes configured to run on this host.
Created 3 keys and 3 certificates.
$>
--create-key causes ndb_sign_keys to connect to the management server, read the cluster configuration, and then create a complete set of keys and certificates for all NDB nodes configured to run on the local host. The management server must be running for this to work. If the management server is not running, ndb_sign_keys can read the cluster configuration directly from the configuration file using the --config-file option. ndb_sign_keys can also ignore the cluster configuration using --no-config and specify the node type (one of mgmd, db, or api) using --node-type. In addition, you must then either specify a host name for the certificate using --bound-hostname=host_name, or disable host name binding by supplying --bind-host=0.
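As an added example (not code from the MySQL manual or the ndb_sign_keys tool itself), the following POSIX shell functions assemble the ndb_sign_keys command line for the three situations just described (running management server, configuration file, or --no-config with a node type) and check that a CA directory matches the listing shown above; the configuration file path, host name and node type are assumed sample values.

```shell
#!/bin/sh
# Added example: compose the ndb_sign_keys --create-key command line and
# verify the CA directory. ndb_sign_keys is not executed here, only assembled.

# sign_keys_cmd MODE ARG
#   online   -> read the configuration from the management server at ARG (host:port)
#   offline  -> read the configuration from the config file at ARG (--config-file)
#   noconfig -> ignore the configuration (--no-config); ARG is the node type
#               (mgmd, db or api). The certificate is bound to $BOUND_HOSTNAME,
#               or host name binding is disabled (--bind-host=0) when it is empty.
sign_keys_cmd() {
    base="ndb_sign_keys --ndb-tls-search-path=CA --create-key --to-dir=keys"
    case "$1" in
        online)  echo "$base -c $2" ;;
        offline) echo "$base --config-file=$2" ;;
        noconfig)
            if [ -n "$BOUND_HOSTNAME" ]; then
                echo "$base --no-config --node-type=$2 --bound-hostname=$BOUND_HOSTNAME"
            else
                echo "$base --no-config --node-type=$2 --bind-host=0"
            fi ;;
        *) echo "usage: sign_keys_cmd online|offline|noconfig ARG" >&2; return 2 ;;
    esac
}

# check_ca_dir DIR: the certificate and private key must both exist, and the
# private key must carry no group or other permission bits (the -r--------
# mode in the ls output above), since it protects the whole cluster.
check_ca_dir() {
    cert="$1/NDB-Cluster-cert"
    key="$1/NDB-Cluster-private-key"
    [ -f "$cert" ] || { echo "missing $cert" >&2; return 1; }
    [ -f "$key" ]  || { echo "missing $key" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback; both print the octal mode
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        ?00) return 0 ;;
        *) echo "$key has mode $mode; group/other bits must be clear" >&2; return 1 ;;
    esac
}
```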
Key signing from a remote host requires using ssh to connect to the CA host.