Managing SSL certificates

Data encryption with Secure Sockets Layer (SSL) authentication uses Couchbase self-signed certificates.

Description

Retrieve an SSL certificate for XDCR data encryption in a secure manner, such as with ssh and scp. For example:

  1. Use a secure method to log in to a node on the destination cluster. For example: ssh.
  2. Retrieve the certificate with the couchbase-cli ssl-manage command.
  3. Use a secure method to transfer the certificate from the destination cluster to the source cluster. For example: scp.
  4. Proceed with setting up XDCR with SSL data encryption.
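
One way to confirm, after step 3, that the file on the source cluster still holds the certificate retrieved in step 2. This is an added example, not part of the Couchbase documentation; the function names and sample file contents are constructed for illustration, and it assumes the GNU coreutils base64 and sha256sum tools.

```shell
#!/bin/sh
# Added example: check that a transferred PEM file still holds the certificate
# that was retrieved, by comparing SHA-256 fingerprints.

# pem_fingerprint FILE: print the lowercase hex SHA-256 of the DER bytes of the
# first certificate in FILE. Fails if no decodable certificate block is found.
pem_fingerprint() {
    b64=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" 2>/dev/null |
        sed '/-----END CERTIFICATE-----/q' | grep -v -- '-----' | tr -d ' \t\r\n')
    [ -n "$b64" ] || return 1
    printf '%s' "$b64" | base64 -d >/dev/null 2>&1 || return 1
    printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
}

# same_certificate A B: returns 0 if both files hold the same certificate,
# 1 if they differ, 2 if either file has no readable certificate.
same_certificate() {
    fp_a=$(pem_fingerprint "$1") || return 2
    fp_b=$(pem_fingerprint "$2") || return 2
    [ "$fp_a" = "$fp_b" ]
}

# write_sample_pem FILE TEXT: constructed stand-in for a certificate file.
# TEXT is placeholder data in PEM framing, not a real certificate.
write_sample_pem() {
    {
        echo '-----BEGIN CERTIFICATE-----'
        printf '%s' "$2" | base64
        echo '-----END CERTIFICATE-----'
    } > "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    write_sample_pem "$dir/newCert.pem" 'constructed sample certificate bytes'
    # A copy that picked up CRLF line endings in transit: same certificate.
    awk '{printf "%s\r\n", $0}' "$dir/newCert.pem" > "$dir/copy.pem"
    # A copy whose contents were replaced: different certificate.
    write_sample_pem "$dir/other.pem" 'constructed substitute bytes'
    same_certificate "$dir/newCert.pem" "$dir/copy.pem" && echo 'copy.pem: match'
    same_certificate "$dir/newCert.pem" "$dir/other.pem" || echo 'other.pem: MISMATCH'
    rm -rf "$dir"
}
demo
```

Comparing the decoded certificate instead of the raw file means a copy that differs only in line endings still matches, while a substituted certificate does not.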

CLI command and parameters

The couchbase-cli ssl-manage command provides the following options for regenerating and retrieving certificates.

Table 1. ssl-manage command options

Option                             Description
--retrieve-cert=[certificate]      Retrieves the self-signed certificate from the destination cluster to the source cluster. Specify a local location (full path) and file name for the PEM-encoded certificate. For example, --retrieve-cert=./newCert.pem.
--regenerate-cert=[certificate]    Regenerates a self-signed certificate on the destination cluster. Specify the full path for the location of the PEM-encoded certificate file. For example, --regenerate-cert=./newRegen.pem.

Syntax

To retrieve an existing self-signed certificate, use the couchbase-cli ssl-manage command with the --retrieve-cert option.

couchbase-cli ssl-manage -c [localHost]:[port] \
  -u [Administrator] -p [password] \
  --retrieve-cert=./[new-certificate]

To regenerate a self-signed certificate, use the couchbase-cli ssl-manage command with the --regenerate-cert option.

couchbase-cli ssl-manage \
  -c [remoteHost]:[port] \
  -u [Administrator] -p [password] \
  --regenerate-cert=[certificate]

Example

The following example retrieves an existing self-signed certificate:

couchbase-cli ssl-manage -c 10.3.4.187:8091 \
  -u Administrator -p password \
  --retrieve-cert=./newCert.pem

The following example regenerates a self-signed certificate:

couchbase-cli ssl-manage \
  -c 10.3.4.187:8091 \
  -u Administrator -p password \
  --regenerate-cert=./newRegen.pem

Response

The following is an example of results for a successful retrieval of the certificate:

SUCCESS: retrieve certificate to './newCert.pem' 
Certificate matches what seen on GUI 

The following is an example of results for a successful regeneration of the certificate:

SUCCESS: regenerate certificate to './newRegen.pem'