A newer version of this documentation is available.

View Latest

ssl-manage

Data encryption with Secure Socket Layer (SSL) authentication is used with the Couchbase Server’s self-signed certificates.

Syntax

To retrieve an existing self-signed certificate use the --retrieve-cert option.

couchbase-cli ssl-manage -c [host]:8091 -u [admin] -p [password]
  --retrieve-cert=./[new-certificate]

To regenerate a self-signed certificate use the --regenerate-cert option.

couchbase-cli ssl-manage  -c [remoteHost]:[port] -u [admin] -p [password]
  --regenerate-cert=[certificate]

Description

Retrieving an SSL certificate for XDCR data encryption, should be done in a secure manner, such as with ssh and scp. For example:

  1. Use a secure method to log in to a node on the destination cluster. For example: ssh.

  2. Retrieve the certificate with the couchbase-cli ssl-manage command.

  3. Use a secure method to transfer the certificate from the destination cluster to the source cluster. For example: scp.

  4. Proceed with setting up XDCR with SSL data encryption.

Options

The following are the command options:

Table 1. ssl-manage command options
Option Description

--retrieve-cert=[certificate]

Retrieves the self-signed certificate from the destination cluster to the source cluster. Specify a local location (full path) and file name for the pem-encoded certificate. For example, --retrieve-cert=./newCert.pem.

--regenerate-cert=[certificate]

Regenerates a self-signed certificate on the destination cluster. Specify the full path for the location of the pem-encoded certificate file. For example, --regenerate-cert=./newRegen.pem.

Examples

Retrieves an existing self-signed certificate:

couchbase-cli ssl-manage -c 10.3.4.187:8091 -u Administrator -p password \
--retrieve-cert=./newCert.pem

An example output from a successful certificate retrieval:

SUCCESS: retrieve certificate to './newCert.pem'
Certificate matches what seen on GUI

Regenerates a self-signed certificate:

couchbase-cli ssl-manage  -c 10.3.4.187:8091 -u Administrator -p password \
--regenerate-cert=./newRegen.pem

An example output from a successful certificate regeneration:

SUCCESS: regenerate certificate to './newRegen.pem'