ssl-manage

Couchbase Server uses its self-signed or X.509 certificates for data encryption with Secure Socket Layer (SSL) authentication.

Syntax

To manage a certificate, use:

couchbase-cli ssl-manage -c [host]:8091 -u [admin] -p [password] [options]

Description

Retrieve an SSL certificate for XDCR data encryption in a secure manner, such as with ssh and scp. For example:

  1. Use a secure method to log in to a node on the destination cluster. For example: ssh.

  2. Retrieve the certificate with the couchbase-cli ssl-manage command.

  3. Use a secure method to transfer the certificate from the destination cluster to the source cluster. For example: scp.

  4. Proceed with setting up XDCR with SSL data encryption.
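Added example, not part of the Couchbase documentation: one way to confirm in step 3 that the .pem file arriving on the source cluster is the certificate retrieved on the destination node. It hashes the certificate's decoded bytes, so re-wrapped lines or CRLF conversion do not cause a false mismatch; the function names, script name and file paths are assumptions.

```shell
#!/bin/sh
# Added example, not Couchbase code. Function names and file paths are assumptions.

# Print the SHA-256 of the decoded (DER) bytes of the first certificate in a PEM file.
# Hashing the decoded bytes ignores line wrapping and CRLF changes made in transit.
pem_fingerprint() {
    body=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" 2>/dev/null |
        sed '/-----END CERTIFICATE-----/q' | grep -v -- '-----' | tr -d ' \r\n')
    [ -n "$body" ] || return 1          # missing file or no certificate block
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# Compare a transferred copy with the fingerprint recorded on the destination node.
# Accepts lowercase hex or the colon-separated uppercase form.
# Returns 0 on match, 1 on mismatch, 2 if the file holds no certificate.
verify_cert_copy() {
    want=$(printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f')
    actual=$(pem_fingerprint "$2") || { echo "no certificate found in $2" >&2; return 2; }
    [ "$actual" = "$want" ] || { echo "fingerprint mismatch for $2" >&2; return 1; }
}

# Usage:
#   sh cert-check.sh fingerprint ./newCert.pem          (destination node, after --retrieve-cert)
#   sh cert-check.sh verify <fingerprint> ./newCert.pem (source cluster, after scp)
case "${1:-}" in
    fingerprint) pem_fingerprint "$2" ;;
    verify)      verify_cert_copy "$2" "$3" && echo "OK: $3 matches" ;;
esac
```

Pass the fingerprint to the source cluster over a channel other than the one used for the file copy, so that a tampered copy cannot carry its own matching value.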

Options

The following are the command options:

Table 1. ssl-manage command options
Option
    Description

--cluster-cert-info
    Views the current cluster certificate. With the option --extended, views the extended cluster certificate.

--node-cert-info
    Views the current node certificate.

--retrieve-cert=[certificate]
    Retrieves a cluster certificate and saves it to a .pem file. For example, --retrieve-cert=./newCert.pem.

--regenerate-cert=[certificate]
    Regenerates a cluster certificate and saves it to a .pem file. For example, --regenerate-cert=./newRegen.pem.

--set-node-certificate
    Sets the new node certificate.

Examples

Retrieve an existing certificate:

couchbase-cli ssl-manage -c 10.3.4.187:8091 -u Administrator -p password \
       --retrieve-cert=./newCert.pem

An example output from a successful certificate retrieval:

SUCCESS: retrieve certificate to './newCert.pem'
        Certificate matches what is seen on GUI

Regenerate a certificate:

couchbase-cli ssl-manage -c 10.3.4.187:8091 -u Administrator -p password \
       --regenerate-cert=./newRegen.pem

An example output from a successful certificate regeneration:

SUCCESS: regenerate certificate to './newRegen.pem'

Download a cluster certificate and view it:

couchbase-cli ssl-manage -c 192.168.0.1:8091 \
        --retrieve-cert=/tmp/test.pem \
        -u Administrator -p password

couchbase-cli ssl-manage -c 192.168.0.1:8091 \
        --cluster-cert-info \
        -u Administrator -p password

Regenerate and download a cluster certificate:

couchbase-cli ssl-manage -c 192.168.0.1:8091 \
        --regenerate-cert=/tmp/test.pem \
        -u Administrator -p password

If you configured Couchbase to use X.509 certificates, and you want to go back to the self-signed certificates, you can do this by regenerating the self-signed cluster certificate test.pem.

View the extended cluster certificate:

couchbase-cli ssl-manage -c 192.168.0.1:8091 \
        --cluster-cert-info --extended \
        -u Administrator -p password

View the current node certificate:

couchbase-cli ssl-manage -c 192.168.0.1:8091 \
        --node-cert-info \
        -u Administrator -p password

Set the new node certificate:

couchbase-cli ssl-manage -c 192.168.0.1:8091 \
        --set-node-certificate \
        -u Administrator -p password