A newer version of this documentation is available.

View Latest

Encryption On-the-Wire API

    +
    Couchbase Server APIs for self-signed and X.509 certificates manage encryption on-the-wire.

    Retrieve Node Certificate Info

    Retrieves information about a node certificate.

    GET /pools/default/certificate/node/<host:port>

    Description

    This command retrieves information about the uploaded node certificate.

    Example

    $ curl -X GET http://user:password@127.0.0.1:8091/pools/default/certificate/node/127.0.0.1:8091
          {"subject":"CN=127.0.0.1","expires":"2049-12-31T15:59:59.000Z","pem":"
          -----BEGIN CERTIFICATE-----\nMIIC+DCCAeKgAwIBAgIIFB4b2mfRLHcwCwYJKoZIhvcNAQELMCAxHjAcBgNVBAMT\
          nFUludGVtZWRpYXRlIEF1dGhvcml0eTAeFw0xMzAxMDEwMDAwMDBaFw00OTEyMzEy\
          nMzU5NTlaMBQxEjAQBgNVBAMTCTEyNy4wLjAuMTCCASIwDQYJKoZIhvcNAQEBBQAD\
          nggEPADCCAQoCggEBAOO9byay0UjHI4Q1dd4zMgGPc7FkGDaH/5PEj7PdjlnZC6zm\
          ncsjqAyAq9WzI+LAzzfZXm2Da8MwJZX/MsvEcG15CV8bK075D1G4R7B+E+OIG//Xl\
          ntKZe7J0YqsW5KwZlDHWkyJ06ylWl/6hvw3YkG7mUOKi5WWuj8NGHP24cImkaon4+\
          nf8D6t3vEWFQEwb8IMUDgzwdihXdSqdzQ3a9ECKbl2BKeEFbPrzWoIYjWF5dyrZg3\
          n4/3+SHZ+uZzlG2x6cL2lrs7WUJXseasjkSFuQQzLZPIcJlJxlwXhKvfvucbgT9rG\
          nwopcjS3SaXnmreKF3jLmQGAPHYb8X1yCTTBQVLcCAwEAAaNGMEQwDgYDVR0PAQH\
          nBAQDAgCgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDwYDVR0R\
          nBAgwBocEfwAAATALBgkqhkiG9w0BAQsDggEBAEEWcC8uJ/Zk/4UFYTrQyvds/Kj8\
          n8/SNWVIcMNLHNsxPGtbrsRa9VFjPlCEB+dPpgIFq08626zRQ2Lb1qRZGWj+YM5gC\
          nhxaERSURrvr6i8x9jwALkQUxitRkNP6cb+wi4BCn8qjgxxyZ4g+CHEO9pHceljIn\
          n/bwY+hHTG0a+8hVj/14TGExFrEzNhyeSMmGpdFq3PNT97gRuVvFAz6ZD8qAt+S0j\
          nT61oShOpwNwhWnkK3OynN2JdVT+G496/xRayDPXG40V/AkJs3udZ6QmoeifkJ8sj\
          nYgOxdPWLMnAJ7fw6l/XE7XVD/Jld+pJrFa4YqHBkWL+s20OQmuWs8dVgVQ0=\n
          -----END CERTIFICATE-----\n\n"}

    Upload and Regenerate Certificate

    Uploads a pem-encoded root certificate (cluster CA) to the cluster.

    POST /controller/uploadClusterCA

    Description

    The uploaded certificate will be displayed in the UI and used for XDCR replications and for client certificate stores.

    Examples

    curl -X POST --data-binary "@/path/root.pem" http://user:password@127.0.0.1:8091/controller/uploadClusterCA
    curl -X POST --data-binary "@./ca.pem" http://Administrator:password@127.0.0.1:8091/controller/uploadClusterCA

    Returns

    Same output as in the GET /pools/default/certificate?extended=true method.

    Setting up per node CA certificate

    curl -X POST http://Administrator:password@127.0.0.1:8091/node/controller/reloadCertificate

    Regenerating a self-signed certificate

    If you configured Couchbase to use X.509 certificates, and you want to go back to the self-signed certificates, you can do this by regenerating the self-signed cluster certificate test.pem.

    curl -X POST  http://Administrator:password@remoteHost:8091/controller/regenerateCertificate

    Return Cluster Certificate

    Returns the current cluster certificate.

    GET /pools/default/certificate

    Description

    If you include the parameter extended=true, it returns the extended certificate information:

    {"cert": {"type" : ..., "pem" : ..., "subject" : ..., "expires" : ...}, warnings: []}

    Parameters

    • type - generated or uploaded.

    • pem - pem encoded certificate.

    • subject - abbreviated certificate subject (*).

    • expires - expiration data (*).

    • warnings - warnings to be displayed in the UI.

    (*) not available for generated certificates.

    Example

    $ curl -X GET http://user:password@127.0.0.1:8091/pools/default/
            certificate?extended=true
    {"cert":{"type":"uploaded","pem":"-----BEGIN CERTIFICATE-----
              \nMIIC6DCCAdKgAwIBAgIIFB4YAjF90MgwCwYJKoZIhvcNAQELMBkxFzAVBgNVBAMT\
              nDlJvb3QgQXV0aG9yaXR5MB4XDTEzMDEwMTAwMDAwMFoXDTQ5MTIzMTIzNTk1OVow\
              nGTEXMBUGA1UEAxMOUm9vdCBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IB\
              nDwAwggEKAoIBAQDBum06stdiYQI2HQyjZeg3s0Pz8CziXqSg4GicaeKNloOfASwl\
              n+8LQDX5Dgb+Mc4ZxXYo9/7eVlsvSiZPZcv9D2pubjR4ZtEDY5t9AlXDiYTHK0zxG\
              nB34Llnz3gJmkAEAsjy4g+RfwpJS4kGVzFhrzgxOQJIJogZnLduk+mHFjyXI3X+8y\
              nf4KF8ijrXP8bbfa0kM1tjvcttaK7vTEP+G/mbOEFZErhScXT9eKRlgwsitaH7kI0\
              nimpqg3YX1znLQ5n+eLzeVR1HhszJrFaaaRHL0esml6jLEcZBBitJSuEuaMLp9ZWB\
              nA479ZHmN/vZc1SwfMrCE2+TE0ytW3O7eFXjXAgMBAAGjODA2MA4GA1UdDwEB/wQE\
              nAwIApDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MAsGCSqG\
              nSIb3DQEBCwOCAQEACReNkvIXhjPO0rWpgdVSqnLrjUb6DJf0n4Uyq6PfukeEfBtF\
              n59L+xUcoY6NFM5N6qRlGgg0eqTCVmQ6N6lKnnZRH23g3BPLjU2EqAtBHIc5f2JoM\
              nd1E4UD2v20MlFoeHL0YljGTywlqStoZYc2uYUJnJAVq2D1dWcwP2S7G6caLHMlAl\
              nQVYIZvjCGuqGckV1EqOTT7uKPH9ulljtYKVIq/aTbINjX0hJsaoN2hOfHVTp2Shq\
              neLMwgfNdg6zWRyeL/Mi/3jmSjSH61zyHva2xlY8Pl6Zurx/+pF1qN27+P8tCjsDO\
              nD2hAADXr8WRqC1Sd+xAGcFkvqOOFv/HRxDej3A==\
              n-----END CERTIFICATE-----\n",
              "subject":"CN=Root Authority","expires":"2049-12-31T15:59:59.000Z"},
              "warnings":[{"node":"n_0@127.0.0.1","message":
              "Certificate is not signed with cluster CA."}]}

    Possible warnings:

    {"node":"n_0@127.0.0.1","message":"Certificate is not signed with cluster CA."}
    {"node":"n_0@127.0.0.1","message":"Certificate is expired."}
    {"node":"n_0@127.0.0.1","message":"Certificate will expire soon.","expires":"2049-12-31T15:59:59.000Z"}

    Apply Certificate to a Node

    Takes chain.pem and pkey.pem and applies to a node.

    POST /node/controller/reloadCertificate

    Description

    This command grabs chain.pem and pkey.pem from the data folder/inbox/ directory and applies them to the node.

    Parameters

    • chain.pem - Contains a chain of pem-encoded certificates starting from the node certificate and ending with the last intermediate certificate that precedes the cluster certificate.

    • pkey.pem - Contains the pem-encoded private key for the node certificate.

    Example

    curl -X POST http://user:password@127.0.0.1:8091/node/controller/reloadCertificate

    Returns

    • 200 - If it is a success

    • 400 - An error message if it failed.