Certificate Management

Certificate Management allows you to manage a set of SSL certificates and keys that can be provisioned on your clusters. With this feature you can create Certificate Authority (CA) and/or self-signed certificates and keys. These can then be enabled and disabled for MySQL and PostgreSQL client-server connections using the SSL encryption feature. You can access it by going to ClusterControl GUI → Settings → Certificate management. This brings up a tab where you can view and manage certificates.

By default, the generated keys and certificates will be created under the default repository at /var/lib/cmon/ca.

Field Description
Create Folder
  • Create a new directory under the default repository.
Refresh
  • Refresh the certificate and directory list.
More...
  • Generate Client/Server Certificate.
  • Generate Self-signed Certificate.
  • Import certificate.

Generate Self-signed Certificate

Generate a self-signed Certificate Authority and key. You can use this Certificate Authority (CA) to sign your client and server certificates.

Field Description
Path
  • Certification repository path. To change the path, click on the file browser left-side menu. Default value is /var/lib/cmon/ca.
Certificate Authority and Key Name
  • Enter a name without an extension. For example MyCA, ca-cert.
Description
  • Enter a description for the certificate authority.
Country
  • Choose a country name from the dropdown menu.
State
  • State or province name.
Locality
  • City name.
Organization
  • Organization name.
Organization unit
  • Unit or department name.
Common name
  • Specify server fully-qualified domain name (FQDN) or your name.
  • Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and the key files will not work for the servers compiled using OpenSSL.
Email
  • Email address.
Key length (bits)
  • The key length in bits. 2048 and higher is recommended. The larger the public and private key length, the harder it is to crack.
Expiration Date (days)
  • Certificate expiration in days.
Generate
  • Generate certificate and key.
Reset
  • Reset the form.

Generate Client/Server Certificate

Sign with an existing CA or generate a self-signed certificate. ClusterControl generates certificates and keys depending on the type, server or client. The generated server’s key and certificate can then be used by the Enable SSL Encryption feature.

Field Description
Certificate Authority
  • Select an existing CA (by clicking on any existing CA on the left-hand side menu) or leave it empty to generate a self-signed certificate.
Type
  • Server – Generate a certificate for server usage.
  • Client – Generate a certificate for client usage.
Certificate and Key Name
  • Enter the certificate and key name. The same name will be used by ClusterControl to generate certificates and keys. For example, if you specify the name as Severalnines, ClusterControl will generate severalnines.key and severalnines.crt respectively.
Description
  • Enter a description for the certificate authority.
Country
  • Choose a country name from the dropdown menu.
State
  • State or province name.
Locality
  • City name.
Organization
  • Organization name.
Organization unit
  • Unit or department name.
Common name
  • Specify server fully-qualified domain name (FQDN) or your name.
  • Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and the key files will not work for the servers compiled using OpenSSL.
Email
  • Email address.
Key length (bits)
  • The key length in bits. 2048 and higher is recommended. The larger the public and private key length, the harder it is to crack.
Expiration Date (days)
  • Certificate expiration in days.
Generate
  • Generate certificate and key.
Reset
  • Reset the form.

Import

Import keys and certificates into ClusterControl’s certificate repository. The imported keys and certificates can then be used to enable SSL encryption for server-client connection, replication, or backup at a later stage. Before you perform the import, bear in mind the following:

  1. Upload your certificate and key to a directory in the ClusterControl Controller host
  2. Uncheck the Self-signed Certificate checkbox if the certificate is not self-signed
  3. You need to also provide a CA certificate if the certificate is not self-signed
  4. Duplicate certificates will not be created

Field Description
Destination Path
  • Where you want the certificate to be imported to. Click on the file explorer window on the left to change the path.
Save As
  • Certificate name.
Certificate File
  • Absolute path to the certificate file. For example: /home/user/ssl/file.crt.
Private Key File
  • Absolute path to the key file. For example: /home/user/ssl/file.key.
Self-signed Certificate
  • Uncheck the checkbox if the certificate is not self-signed.
Import
  • Start the import process.
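
The checks below can be run on the ClusterControl Controller host before an import: the private key must belong to the certificate, a certificate imported without a CA must actually be self-signed, and a CA-signed certificate must chain to the supplied CA and use a Common Name different from the CA's. This is an added example built on the standard openssl command line, not ClusterControl's own tooling; the function names and exit codes are assumptions of the example.

```shell
#!/bin/sh
# Added example: pre-import sanity checks for a certificate/key pair.
# Function names and exit codes are this example's own, not ClusterControl's.

# Print the subject Common Name of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Succeed only if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# preimport_check CERT KEY [CA]
# Returns 0 if OK, 2 on key mismatch, 3 on CN clash with the CA, 4 on chain failure.
preimport_check() {
    cert=$1 key=$2 ca=${3:-}
    key_matches_cert "$cert" "$key" ||
        { echo "key does not match certificate" >&2; return 2; }
    if [ -z "$ca" ]; then
        # No CA supplied: the certificate must verify against itself (self-signed).
        openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 ||
            { echo "not self-signed: supply the CA certificate" >&2; return 4; }
        return 0
    fi
    # Rule from the generation forms: certificate CN must differ from the CA CN.
    if [ "$(cert_cn "$cert")" = "$(cert_cn "$ca")" ]; then
        echo "certificate CN equals CA CN" >&2
        return 3
    fi
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "certificate does not chain to the supplied CA" >&2; return 4; }
}

# Stand-alone use: sh preimport.sh /home/user/ssl/file.crt /home/user/ssl/file.key [ca.crt]
if [ "$#" -ge 2 ]; then preimport_check "$@"; fi
```

A non-zero exit code identifies which check failed, so the script can gate an upload step in automation.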