2. Home
  4. Docs
  6. ClusterControl
  8. User Guide (GUI)
  10. Sidebar
  12. Key Management

Key Management

Key Management allows you to manage a set of SSL certificates and keys that can be provisioned on your clusters. This feature allows you to create Certificate Authority (CA) and/or self-signed certificates and keys. Then, it can be easily enabled and disabled for MySQL and PostgreSQL client-server connections using the SSL encryption feature.

Attention

Starting from ClusterControl 1.9.7 (September 2023), ClusterControl GUI v2 is the default frontend graphical user interface (GUI) for ClusterControl. Note that the GUI v1 is considered a feature-freeze product with no future development. All new developments will be happening on ClusterControl GUI v2. See User Guide (GUI v2).

Manage

Manage existing keys and certificates generated by ClusterControl.

Field Description
Revoke
  • Revoke the selected certificate. This will put an end to the validity of the certificate.
Generate
  • Re-generate an invalid or expired certificate. By using this, ClusterControl can generate a new key and certificate by using the same information used when it was generated for the first time.
Move
  • Move the selected certificate to another location. Clicking on this will open another dialog box where you can create/delete a directory under /var/lib/cmon/ca. Use this feature to organize and categorize the generated certificate per directory.

Generate

By default, the generated keys and certificates will be created under the default repository at /var/lib/cmon/ca.

Field Description
New Folder
  • Create a new directory under the default repository.
Delete Folder
  • Delete the selected directory.
Refresh
  • Refresh the list.

Self-signed Certificate Authority and Key

Generate a self-signed Certificate Authority and key. You can use this Certificate Authority (CA) to sign your client and server certificates.

Field Description
Path
  • Certification repository path. To change the path, click on the file browser left-side menu. Default value is /var/lib/cmon/ca.
Certificate Authority and Key Name
  • Enter a name without an extension. For example MyCA, ca-cert
Description
  • Put some description for the certificate authority.
Country
  • Choose a country name from the dropdown menu.
State
  • State or province name.
Locality
  • City name.
Organization
  • Organization name.
Organization unit
  • Unit or department name.
Common name
  • Specify server fully-qualified domain name (FQDN) or your name.
  • Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and the key files will not work for the servers compiled using OpenSSL.
Email
  • Email address.
Key length (bits)
  • The key length in bits. 2048 and higher is recommended. The larger the public and private key length, the harder it is to crack
Expiration Date (days)
  • Certificate expiration in days.
Generate
  • Generate certificate and key.
Reset
  • Reset the form.

Client/Server Certificates and Key

Sign with an existing CA or generate a self-signed certificate. ClusterControl generates certificates and keys depending on the type, server or client. The generated server’s key and certificate can then be used by the Enable SSL Encryption feature.

Field Description
Certificate Authority
  • Select an existing CA (by clicking on any existing CA on the left-hand side menu) or leave it empty to generate a self-signed certificate.
Type
  • Server – Generate a certificate for server usage.
  • Client – Generate a certificate for client usage.
Certificate and Key Name
  • Enter the certificate and key name. The same name will be used by ClusterControl to generate certificates and keys. For example, if you specify the name as Severalnines, ClusterControl will generate severalnines.key and severalnines.crt respectively.
Description
  • Put some description for the certificate and key.
Country
  • Choose a country name from the dropdown menu.
State
  • State or province name.
Locality
  • City name.
Organization
  • Organization name.
Organization unit
  • Unit or department name.
Common name
  • Specify server fully-qualified domain name (FQDN) or your name.
  • Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and the key files will not work for the servers compiled using OpenSSL.
Email
  • Email address.
Key length (bits)
  • The key length in bits. 2048 and higher is recommended.
Expiration Date (days)
  • Certificate expiration in days.
Generate
  • Generate certificate and key.
Reset
  • Reset the form.
[/su_table

Import

Import keys and certificates into ClusterControl’s certificate repository. The imported keys and certificates can then be used to enable SSL encryption for server-client connection, replication, or backup at a later stage. Before you perform the important action, bear in mind to:

  1. Upload your certificate and key to a directory in the ClusterControl Controller host
  2. Uncheck the Self-signed Certificate checkbox if the certificate is not self-signed
  3. You need to also provide a CA certificate if the certificate is not self-signed
  4. Duplicate certificates will not be created
Field Description
Destination Path
  • Where you want the certificate to be imported to. Click on the file explorer window on the left to change the path.
Save As
  • Certificate name.
Certificate File
  • Physical path to the certificate file. For example: /home/user/ssl/file.crt.
Private Key File
  • Physical path to the key file. For example: /home/user/ssl/file.key.
Self-signed Certificate
  • Uncheck the checkbox if the certificate is not self-signed.
Import
  • Start the import process.
Was this article helpful to you? Yes No