Manage Certificates

    Couchbase Server supports the use of X.509 certificates.

    Certificate Management Overview

    A conceptual and architectural overview of Couchbase Server’s support of X.509 certificates is provided in Certificates. The current section provides practical steps for:

    • Configuring server certificates: These reside on Couchbase Server nodes, identify the cluster to networked clients, and support encrypted network communications. Procedures are provided to demonstrate how a cluster can be protected by means of root and node certificates, and how node certificates can themselves be created with additional security and efficiency through the creation and use of intermediate certificates. See Configure Server Certificates.

    • Configuring client certificates: These can be used by networked clients to authenticate with Couchbase Server, and to support encrypted network communications. Certificate creation is demonstrated both with and without the use of intermediate certificates. The certificate-creation requirements specific to Java applications are demonstrated. Additionally, links are provided to other areas of the documentation, where the certificates created in the current section are used to establish secure XDCR communication between clusters, and to establish communication between a cluster and a Java client. See Configure Client Certificates.

    • Handling client certificates: Couchbase Server can be configured to accept or demand certificates presented by clients for the purpose of authentication. Since a client certificate contains a username, which can be represented in a number of different ways within the certificate content, Couchbase Server must be configured to identify the appropriate representation and so extract the specified username. Full instructions for accomplishing this with the UI, the CLI, and the REST API are provided: see Enable Client-Certificate Handling.

    Additionally, procedures are provided for Certificate Rotation, to ensure optimal security, and for Certificate Error Handling.