Certificate Management API

    The REST API can be used to manage the root and node certificates of a cluster.

    Performing Certificate Management

    Couchbase Server supports the use of X.509 certificates, for both clients and servers. The REST API allows the server certificates to be managed. From a management perspective, server certificates can be considered to be of two kinds:

    • Root certificates. At least one root certificate exists for each cluster. Any number of root certificates can be uploaded: together, these constitute the cluster’s trust store. Each root certificate contains the public key of a Certificate Authority (CA).

      Couchbase Server uses its list of trusted certificates to verify:

      • Client certificates (when client certificate authentication is enabled: for information, see Enable Client-Certificate Handling).

      • The identities of cluster nodes (when node-to-node encryption is enabled: for information, see Manage Node-to-Node Encryption).

      • The identities of nodes that join the cluster (when the server has been provisioned with certificates).

      • The identity of LDAP servers (when TLS has been turned on, in the LDAP settings: for information, see LDAP Host Configuration).

    • Node certificates. A different node certificate is installed on each node in the cluster. This certificate is signed by a root certificate (or by an intermediate certificate that itself has gained its authority from that root certificate), and is therefore itself granted the authority of that root certificate. Clients that contact the node can identify the responsible root certificate by examining the node certificate and verifying its signature chain, which leads back to that root. Since a client typically holds only the root certificate, the node must present any intermediate certificates together with its own certificate; otherwise the client cannot complete the chain, and verification fails.

    A complete overview of certificate management for Couchbase Server is provided in Certificates. Examples of certificate creation and deployment are provided in Manage Certificates.
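    The following is an added example, not code from the Couchbase documentation: it builds the chain described above (root CA, intermediate CA, node certificate) with openssl, then verifies the node certificate the way a TLS client verifies a Couchbase node, i.e. with only the root in its trust store. It also shows the three ways such a check fails: a root that is not in the trust store, a SAN that does not match the host name, and a node that does not present its intermediate. All file names, subject names and the host name node1.example.com are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Couchbase documentation: build the chain
# root CA -> intermediate CA -> node certificate with openssl, then check the
# node certificate the way a TLS client checks a Couchbase node: the root must
# be in the client's trust store, the node must present the intermediate, and
# the certificate's SAN must match the host name.
# File names, subject names and the host name node1.example.com are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA certificate. `openssl req -x509` marks it CA:TRUE, so it can
# serve as a trust anchor (the document's "root certificate").
make_root() {   # $1 = file stem, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Key + CSR, signed by a parent CA. The extensions passed in $4 decide whether
# the result is itself a CA (intermediate) or an end-entity (node) certificate.
issue() {       # $1 = file stem, $2 = subject CN, $3 = parent stem, $4 = extensions
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf '%b\n' "$4" > "$WORK/$1.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

build_pki() {
  make_root root "Example Root CA"
  make_root other-root "Unrelated Root CA"      # a root the client does NOT trust
  issue intermediate "Example Intermediate CA" root \
    'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign'
  # The node certificate is not a CA and names the host it is served from.
  issue node "node1.example.com" intermediate \
    'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:node1.example.com'
}

# What a client does: trust store = $1 (root only), certificates presented by
# the node = $2 (the intermediate), leaf = $3, expected host name = $4.
# Returns 0 only if the chain ends at a trusted root AND the name matches.
verify_node_cert() {
  openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$4" "$3" >/dev/null 2>&1
}

# Same client, but the node served only its own certificate: with just the
# root in the trust store the chain cannot be completed.
verify_without_intermediate() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

build_pki
R="$WORK/root.pem"; I="$WORK/intermediate.pem"; N="$WORK/node.pem"

if verify_node_cert "$R" "$I" "$N" node1.example.com; then
  echo "trusted root, intermediate presented, name matches: accepted"
fi
if ! verify_node_cert "$WORK/other-root.pem" "$I" "$N" node1.example.com; then
  echo "chain leads to a root that is not in the trust store: rejected"
fi
if ! verify_node_cert "$R" "$I" "$N" node2.example.com; then
  echo "valid chain but SAN does not match the host name: rejected"
fi
if ! verify_without_intermediate "$R" "$N"; then
  echo "intermediate not presented by the node: rejected"
fi
```

    The last case is the one that bites in practice: a certificate file deployed to a node that contains only the leaf, without the intermediate that signed it, verifies fine on the machine that issued it (where the intermediate is in the local store) and fails for every client that holds only the root.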

    The REST API for Certificate Management

    Couchbase Server supports certificate management with the following principal APIs: