MySQL 8.4 Reference Manual


25.6.15.2 Creating a CA and Keys

Create a CA in the CA directory:

$> ndb_sign_keys --create-CA --to-dir=CA
Mode of operation: create CA.
This utility will create a cluster CA private key and a public key certificate.

You will be prompted to supply a pass phrase to protect the
cluster private key. This security of the cluster depends on this.

Only the database administrator responsible for this cluster should
have the pass phrase. Knowing the pass phrase would allow an attacker
to gain full access to the database.

The passphrase must be at least 4 characters in length.

Creating CA key file NDB-Cluster-private-key in directory CA.
Enter PEM pass phrase: Verifying - Enter PEM pass phrase:
Creating CA certificate NDB-Cluster-cert in directory CA.
$> ls -l CA
total 8
-rw-r--r-- 1 mysql mysql 1082 Dec 19 07:32 NDB-Cluster-cert
-r-------- 1 mysql mysql 1854 Dec 19 07:32 NDB-Cluster-private-key

Next, create the keys for all nodes on this host using the --create-key option, like this:

$> ndb_sign_keys --ndb-tls-search-path='CA' --create-key -c localhost:1186 --to-dir=keys 
Mode of operation: create active keys and certificates.
Enter PEM pass phrase:
Creating active private key in directory keys.
Creating active certificate in directory keys.
Creating active private key in directory keys.
Creating active certificate in directory keys.
Creating active private key in directory keys.
Creating active certificate in directory keys.
Read 5 nodes from custer configuration.
Found 5 nodes configured to run on this host.
Created 3 keys and 3 certificates.
$>

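--create-key causes ndb_sign_keys to connect to the management server, read the cluster configuration, and then create a full set of keys and certificates for all NDB nodes configured to run on the local host. The cluster management server must be running for this to work. If the management server is not running, ndb_sign_keys can read the cluster configuration file directly using the --config-file option. ndb_sign_keys can also create a single key-certificate pair for a single node type, using --no-config to ignore the cluster configuration and --node-type to specify the node type (one of mgmd, db, or api). In addition, you must either specify a hostname for the certificate with --bound-hostname=host_name, or disable hostname binding by supplying --bind-host=0.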

Key signing for remote hosts is accomplished by connecting to the CA host using ssh.
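
A check that can be run after the --create-CA step shown above, as an added example that is not part of the MySQL manual: it verifies that the CA private key is passphrase-encrypted and inaccessible to group and other, matching the `ls -l CA` listing, and that the certificate is writable only by its owner. The function names are hypothetical, and the test for an ENCRYPTED marker assumes the key is stored as PEM text.

```shell
#!/bin/sh
# Added example (not from the MySQL manual). File names come from the
# `ls -l CA` listing above; function names are hypothetical.

# Print the nine permission characters of a file, as `ls -l` shows them.
perm_bits() {
    ls -ldL -- "$1" | cut -c2-10
}

# Usage: check_ndb_ca_dir CA
# Returns 0 if the CA directory passes every check, 1 otherwise.
check_ndb_ca_dir() {
    key="$1/NDB-Cluster-private-key"
    cert="$1/NDB-Cluster-cert"
    rc=0

    for f in "$key" "$cert"; do
        [ -f "$f" ] || { echo "MISSING: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # Private key: no access at all for group or other (listing: -r--------).
    case "$(perm_bits "$key")" in
        ???------) ;;
        *) echo "WEAK-PERMS: $key"; rc=1 ;;
    esac

    # Assumption: the key is PEM text, so a passphrase-protected key carries
    # an ENCRYPTED marker in its first two lines.
    head -n 2 "$key" | grep -q 'ENCRYPTED' ||
        { echo "UNENCRYPTED: $key"; rc=1; }

    # Certificate: world-readable is fine, but only the owner may modify it.
    case "$(perm_bits "$cert")" in
        ????-??-?) ;;
        *) echo "WRITABLE: $cert"; rc=1 ;;
    esac

    return "$rc"
}
```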