MySQL 9.0 Release Notes
Create the CA in the CA directory:
$> ndb_sign_keys --create-CA --to-dir=CA
Mode of operation: create CA.
This utility will create a cluster CA private key and a public key certificate.
You will be prompted to supply a pass phrase to protect the
cluster private key. This security of the cluster depends on this.
Only the database administrator responsible for this cluster should
have the pass phrase. Knowing the pass phrase would allow an attacker
to gain full access to the database.
The passphrase must be at least 4 characters in length.
Creating CA key file NDB-Cluster-private-key in directory CA.
Enter PEM pass phrase: Verifying - Enter PEM pass phrase:
Creating CA certificate NDB-Cluster-cert in directory CA.
$> ls -l CA
total 8
-rw-r--r-- 1 mysql mysql 1082 Dec 19 07:32 NDB-Cluster-cert
-r-------- 1 mysql mysql 1854 Dec 19 07:32 NDB-Cluster-private-key
Next, create keys for all nodes on this host using the --create-key option, as shown here:
$> ndb_sign_keys --ndb-tls-search-path='CA' --create-key -c localhost:1186 --to-dir=keys
Mode of operation: create active keys and certificates.
Enter PEM pass phrase:
Creating active private key in directory keys.
Creating active certificate in directory keys.
Creating active private key in directory keys.
Creating active certificate in directory keys.
Creating active private key in directory keys.
Creating active certificate in directory keys.
Read 5 nodes from custer configuration.
Found 5 nodes configured to run on this host.
Created 3 keys and 3 certificates.
$>
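The ls -l output above shows the CA private key created with owner-only read permission. The following POSIX shell function, an added example that is not part of the manual or of ndb_sign_keys, audits a CA directory for exactly that state: it checks that the files shown above (NDB-Cluster-private-key and NDB-Cluster-cert) exist and that no group or other permission bits are set on the private key.

```shell
#!/bin/sh
# Added example: audit a CA directory produced by ndb_sign_keys --create-CA.
# File names match the ndb_sign_keys output shown on this page; the
# directory layout of the keys directory is not checked here.

# Print the octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# audit_ca_dir DIR
# Returns 0 when every check passes, 1 otherwise; findings go to stdout.
audit_ca_dir() {
    dir=$1
    key="$dir/NDB-Cluster-private-key"
    cert="$dir/NDB-Cluster-cert"
    status=0

    # Both files must be present; without the key nothing else is worth checking.
    if [ ! -f "$key" ]; then
        echo "FAIL: $key is missing"
        return 1
    fi
    if [ ! -f "$cert" ]; then
        echo "FAIL: $cert is missing"
        status=1
    fi

    # The key must not be empty (a truncated write leaves a useless CA).
    if [ ! -s "$key" ]; then
        echo "FAIL: $key is empty"
        status=1
    fi

    # ndb_sign_keys creates the key as mode 400 (-r--------). Any group or
    # other bits set on it is a finding, so require the mode to end in "00".
    mode=$(file_mode "$key")
    case "$mode" in
        *00) ;;
        *)   echo "FAIL: $key has mode $mode (group/other bits set, expected 400)"
             status=1 ;;
    esac

    [ "$status" -eq 0 ] && echo "OK: $dir passes all checks"
    return "$status"
}
```

Run it as audit_ca_dir CA after creating the CA; a non-zero exit status means at least one finding was printed.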
--create-key causes ndb_sign_keys to connect to the management server, read the cluster configuration, and then create a complete set of keys and certificates for all NDB nodes configured to run on the local host. The cluster management server must be running for this to work. If the management server is not running, ndb_sign_keys can read the cluster configuration file directly using the --config-file option. ndb_sign_keys can also ignore the cluster configuration entirely using --no-config and create a single key and certificate pair for one node type, specified using --node-type (one of mgmd, db, or api). In that case you must also specify a hostname for the certificate using --bound-hostname=host_name, or disable hostname binding by supplying --bind-host=0.
Key signing for remote hosts is performed by connecting to the CA host using ssh.