Skip to main content
The CockroachDB CLI’s command allows you to generate in communication between CockroachDB nodes, and from SQL clients to the cluster.
The ability to rapidly and locally generate private key/public certificate pairs is important for development, but careful management of security certificates is an essential component of cluster security. We recommend that you use a cloud-native tool, such as Google Cloud Platform’s Certificate Authority Service (CAS), to manage security certificates.Learn more: .

Create the CA certificate and key pair

  1. Create two directories:
    • certs: You’ll generate your CA certificate and all node and client certificates and keys in this directory and then upload some of the files to your nodes.
    • my-safe-directory: You’ll generate your CA key in this directory and then reference the key when generating node and client certificates. Keep the key safe and secret; do not upload it to your nodes.
  2. Generate the CA certificate and key:

Create the certificate and key pairs for nodes

  1. Generate the certificate and key for the first node:
  2. Upload certificates to the first node:
  3. Delete the local copy of the first node’s certificate and key:
This is necessary because the certificates and keys for additional nodes will also be named node.crt and node.key As an alternative to deleting these files, you can run the next cockroach cert create-node commands with the --overwrite flag.
  1. Create the certificate and key for the second node:
  2. Upload certificates to the second node:
  3. Repeat steps 3 - 5 for each additional node.

Create the certificate and key pair for a client

To create a certificate and a key pair for a client, use the create-client subcommand.

List certificates and keys

To list the certificates and keys in a directory, use the create-client subcommand.

See also