Encryption On-the-Wire API
Couchbase Server APIs for self-signed and X.509 certificates manage encryption on-the-wire.
Retrieve Node Certificate Info
Retrieves information about a node certificate.
GET /pools/default/certificate/node/<host:port>
Description
This command retrieves information about the uploaded node certificate.
Example
$ curl -X GET http://user:password@127.0.0.1:8091/pools/default/certificate/node/127.0.0.1:8091
{"subject":"CN=127.0.0.1","expires":"2049-12-31T15:59:59.000Z","pem":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n\n"}
Upload and Regenerate Certificate
Uploads a pem-encoded root certificate (cluster CA) to the cluster.
POST /controller/uploadClusterCA
Description
The uploaded certificate will be displayed in the UI and used for XDCR replications and for client certificate stores.
Examples
curl -X POST --data-binary "@/path/root.pem" http://user:password@127.0.0.1:8091/controller/uploadClusterCA
curl -X POST --data-binary "@./ca.pem" http://Administrator:password@127.0.0.1:8091/controller/uploadClusterCA
Returns
Same output as in the GET /pools/default/certificate?extended=true method.
Setting up per node CA certificate
curl -X POST http://Administrator:password@127.0.0.1:8091/node/controller/reloadCertificate
Regenerating a self-signed certificate
If you configured Couchbase to use X.509 certificates, and you want to go back to the self-signed certificates, you can do this by regenerating the self-signed cluster certificate test.pem.
curl -X POST http://Administrator:password@remoteHost:8091/controller/regenerateCertificate
Return Cluster Certificate
Returns the current cluster certificate.
GET /pools/default/certificate
Description
If you include the parameter extended=true, it returns the extended certificate information:
{"cert": {"type" : ..., "pem" : ..., "subject" : ..., "expires" : ...}, "warnings": []}
Parameters
- type - generated or uploaded.
- pem - pem encoded certificate.
- subject - abbreviated certificate subject (*).
- expires - expiration date (*).
- warnings - warnings to be displayed in the UI.
(*) not available for generated certificates.
Example
$ curl -X GET http://user:password@127.0.0.1:8091/pools/default/certificate?extended=true
{"cert":{"type":"uploaded","pem":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n","subject":"CN=Root Authority","expires":"2049-12-31T15:59:59.000Z"},"warnings":[{"node":"n_0@127.0.0.1","message":"Certificate is not signed with cluster CA."}]}
Possible warnings:
{"node":"n_0@127.0.0.1","message":"Certificate is not signed with cluster CA."}
{"node":"n_0@127.0.0.1","message":"Certificate is expired."}
{"node":"n_0@127.0.0.1","message":"Certificate will expire soon.","expires":"2049-12-31T15:59:59.000Z"}
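The following added example (not from the Couchbase documentation) turns an extended=true response into sorted findings, using the warnings list and the expires field described above. The severity labels, the 30-day threshold, the function names and the sample response are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Messages listed on this page; the severity labels are this example's assumption.
SEVERITY = {
    "Certificate is expired.": "critical",
    "Certificate is not signed with cluster CA.": "critical",
    "Certificate will expire soon.": "warning",
}
ORDER = {"critical": 0, "unknown": 1, "warning": 2, "info": 3}

def parse_expiry(value):
    # Format shown on this page, e.g. 2049-12-31T15:59:59.000Z (UTC).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def audit_cluster_cert(body, now, soon=timedelta(days=30)):
    """Return sorted (severity, scope, detail) findings for one extended=true response."""
    doc = json.loads(body)
    cert = doc.get("cert", {})
    findings = []
    if cert.get("type") == "generated":
        findings.append(("info", "cluster", "generated (self-signed) certificate in use"))
    # 'subject' and 'expires' are not available for generated certificates.
    if "expires" in cert:
        left = parse_expiry(cert["expires"]) - now
        if left <= timedelta(0):
            findings.append(("critical", "cluster", "cluster certificate is expired"))
        elif left <= soon:
            findings.append(("warning", "cluster", f"expires in {left.days} days"))
    for w in doc.get("warnings", []):
        detail = w.get("message", "")
        if "expires" in w:
            detail += f" (expires {w['expires']})"
        findings.append((SEVERITY.get(w.get("message"), "unknown"), w.get("node", "?"), detail))
    return sorted(findings, key=lambda f: ORDER[f[0]])

# Constructed sample response: the PEM value is a placeholder and node n_1 is invented.
SAMPLE = json.dumps({
    "cert": {"type": "uploaded", "pem": "<PEM placeholder>",
             "subject": "CN=Root Authority", "expires": "2049-12-31T15:59:59.000Z"},
    "warnings": [
        {"node": "n_0@127.0.0.1", "message": "Certificate is not signed with cluster CA."},
        {"node": "n_1@127.0.0.1", "message": "Certificate will expire soon.",
         "expires": "2049-12-31T15:59:59.000Z"},
    ],
})

if __name__ == "__main__":
    for finding in audit_cluster_cert(SAMPLE, datetime(2049, 12, 15, tzinfo=timezone.utc)):
        print(*finding, sep=" | ")
```

Messages that are not in the list above are kept and reported with severity "unknown", so a new warning text is not silently dropped.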
Apply Certificate to a Node
Takes chain.pem and pkey.pem and applies them to a node.
POST /node/controller/reloadCertificate
Description
This command grabs chain.pem and pkey.pem from the data folder/inbox/ directory and applies them to the node.
Parameters
- chain.pem - Contains a chain of pem-encoded certificates starting from the node certificate and ending with the last intermediate certificate that precedes the cluster certificate.
- pkey.pem - Contains the pem-encoded private key for the node certificate.
Example
curl -X POST http://user:password@127.0.0.1:8091/node/controller/reloadCertificate
Returns
- 200 - If it is a success
- 400 - An error message if it failed.