You are viewing the documentation of an older version of the TiDB database (TiDB v3.1).

It is recommended that you use the latest LTS version of the TiDB database.

Generate Self-Signed Certificates


This document describes how to generate self-signed certificates using cfssl.

Assume that the topology of the instance cluster is as follows:

NameHost IPServices
node1172.16.10.1PD1, TiDB1
node2172.16.10.2PD2, TiDB2

Download cfssl

Assume that the host is x86_64 Linux:

mkdir ~/bin
curl -s -L -o ~/bin/cfssl
curl -s -L -o ~/bin/cfssljson
chmod +x ~/bin/{cfssl,cfssljson}
export PATH=$PATH:~/bin

Initialize the certificate authority

To make it easy for modification later, generate the default configuration of cfssl:

mkdir ~/cfssl
cd ~/cfssl
cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json

Generate certificates

Certificates description

  • tidb-server certificate: used by TiDB to authenticate TiDB for other components and clients
  • tikv-server certificate: used by TiKV to authenticate TiKV for other components and clients
  • pd-server certificate: used by PD to authenticate PD for other components and clients
  • client certificate: used to authenticate the clients from PD, TiKV and TiDB, such as pd-ctl, tikv-ctl and pd-recover

Configure the CA option

Edit ca-config.json according to your need:

    "signing": {
        "default": {
            "expiry": "43800h"
        "profiles": {
            "server": {
                "expiry": "43800h",
                "usages": [
                    "key encipherment",
                    "server auth",
                    "client auth"
            "client": {
                "expiry": "43800h",
                "usages": [
                    "key encipherment",
                    "client auth"

Edit ca-csr.json according to your need:

    "CN": "My own CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    "names": [
            "C": "CN",
            "L": "Beijing",
            "O": "PingCAP",
            "ST": "Beijing"

Generate the CA certificate

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

The command above generates the following files:


Generate the server certificate

The IP address of all components and are included in hostname.

echo '{"CN":"tidb-server","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server -hostname=",," - | cfssljson -bare tidb-server

echo '{"CN":"tikv-server","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server -hostname=",,," - | cfssljson -bare tikv-server

echo '{"CN":"pd-server","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server -hostname=",,," - | cfssljson -bare pd-server

The command above generates the following files:

tidb-server-key.pem     tikv-server-key.pem      pd-server-key.pem
tidb-server.csr         tikv-server.csr          pd-server.csr
tidb-server.pem         tikv-server.pem          pd-server.pem

Generate the client certificate

echo '{"CN":"client","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client -hostname="" - | cfssljson -bare client

The command above generates the following files:

Was this page helpful?