Doc Menu

Generate Self-signed Certificates


This document describes how to generate self-signed certificates using cfssl.

Assume that the topology of the instance cluster is as follows:

NameHost IPServices
node1172.16.10.1PD1, TiDB1
node2172.16.10.2PD2, TiDB2

Download cfssl

Assume that the host is x86_64 Linux:

mkdir ~/bin
curl -s -L -o ~/bin/cfssl
curl -s -L -o ~/bin/cfssljson
chmod +x ~/bin/{cfssl,cfssljson}
export PATH=$PATH:~/bin

Initialize the certificate authority

To make it easy for modification later, generate the default configuration of cfssl:

mkdir ~/cfssl
cd ~/cfssl
cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json

Generate certificates

Certificates description

  • tidb-server certificate: used by TiDB to authenticate TiDB for other components and clients
  • tikv-server certificate: used by TiKV to authenticate TiKV for other components and clients
  • pd-server certificate: used by PD to authenticate PD for other components and clients
  • client certificate: used to authenticate the clients from PD, TiKV and TiDB, such as pd-ctl, tikv-ctl and pd-recover

Configure the CA option

Edit ca-config.json according to your need:

    "signing": {
        "default": {
            "expiry": "43800h"
        "profiles": {
            "server": {
                "expiry": "43800h",
                "usages": [
                    "key encipherment",
                    "server auth",
                    "client auth"
            "client": {
                "expiry": "43800h",
                "usages": [
                    "key encipherment",
                    "client auth"

Edit ca-csr.json according to your need:

    "CN": "My own CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    "names": [
            "C": "CN",
            "L": "Beijing",
            "O": "PingCAP",
            "ST": "Beijing"

Generate the CA certificate

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

The command above generates the following files:


Generate the server certificate

The IP address of all components and are included in hostname.

echo '{"CN":"tidb-server","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server -hostname=",," - | cfssljson -bare tidb-server

echo '{"CN":"tikv-server","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server -hostname=",,," - | cfssljson -bare tikv-server

echo '{"CN":"pd-server","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server -hostname=",,," - | cfssljson -bare pd-server

The command above generates the following files:

tidb-server-key.pem     tikv-server-key.pem      pd-server-key.pem
tidb-server.csr         tikv-server.csr          pd-server.csr
tidb-server.pem         tikv-server.pem          pd-server.pem

Generate the client certificate

echo '{"CN":"client","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client -hostname="" - | cfssljson -bare client

The command above generates the following files: