MySQL 9.0 Reference Manual


25.6.15.2 Creating a CA and Keys

Create a CA in the CA directory:

$> ndb_sign_keys --create-CA --to-dir=CA
Mode of operation: create CA.
This utility will create a cluster CA private key and a public key certificate.

You will be prompted to supply a pass phrase to protect the
cluster private key. This security of the cluster depends on this.

Only the database administrator responsible for this cluster should
have the pass phrase. Knowing the pass phrase would allow an attacker
to gain full access to the database.

The passphrase must be at least 4 characters in length.

Creating CA key file NDB-Cluster-private-key in directory CA.
Enter PEM pass phrase: Verifying - Enter PEM pass phrase:
Creating CA certificate NDB-Cluster-cert in directory CA.
$> ls -l CA
total 8
-rw-r--r-- 1 mysql mysql 1082 Dec 19 07:32 NDB-Cluster-cert
-r-------- 1 mysql mysql 1854 Dec 19 07:32 NDB-Cluster-private-key

Next, create the keys for all of the nodes on this host using the --create-key option, like this:

$> ndb_sign_keys --ndb-tls-search-path='CA' --create-key -c localhost:1186 --to-dir=keys 
Mode of operation: create active keys and certificates.
Enter PEM pass phrase:
Creating active private key in directory keys.
Creating active certificate in directory keys.
Creating active private key in directory keys.
Creating active certificate in directory keys.
Creating active private key in directory keys.
Creating active certificate in directory keys.
Read 5 nodes from custer configuration.
Found 5 nodes configured to run on this host.
Created 3 keys and 3 certificates.
$>

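--create-key causes ndb_sign_keys to connect to the management server, read the cluster configuration, and then create a full set of keys and certificates for all NDB nodes configured to run on the local host. The cluster management server must be running for this to work. If the management server is not running, ndb_sign_keys can read the cluster configuration file directly using the --config-file option. ndb_sign_keys can also create a single key-certificate pair for a single node type, using --no-config to ignore the cluster configuration and --node-type to specify the node type (one of mgmd, db, or api). In addition, you must either specify a hostname for the certificate with --bound-hostname=host_name, or disable hostname binding by supplying --bind-host=0.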

Key signing by a remote host is accomplished by connecting to the CA host using ssh.
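The listing above shows the CA private key readable by its owner only (-r--------) while the certificate is world-readable. The following shell function is an added example, not part of the MySQL manual or of ndb_sign_keys, that checks the same property for every private key in the CA and keys directories. It assumes that private key files have "private-key" in their name, as NDB-Cluster-private-key does; the function name and output labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit permissions of NDB TLS private key files.
# Assumption: private key file names contain "private-key", as
# NDB-Cluster-private-key does in the listing above.

# check_key_perms DIR...
# Prints one line per finding. Returns 0 if every private key is accessible
# to its owner only and no directory is group/other-writable, 1 if something
# is exposed, 2 on a usage error.
check_key_perms() {
    [ "$#" -ge 1 ] || { echo "usage: check_key_perms DIR..." >&2; return 2; }
    bad=0
    for dir in "$@"; do
        [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

        # A directory writable by group or others lets another account
        # replace a key file even when the file itself is mode 0400.
        dmode=$(ls -ldL "$dir" | cut -c1-10)
        case "$dmode" in
            ?????w????|????????w?) echo "WRITABLE-DIR $dmode $dir"; bad=1 ;;
        esac

        for f in "$dir"/*private-key*; do
            [ -f "$f" ] || continue   # unmatched glob or not a regular file
            # Mode string: 1 type char, then owner, group, other (3 each).
            fmode=$(ls -ldL "$f" | cut -c1-10)
            case "$fmode" in
                ????------) ;;        # no group or other access: OK
                *) echo "EXPOSED $fmode $f"; bad=1 ;;
            esac
        done
    done
    return "$bad"
}

# Usage, from the directory where the commands above were run:
#   check_key_perms CA keys
```

A nonzero return is suitable for failing a deployment or monitoring check; each finding can be corrected with chmod before the nodes are started.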