Use the tlsutil -u option to create signed certificates on a subset of database servers.
The -u option must be used with the -c option. Together, they run tlsutil in update mode, which checks the signed certificates and private keys on all database servers and creates CSRs only for those that do not have a valid certificate and key. If no certificate fails the validity test, using the -u and -c options reports that all certificates are valid. In that case, no further action is required.
For example, as root, run the following commands to update invalid signed certificates:
- Generate CSRs:
# tlsutil -c -u mydb.example.com
Result: If all certificates are valid, no further action is required.
- If some certificates are invalid, sign the certificates using your defined process.
- Install the signed certificates and private keys:
# tlsutil -i
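Before installing, it helps to confirm that each certificate returned by your signing process matches its private key and is not about to expire. The following is an added example, not part of tlsutil or its documentation: the function names, return codes and file paths are assumptions, it relies on the openssl command line, and it does not reproduce the validity test that tlsutil itself performs.

```shell
#!/bin/sh
# Added example: pre-install check of a signed certificate and its private key.
# Paths are passed as arguments; where tlsutil stores its files is not assumed.

# check_pair CERT KEY [MIN_DAYS]
# Returns 0 if the pair is usable,
#         1 if the certificate is expired or expires within MIN_DAYS,
#         2 if the private key does not belong to the certificate,
#         3 if a file is missing, unreadable, or not parseable
#           (including a passphrase-protected key).
check_pair() {
    cert=$1; key=$2; min_days=${3:-0}
    [ -r "$cert" ] && [ -r "$key" ] || return 3

    # Extract the public key from each side and compare them.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 3
    [ "$cert_pub" = "$key_pub" ] || return 2

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null 2>&1 || return 1
    return 0
}

# make_sample_pair DIR DAYS
# Builds a constructed, self-signed test pair (DIR/cert.pem, DIR/key.pem)
# so the check can be tried without touching real server material.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -days "$2" -subj "/CN=mydb.example.com" >/dev/null 2>&1
}
```

A return code of 2 usually means the signed certificate was issued against a different CSR than the one generated for that server.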