Use the tlsutil -u option to create signed certificates on a subset of database servers. This option is used with the -c option only.
When used with the -c option, update mode checks the signed certificates and private keys on all database servers and creates CSRs only for those that do not have a valid certificate and key.
Update mode used with -c reports that all certificates are valid if none fail the validity test. In that case, no further action is required.
For example, as root, run the following commands to update invalid signed certificates:
- Generate CSRs:
    # tlsutil -c -u mydb.example.com
  Result: If all certificates are valid, no further action is required.
- If some certificates are invalid, sign the certificates using a customer-defined process.
- Install the signed certificates and private keys:
    # tlsutil -i
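
Between the signing step and `tlsutil -i`, it is worth confirming that each certificate returned by the signing process carries the same public key as its CSR, has enough validity left, and chains to the expected CA. The script below is an added example, not part of tlsutil or of the original documentation, and it is not tlsutil's own validity test, whose criteria this page does not describe. The function name, exit codes, `MIN_DAYS_LEFT` variable and file paths are assumptions; only standard `openssl` subcommands are used.

```shell
#!/bin/sh
# Added example (not part of tlsutil): sanity-check a certificate returned by
# the signing process before it is installed. All file paths are supplied by
# the caller; the page does not say where tlsutil writes CSRs or expects certs.
#
# usage: check_signed_cert CSR CERT [CA_BUNDLE]
# env:   MIN_DAYS_LEFT  minimum remaining validity in days (default 0)
# exit:  0 ok, 1 unreadable input, 2 key mismatch, 3 expiring, 4 chain failure
check_signed_cert() {
    cc_csr=$1 cc_cert=$2 cc_ca=${3:-}
    cc_secs=$(( ${MIN_DAYS_LEFT:-0} * 86400 ))

    # Extract the public key from both files; a failure or empty result means
    # the file is missing or is not a parsable CSR / X.509 certificate.
    cc_csr_pub=$(openssl req -in "$cc_csr" -noout -pubkey 2>/dev/null) || return 1
    cc_cert_pub=$(openssl x509 -in "$cc_cert" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$cc_csr_pub" ] && [ -n "$cc_cert_pub" ] || return 1

    # The certificate must carry the same public key as the CSR, otherwise it
    # will not pair with the private key generated alongside that CSR.
    [ "$cc_csr_pub" = "$cc_cert_pub" ] || return 2

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cc_cert" -noout -checkend "$cc_secs" >/dev/null 2>&1 || return 3

    # Optional: confirm the certificate chains to the expected issuing CA.
    if [ -n "$cc_ca" ]; then
        openssl verify -CAfile "$cc_ca" "$cc_cert" >/dev/null 2>&1 || return 4
    fi
    return 0
}

# Stand-alone use (hypothetical file names): ./check_cert.sh mydb.csr mydb.pem ca.pem
if [ "$#" -ge 2 ]; then
    check_signed_cert "$@"
    rc=$?
    if [ "$rc" -eq 0 ]; then echo "OK: $2"; else echo "REJECT ($rc): $2" >&2; fi
    exit "$rc"
fi
```

A non-zero exit identifies which check failed, so a rejected certificate can be sent back to the signing process before anything is installed.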