Custom certificates
The Node Management Agent (NMA) starts with the following certificates by default. These certificates are automatically generated by the install_vertica script in the /opt/vertica/config/https_certs directory. The certificate authority (CA) certificate is a self-signed certificate, but is safe to use with the NMA in production environments:
- vertica_https.key (private key)
- vertica_https.pem (certificate)
- rootca.pem (CA certificate)
If you want to use custom certificates or cannot run install_vertica, you can specify custom certificates with environment variables. Invalid values for these parameters prevent the NMA from starting, and the failure is logged in /opt/vertica/log/node_management_agent.log.
Each category of environment variable (literal certificate or path) must either be set together with valid parameters or not at all. For example, setting only NMA_ROOTCA and NMA_CERT causes an error. Similarly, setting NMA_ROOTCA_PATH, NMA_CERT_PATH, and NMA_KEY_PATH would also cause an error if NMA_KEY_PATH references an invalid path.
Certificate literals
- NMA_ROOTCA: A PEM-encoded root CA certificate or concatenated CA certificates.
- NMA_CERT: A PEM-encoded server certificate.
- NMA_KEY: A PEM-encoded private key.
Certificate paths
Note
In general, you should use absolute paths for the _PATH environment variables. Relative paths must be relative to the current working directory of the process.
- NMA_ROOTCA_PATH: The path to a file containing either a PEM-encoded root CA certificate or concatenated CA certificates.
- NMA_CERT_PATH: The path to a PEM-encoded server certificate.
- NMA_KEY_PATH: The path to a PEM-encoded private key.
Configuration precedence
The NMA attempts to use the specified certificates in the following order. If all parameters at a given level are unset, the NMA falls through and attempts to use the parameters, if any, at the next level. However, if the parameters at a given level are only partially set or invalid, the NMA does not fall through and instead produces an error:
- Environment variables specifying a literal certificate (NMA_ROOTCA, NMA_CERT, NMA_KEY).
- Environment variables specifying the path to a certificate (NMA_ROOTCA_PATH, NMA_CERT_PATH, NMA_KEY_PATH).
- /opt/vertica/config/https_certs/tls_path_cache.yaml, which caches the values of the certificate path environment variables. In general, you should not edit this file, but you can delete it to return to Vertica defaults.
- The default certificates at the default path: /opt/vertica/config/https_certs.
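
The precedence rules above, written as a pre-flight check you could run in the NMA's environment before starting it. This is an added example, not Vertica's code: the function names, treating an empty value as unset, and treating the cache file's presence as selecting that level are assumptions, and the PEM test only looks for a BEGIN marker rather than validating the certificate.

```python
import os

LITERAL_VARS = ("NMA_ROOTCA", "NMA_CERT", "NMA_KEY")
PATH_VARS = ("NMA_ROOTCA_PATH", "NMA_CERT_PATH", "NMA_KEY_PATH")
CERT_DIR = "/opt/vertica/config/https_certs"
CACHE_FILE = CERT_DIR + "/tls_path_cache.yaml"


class NMACertConfigError(ValueError):
    """A level is partially set or invalid, so the NMA would not fall through."""


def _level(env, names):
    """Values for one level; None if all unset; error if only partially set."""
    # Assumption: an empty value counts as unset.
    values = {n: env.get(n, "") for n in names}
    missing = [n for n, v in values.items() if not v]
    if len(missing) == len(names):
        return None
    if missing:
        raise NMACertConfigError(f"partially set level, missing: {missing}")
    return values


def resolve_cert_source(env=None, is_file=os.path.isfile):
    """Return (level, warnings) for the level that would supply the certificates."""
    env = os.environ if env is None else env
    warnings = []
    literals = _level(env, LITERAL_VARS)
    if literals is not None:
        for name, pem in literals.items():
            # Shallow check only: PEM data carries a BEGIN marker line.
            if "-----BEGIN " not in pem:
                raise NMACertConfigError(f"{name} is not PEM-encoded")
        return "literal", warnings
    paths = _level(env, PATH_VARS)
    if paths is not None:
        for name, path in paths.items():
            if not is_file(path):
                raise NMACertConfigError(f"{name}={path!r} is not a file")
            if not os.path.isabs(path):
                warnings.append(f"{name} is relative to the process working directory")
        return "path", warnings
    # Assumption: the cache file's presence alone selects this level.
    if is_file(CACHE_FILE):
        return "cache", warnings
    return "default", warnings
```

Calling `resolve_cert_source()` with no arguments checks the current process environment and the real filesystem.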