When a new node is added to a Couchbase Server cluster running version 7.1 or later, the node can keep its existing node certificate and certificate chain, provided that the root certificate of that chain is already in the cluster's trust store. If that root certificate is not in the cluster's trust store, the addition fails with an error.
The new node's own trust store is used only while the initial connection to the cluster is being established. Once the node is being added, its trust store is overwritten with the cluster's trust store.
For example, assume the existence of the following:
A cluster whose trust store contains CA 1, CA 2, and CA 3; and whose node 1 authenticates with Cert 1, which is signed by CA 1.
A separate, individual node, node x, whose trust store contains CA 1, CA 2, and CA 4; and which authenticates with Cert 2, which is signed by CA 2.
After node x has been added to the cluster, the trust store of node x contains only the cluster's root certificates (CA 1, CA 2, and CA 3): it no longer contains CA 4.
Note also that if the node certificate for node x, Cert 2, had been signed by CA 4 instead of CA 2, the addition of node x would fail, because the cluster does not trust CA 4; CA 4 would have to be loaded into the cluster's trust store before node x is added.