Preparing server certificates

Steps to generate SSL certificates for client-to-node encryption or node-to-node encryption.

To use SSL encryption for client-to-node encryption or node-to-node encryption, SSL certificates must be generated using keytool. If you generate the certificates for one type of encryption, you do not need to generate them again for the other; the same certificates are used for both. All nodes must have all the relevant SSL certificates on all nodes. A keystore contains private keys. The truststore contains SSL certificates for each node. The certificates in the truststore don't require signing by a trusted and recognized public certification authority.

Procedure

  • Generate a private and public key pair on each node of the cluster. Use an alias that identifies the node. Prompts for the keystore password, dname (first and last name, organizational unit, organization, city, state, country), and key password. The dname should be generated with the CN value as the IP address or FQDN for the node.
    keytool -genkey -keyalg RSA -alias node0 -validity 36500 -keystore keystore.node0
    In this example, the -validity 36500 gives this key pair a validity period of 100 years. The default key pair validity is 90 days.
  • The generation command can also include all prompted-for information in the command line. This example uses an alias of node0, a keystore name of keystore.node0, uses the same password of cassandra for both the keystore and the key, and a dname that identifies the IP address of node0 as 172.31.10.22.
    keytool -genkey -keyalg RSA -alias node0 -validity 36500 -keystore keystore.node0 -storepass cassandra -keypass cassandra -dname "CN=172.31.10.22, OU=None, O=None, L=None, C=None"
  • Export the public part of the certificate to a separate file.
    keytool -export -alias cassandra -file node0.cer -keystore truststore.node0
  • Add the node0.cer certificate to the node0 truststore of the node using the keytool -import command.
    keytool -import -v -trustcacerts -alias node0 -file node0.cer -keystore truststore.node0
  • cqlsh does not work with the certificate in the format generated. openssl is used to generate a PEM file of the certificate with no keys, node0.cer.pem, and a PEM file of the key with no certificate, node0.key.pem. First, the keystore is imported in PKCS12 format to a destination keystore, node0.p12, in the example. This is followed by the two commands that convert create the two PEM files.
    keytool -importkeystore -srckeystore keystore.node0 -destkeystore node0.p12 -deststoretype PKCS12 -srcstorepass cassandra -deststorepass cassandra
    openssl pkcs12 -in node0.p12 -nokeys -out node0.cer.pem -passin pass:cassandra
    openssl pkcs12 -in node0.p12 -nodes -nocerts -out node0.key.pem -passin pass:cassandra
  • For client-to-remote-node encryption or node-to-node encryption, use a copying tool such as scp to copy the node0.cer file to each node. Import the file into the truststore after copying to each node. The example imports the certificate for node0 into the truststore for node1.
    keytool -import -v -trustcacerts -alias node0 -file node0.cer -keystore truststore.node1
  • Make sure keystore file is readable only to the Cassandra daemon and not by any user of the system.
  • Check that the certificates exist in the keystore and truststore files using keytool -list. The example shows checking for the node1 certificate in the keystore file and for the node0 and node1 certificates in the truststore file.
    keytool -list -keystore keystore.node1
    keytool -list -keystore truststore.node1