Generate SSL certificates for client-to-node encryption or node-to-node encryption.
This topic provides information about generating SSL certificates for client-to-node encryption or node-to-node encryption. If you generate the
certificates for one type of encryption, you do not need to generate them again for
the other: the same certificates are used for both.
Every node must hold the SSL certificates of every other node in the cluster. A keystore
contains a node's private keys. The truststore contains the SSL certificates of each node;
these certificates do not need to be signed by a trusted, recognized public certificate
authority.
Procedure
To prepare server certificates:
- Generate the private and public key pair for the nodes of the cluster, leaving
  the key password the same as the keystore password:

      keytool -genkey -alias dse_node0 -keyalg RSA -keystore .keystore
- Repeat the previous step on each node, using a different alias for each one.
- Export the public part of the certificate to a separate file and copy these
  certificates to all other nodes. The alias must be the one used when the key
  pair was generated (here dse_node0):

      keytool -export -alias dse_node0 -file dse_node0.cer -keystore .keystore
- Add the certificate of each node to the truststore of each node, so that nodes can
  verify the identity of other nodes. A prompt for setting a password for the newly
  created truststore appears.

      keytool -import -v -trustcacerts -alias dse_node0 -file dse_node0.cer -keystore .truststore
      keytool -import -v -trustcacerts -alias dse_node1 -file dse_node1.cer -keystore .truststore
      . . .
      keytool -import -v -trustcacerts -alias dse_nodeN -file dse_nodeN.cer -keystore .truststore
- Make sure .keystore is readable only by the DSE daemon and not by any other
  user of the system.
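The whole procedure as one script, an added example that is not part of the DSE documentation. It assumes three node aliases and a constructed password, builds every keystore in one directory for illustration (on a real cluster each node generates its own .keystore and only the .cer files are copied around), imports the certificates without the interactive prompt, and checks the final permission requirement with stat.

```bash
#!/usr/bin/env bash
# Added example: one keystore per node, each node's public certificate exported,
# all certificates imported into a shared truststore, and a check that every
# keystore is private to its owner. Run as: ./mkcerts.sh --run
set -eu
NODES="dse_node0 dse_node1 dse_node2"   # assumed aliases, one per node
PASS="example-pass"                    # constructed; use a real secret in practice
# Step 1: key pair for one node; the key password deliberately equals the
# keystore password, as the procedure requires (-keypass = -storepass).
gen_node_key() { # <alias> <keystore>
    keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -dname "CN=$1" \
        -validity 365 -keystore "$2" -storepass "$PASS" -keypass "$PASS"
}
# Step 3: export the public certificate under the same alias used in step 1.
export_node_cert() { # <alias> <keystore>
    keytool -export -alias "$1" -file "$1.cer" -keystore "$2" -storepass "$PASS"
}
# Step 4: add one node certificate to the truststore; -noprompt skips the
# "Trust this certificate?" question so the step can be scripted.
import_node_cert() { # <alias> <truststore>
    keytool -import -v -trustcacerts -noprompt -alias "$1" -file "$1.cer" \
        -keystore "$2" -storepass "$PASS"
}
# Returns 0 only if the alias is present in the given store.
store_has_alias() { # <alias> <store>
    keytool -list -alias "$1" -keystore "$2" -storepass "$PASS" >/dev/null 2>&1
}
# Step 5 check: the keystore must carry no group or other permission bits
# (GNU stat first, BSD/macOS stat as fallback).
keystore_is_private() { # <path>
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in [0-7]00) return 0 ;; *) return 1 ;; esac
}
run_all() {
    for n in $NODES; do
        gen_node_key "$n" ".keystore.$n"       # in practice: once, on node $n
        export_node_cert "$n" ".keystore.$n"   # then copy $n.cer to every node
        chmod 600 ".keystore.$n"               # owner (the DSE daemon) only
    done
    for n in $NODES; do import_node_cert "$n" .truststore; done
    for n in $NODES; do
        store_has_alias "$n" .truststore || return 1
        keystore_is_private ".keystore.$n" || return 1
    done
}
if [ "${1:-}" = "--run" ]; then run_all; fi
```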