All nodes require the relevant SSL certificates. Steps to generate SSL certificates for
client-to-node encryption or node-to-node encryption.
Follow these steps to generate SSL certificates for client-to-node encryption or node-to-node encryption. If you generate the
certificates for one type of encryption, you do not need to generate them again for
the other: the same certificates are used for both.
When using SSL client-to-node encryption,
the common name (CN) in the certificate must be the hostname or IP
address of the node that issues the command.
All nodes must have all the relevant SSL certificates. A keystore contains private keys. The truststore contains SSL certificates for each
node and does not require signing by a trusted and recognized public certification
authority.
Procedure
To prepare server certificates:
- Generate the private and public key pair for the nodes of the cluster, leaving
the key password the same as the keystore password:
$ keytool -genkey -alias dse_node0 -keyalg RSA -keystore .keystore
For the prompt What is your first and last name?, enter the
hostname or the fully qualified domain name (FQDN) of the Cassandra node for
which you are generating the keys. The value that you enter for the first and
last name sets the certificate CN (Common Name), which the client uses for
server authentication.
- Repeat the previous step on each node, using a different alias for each
node.
- Export the public part of the certificate to a separate file and copy these
certificates to all other nodes.
$ keytool -export -alias dse_node0 -file dse_node0.cer -keystore .keystore
- Add the certificate of each node to the truststore of each node, so the nodes
can verify the identity of other nodes.
A prompt for setting a password for the newly created truststore appears.
$ keytool -import -v -trustcacerts -alias dse_node0 -file dse_node0.cer -keystore .truststore
$ keytool -import -v -trustcacerts -alias dse_node1 -file dse_node1.cer -keystore .truststore
. . .
$ keytool -import -v -trustcacerts -alias dse_nodeN -file dse_nodeN.cer -keystore .truststore
- Make sure .keystore is readable only by the DataStax
Enterprise daemon and not by any other user of the system.
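The whole procedure above, scripted for one node so it runs without the interactive prompts. This is an added example, not a DataStax script; the alias dse_node0, the hostname, the distinguished-name fields, the STOREPASS variable and the --run switch are assumptions, and the SAN extension is an addition beyond the steps above.

```shell
#!/bin/sh
# Added example, not DataStax's own script: non-interactive version of the
# keytool steps for one node. Alias, hostname, DN fields and the password
# variable are constructed placeholders; STOREPASS should come from the environment.
set -eu

KEYSTORE=".keystore"
TRUSTSTORE=".truststore"
STOREPASS="${STOREPASS:-changeit-placeholder}"   # placeholder, replace in real use

# Generate the node key pair. -dname answers the "first and last name" prompt
# so CN is the node hostname; the key password is kept equal to the store password.
# The SAN entry is added because modern clients verify the hostname against it.
gen_node_key() {
  keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$2, OU=dse, O=example, C=US" -ext "SAN=dns:$2" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Export the public certificate so it can be copied to the other nodes.
export_node_cert() {
  keytool -exportcert -alias "$1" -file "$1.cer" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Add one node certificate to the local truststore without the yes/no prompt.
import_node_cert() {
  keytool -importcert -noprompt -trustcacerts -alias "$1" -file "$1.cer" \
    -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# True only if the file belongs to user $2 and has no group/other permission
# bits (mode ends in 00), i.e. only the daemon user can read the private keys.
keystore_is_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  owner=$(stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1")
  [ "$owner" = "$2" ] || return 1
  case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

main() {
  gen_node_key "$1" "$2"
  export_node_cert "$1"
  # Import this node's certificate plus every .cer copied here from other nodes.
  for cer in ./*.cer; do
    import_node_cert "$(basename "$cer" .cer)"
  done
  chmod 600 "$KEYSTORE"
  keystore_is_private "$KEYSTORE" "$(id -un)" || { echo "$KEYSTORE readable by others" >&2; exit 1; }
}

if [ "${1:-}" = "--run" ]; then main "$2" "$3"; fi
```

Run it as the DSE user on each node, for example `sh gen_node_certs.sh --run dse_node0 node0.example.internal`, after copying the other nodes' .cer files into the working directory.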