Preparing server certificates

All nodes require the relevant SSL certificates. The steps below generate the SSL certificates for client-to-node encryption or node-to-node encryption.

Follow these steps to generate SSL certificates for client-to-node encryption or node-to-node encryption. If you generate the certificates for one type of encryption, you do not need to generate them again for the other: the same certificates are used for both.

When using SSL client-to-node encryption, the common name (CN) in the certificate must be the hostname or IP address of the node that issues the command.

All nodes must have all the relevant SSL certificates. A keystore contains private keys. The truststore contains SSL certificates for each node and does not require signing by a trusted and recognized public certification authority.

Procedure

To prepare server certificates:

  1. Generate the private and public key pair for the nodes of the cluster, leaving the key password the same as the keystore password:
    $ keytool -genkey -alias dse_node0 -keyalg RSA -keystore .keystore
    At the prompt "What is your first and last name?", enter the hostname or the fully qualified domain name (FQDN) of the Cassandra node for which you are generating the keys. The value that you enter for the first and last name is used to set the certificate CN (Common Name) that the client uses for server authentication.
  2. Repeat the previous step on each node using a different alias for each node.
  3. Export the public part of the certificate to a separate file and copy these certificates to all other nodes.
    $ keytool -export -alias dse_node0 -file dse_node0.cer -keystore .keystore
  4. Add the certificate of each node to the truststore of each node, so the nodes can verify the identity of other nodes.
    A prompt for setting a password for the newly created truststore appears.
    $ keytool -import -v -trustcacerts -alias dse_node0 -file dse_node0.cer -keystore .truststore
    $ keytool -import -v -trustcacerts -alias dse_node1 -file dse_node1.cer -keystore .truststore
    . . .
    $ keytool -import -v -trustcacerts -alias dse_nodeN -file dse_nodeN.cer -keystore .truststore
  5. Make sure .keystore is readable only by the DataStax Enterprise daemon and not by any user of the system.
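The five steps above as one non-interactive script, added here as an example; it is not DataStax's own tooling. It assumes hypothetical hostnames under example.internal, a placeholder store password and DN suffix, and a scratch output directory. It uses keytool's current command names (-genkeypair, -exportcert and -importcert are the modern spellings of -genkey, -export and -import used above), passes -dname so the CN is set directly to the node's hostname instead of through the first-and-last-name prompt, sets the key password equal to the keystore password as step 1 requires, and adds two checks the procedure implies: that each certificate's CN really is the node hostname, and that each .keystore ends up mode 0600 (step 5).

```bash
#!/usr/bin/env bash
# Added example, not DataStax's own tooling: runs the five steps above
# non-interactively for a list of nodes. Hostnames, passwords and the
# DN fields are placeholders; replace them with your own.
set -euo pipefail

NODES="${NODES:-node0.example.internal node1.example.internal}"  # hypothetical FQDNs
OUTDIR="${OUTDIR:-$(mktemp -d)}"          # one sub-directory per node
STOREPASS="${STOREPASS:-changeit}"        # placeholder; read it from a secret store in practice
ORG_DN="OU=dse,O=Example Corp,C=US"       # placeholder DN suffix after the CN

# Step 1: key pair per node. The CN must be the node's hostname/FQDN, and the
# key password is set equal to the keystore password.
gen_node_keystore() {  # $1 = hostname, $2 = alias
  mkdir -p "$OUTDIR/$1"
  keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$1,$ORG_DN" \
    -keystore "$OUTDIR/$1/.keystore" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 3: export the public certificate so it can be copied to every node.
export_cert() {  # $1 = hostname, $2 = alias
  keytool -exportcert -alias "$2" -file "$OUTDIR/$2.cer" \
    -keystore "$OUTDIR/$1/.keystore" -storepass "$STOREPASS"
}

# Step 4: every node's certificate goes into the truststore; -noprompt answers
# the interactive "Trust this certificate?" question.
import_into_truststore() {  # $1 = truststore path, $2 = alias
  keytool -importcert -v -trustcacerts -noprompt -alias "$2" -file "$OUTDIR/$2.cer" \
    -keystore "$1" -storepass "$STOREPASS"
}

# Check that the certificate CN is the hostname we expect (keytool prints the
# owner DN as "CN=host, OU=..., ..."). grep -c reads all input, so no SIGPIPE.
cn_matches() {  # $1 = hostname, $2 = alias
  keytool -list -v -alias "$2" -keystore "$OUTDIR/$1/.keystore" -storepass "$STOREPASS" \
    | grep -c "CN=$1," >/dev/null
}

# Step 5: the keystore holds private keys and must be readable only by the
# account the DSE daemon runs as. Returns 0 only when the mode is exactly 0600.
check_keystore_perms() {  # $1 = path
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ]
}

lock_down_keystore() {  # $1 = path
  chmod 600 "$1"
  check_keystore_perms "$1"
}

main() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; install a JDK to run this script" >&2
    return 0
  fi
  local i=0 host node_alias
  # Steps 1-3 for every node (step 2 is the loop itself: a distinct alias per node).
  for host in $NODES; do
    node_alias="dse_node$i"
    gen_node_keystore "$host" "$node_alias"
    cn_matches "$host" "$node_alias" || { echo "CN mismatch for $host" >&2; return 1; }
    export_cert "$host" "$node_alias"
    i=$((i + 1))
  done
  # Step 4: one truststore holding every node's certificate, copied to each node.
  i=0
  for host in $NODES; do
    import_into_truststore "$OUTDIR/.truststore" "dse_node$i"
    i=$((i + 1))
  done
  for host in $NODES; do
    cp "$OUTDIR/.truststore" "$OUTDIR/$host/.truststore"
    lock_down_keystore "$OUTDIR/$host/.keystore"   # step 5
  done
  echo "keystores and truststores written under $OUTDIR"
}

main
```

Each node's directory under the output path holds its own .keystore (private key, mode 0600) and a copy of the shared .truststore; the .cer files are what gets copied between nodes, and the script exits non-zero if any certificate's CN does not match the hostname it was generated for.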