Preparing server certificates
Steps to generate SSL certificates for client-to-node encryption or node-to-node encryption.
To use SSL encryption for client-to-node encryption or node-to-node encryption, SSL certificates must be generated using keytool. If you generate the certificates for one type of encryption, you do not need to generate them again for the other; the same certificates are used for both. All nodes must have all the relevant SSL certificates on all nodes. A keystore contains private keys. The truststore contains SSL certificates for each node. The certificates in the truststore don't require signing by a trusted and recognized public certification authority.
Procedure
-
Generate a private and public key pair on each node of the cluster. Use an
alias that identifies the node. Prompts for the keystore password, dname (first
and last name, organizational unit, organization, city, state, country), and key
password. The dname should be generated with the CN value as the IP address or
FQDN for the node.
keytool -genkey -keyalg RSA -alias node0 -keystore keystore.node0
-
The generation command can also include all prompted-for information in the
command line. This example uses an alias of
node0
, a keystore name ofkeystore.node0
, uses the same password ofcassandra
for both the keystore and the key, and a dname that identifies the IP address of node0 as172.31.10.22
.keytool -genkey -keyalg RSA -alias node0 -validity 36500 -keystore keystore.node0 -storepass cassandra -keypass cassandra -dname "CN=172.31.10.22, OU=None, O=None, L=None, C=None"
Note: In this example, the value for--validity
gives this key pair a validity period of 100 years. The defaultvalidity
value for a key pair is 90 days. -
Export the public part of the certificate to a separate file.
keytool -export -alias cassandra -file node0.cer -keystore .keystore
-
Add the
node0.cer
certificate to the node0 truststore of the node using thekeytool -import
command.keytool -import -v -trustcacerts -alias node0 -file node0.cer -keystore truststore.node0
-
cqlsh
does not work with the certificate in the format generated.openssl
is used to generate a PEM file of the certificate with no keys,node0.cer.pem
, and a PEM file of the key with no certificate,node0.key.pem
. First, the keystore is imported in PKCS12 format to a destination keystore,node0.p12
, in the example. This is followed by the two commands that convert create the two PEM files.keytool -importkeystore -srckeystore keystore.node0 -destkeystore node0.p12 -deststoretype PKCS12 -srcstorepass cassandra -deststorepass cassandra openssl pkcs12 -in node0.p12 -nokeys -out node0.cer.pem -passin pass:cassandra openssl pkcs12 -in node0.p12 -nodes -nocerts -out node0.key.pem -passin pass:cassandra
-
For client-to-remote-node encryption or node-to-node encryption, use a copying
tool such as
scp
to copy thenode0.cer
file to each node. Import the file into the truststore after copying to each node. The example imports the certificate for node0 into the truststore for node1.keytool -import -v -trustcacerts -alias node0 -file node0.cer -keystore truststore.node1
- Make sure keystore file is readable only to the Cassandra daemon and not by any user of the system.
-
Check that the certificates exist in the keystore and truststore files using
keytool -list
. The example shows checking for the node1 certificate in the keystore file and for the node0 and node1 certificates in the truststore file.keytool -list -keystore keystore.node1 keytool -list -keystore truststore.node1