Preparing server certificates for SSL encryption

All nodes require the relevant SSL certificates. The steps below generate SSL certificates for client-to-node encryption or node-to-node encryption.

Tip: OpsCenter Lifecycle Manager can configure DataStax Enterprise clusters to use node-to-node encryption and automates the process of preparing server certificates.
Follow these steps to generate SSL certificates for client-to-node encryption or node-to-node encryption. If you generate the certificates for one type of encryption, you do not need to generate them again: the same certificates are used for both types of encryption.

All nodes must have all the relevant SSL certificates. The keystore holds a node's private key. The truststore holds the SSL certificate of every node; these certificates are self-signed and do not require signing by a trusted, publicly recognized certification authority.
To prepare server certificates:

  1. When using SSL client-to-node encryption, the common name (CN) in the certificate must be the hostname or IP address of the node that issues the command. Ensure that the CN used to generate the SSL certificate matches the DNS-resolvable hostname of the node.
    A mismatch between the CN and the node hostname causes an exception and the connection is refused.
  2. Generate the private and public key pair for each node of the cluster, leaving the key password the same as the keystore password:
    $ keytool -genkey -alias dse_node0 -keyalg RSA -keystore .keystore
    At the prompt "What is your first and last name?", enter the hostname or the fully qualified domain name (FQDN) of the Cassandra node for which you are generating the keys. The value you enter for the first and last name becomes the certificate CN (Common Name), which clients use for server authentication.
  3. Repeat the previous step on each node using a different alias for each node.
  4. Export the public part of the certificate to a separate file and copy the resulting certificate file to all other nodes.
    $ keytool -export -alias dse_node0 -file dse_node0.cer -keystore .keystore
  5. Add the certificate of each node to the truststore of each node, so the nodes can verify the identity of other nodes.
    A prompt for setting a password for the newly created truststore appears.
    $ keytool -import -v -trustcacerts -alias dse_node0 -file dse_node0.cer -keystore .truststore
    $ keytool -import -v -trustcacerts -alias dse_node1 -file dse_node1.cer -keystore .truststore
    . . .
    $ keytool -import -v -trustcacerts -alias dse_nodeN -file dse_nodeN.cer -keystore .truststore
  6. Make sure .keystore is readable only by the DataStax Enterprise daemon and not by any other user of the system.
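The procedure above, carried out non-interactively for a small cluster, as an added example that is not part of the DataStax documentation or tooling. It passes the CN through keytool's -dname option instead of answering the prompt, reads the CN back from the keystore and compares it with the intended hostname before the node is ever started (the mismatch that step 1 warns about is otherwise only discovered when a connection is refused), and finishes by restricting the keystore's permissions as in step 6. The node names, hostnames, password and per-node keystore file names are constructed so that all three nodes' stores can be built in one scratch directory; on a real cluster each node keeps its own .keystore as in step 2.

```shell
#!/bin/sh
# Added example, not DataStax's own script. Constructed values: the dse_node0..2
# aliases, the *.example.internal hostnames, and the password passed in by the caller.
set -eu

# Build the X.500 distinguished name keytool expects, with CN set to the node's
# resolvable hostname (the value the interactive prompt would otherwise ask for).
node_dname() {
  # $1 = node hostname / FQDN
  printf 'CN=%s, OU=dse, O=example, C=US' "$1"
}

# Step 2: generate the node's key pair; key password == keystore password.
gen_node_key() {
  # $1 = alias, $2 = hostname, $3 = keystore file, $4 = password
  keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "$(node_dname "$2")" \
    -keystore "$3" -storepass "$4" -keypass "$4" >/dev/null 2>&1
}

# Step 4: export the public certificate to a file that is copied to the other nodes.
export_node_cert() {
  # $1 = alias, $2 = keystore, $3 = password, $4 = output .cer file
  keytool -export -alias "$1" -file "$4" -keystore "$2" -storepass "$3" >/dev/null 2>&1
}

# Step 5: import one node's certificate into the truststore without a prompt.
import_node_cert() {
  # $1 = alias, $2 = .cer file, $3 = truststore, $4 = password
  keytool -import -noprompt -trustcacerts -alias "$1" -file "$2" \
    -keystore "$3" -storepass "$4" >/dev/null 2>&1
}

# Read back the CN of an alias's certificate from the "Owner:" line of keytool -list -v,
# so it can be checked against the hostname before the node is started.
cert_cn() {
  # $1 = alias, $2 = keystore, $3 = password
  keytool -list -v -alias "$1" -keystore "$2" -storepass "$3" 2>/dev/null \
    | sed -n 's/^Owner: CN=\([^,]*\).*/\1/p' | head -n 1
}

# Count the trusted entries in a truststore: one per node once step 5 is complete.
truststore_entries() {
  # $1 = truststore, $2 = password
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -c 'trustedCertEntry'
}

# Full run for a constructed three-node cluster; prints the truststore entry count.
build_cluster_stores() {
  # $1 = working directory, $2 = keystore/truststore password
  dir=$1; pw=$2
  mkdir -p "$dir"
  for i in 0 1 2; do
    node_alias="dse_node$i"; host="dse-node$i.example.internal"
    gen_node_key "$node_alias" "$host" "$dir/$node_alias.keystore" "$pw"
    export_node_cert "$node_alias" "$dir/$node_alias.keystore" "$pw" "$dir/$node_alias.cer"
    # Step 1 check: the CN inside the certificate must equal the node's hostname.
    [ "$(cert_cn "$node_alias" "$dir/$node_alias.keystore" "$pw")" = "$host" ] \
      || { echo "CN mismatch for $node_alias" >&2; return 1; }
    # Step 6: only the owning service account may read the private key.
    chmod 600 "$dir/$node_alias.keystore"
  done
  # Every node's certificate goes into the one truststore that every node receives.
  for i in 0 1 2; do
    import_node_cert "dse_node$i" "$dir/dse_node$i.cer" "$dir/.truststore" "$pw"
  done
  truststore_entries "$dir/.truststore" "$pw"
}
```

Run it with `. ./prepare_certs.sh; build_cluster_stores /tmp/dse-certs 'changeit'` (file name and password are placeholders); it prints 3 when all three certificates were imported. The -dname, -storepass and -noprompt options are standard keytool options and make the steps scriptable, which also keeps the key password and keystore password identical as step 2 requires.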