Create a root CA and signing certificate

Bring your own (BYO) root CA for signing node certificates.

In development and testing environments you can set up your own root CA to sign DataStax Enterprise node certificates for SSL.

Note: Ensure that the root CA files created in these steps are secured on a fully isolated computer dedicated to CA certificate management.

Procedure

  1. Create a directory for the BYO root CA signing certificate/key and then change to that directory:
    mkdir -p rootca_path &&
    cd rootca_path
  2. Create a configuration file (rootca.conf) with the minimal settings:
    # rootca.conf
    [ req ]
    distinguished_name       = CA_DN
    prompt                   = no
    output_password          = rootca_password
    default_bits             = 2048
    
    [ CA_DN ]
    C  = CC
    O  = org_name
    OU = cluster_name
    CN = CA_CN
  3. Create a root pair, rootca.key and rootca.crt.
    openssl req -config rootca.conf \
    -new -x509 -nodes \
    -subj /CN=CA_CN/OU=cluster_name/O=org_name/C=CC/ \
    -keyout rootca.key \
    -out rootca.crt \
    -days 365
    This method is only for development and test environments. Secure these files; anybody with access to them can sign certificates.
    Tip: A BYO CA in a production environment typically uses an intermediate certificate chain.
  4. Verify the root certificate:
    openssl x509 -in rootca.crt -text -noout
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: 14793138693831603662 (0xcd4bc943beeb35ce)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=datastax, OU=pw-j-dse, CN=rootCa
            Validity
                Not Before: Jan 23 20:15:06 2017 GMT
                Not After : Jan 23 20:15:06 2018 GMT
            Subject: C=US, O=datastax, OU=pw-j-dse, CN=rootCa
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha256WithRSAEncryption
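
The procedure above as one script, followed by checks a reviewer would run on the resulting files. This is an added example, not DataStax code. The function names, the DN values and the 30-day expiry window are assumptions, and -subj is left out because the subject is read from rootca.conf.

```shell
#!/bin/sh
# Added example, not DataStax code. DN values and the 30-day window are constructed.

make_rootca() (            # $1 = directory for the root CA files (steps 1-3)
    umask 077              # key and config are created owner-only
    mkdir -p "$1" && cd "$1" || exit 1
    cat > rootca.conf <<'EOF'
[ req ]
distinguished_name = CA_DN
prompt             = no
default_bits       = 2048

[ CA_DN ]
C  = US
O  = example_org
OU = example_cluster
CN = exampleRootCa
EOF
    # The subject comes from [ CA_DN ]; -nodes leaves rootca.key unencrypted,
    # so file permissions are the only protection on the key.
    openssl req -config rootca.conf -new -x509 -nodes \
        -keyout rootca.key -out rootca.crt -days 365 2>/dev/null
)

check_rootca() {           # $1 = directory; returns 0, or the number of the failed check
    crt="$1/rootca.crt"; key="$1/rootca.key"
    # 1: a root is self-signed, so issuer and subject are the same name
    [ "$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer= *//')" = \
      "$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject= *//')" ] || return 1
    # 2: the signature verifies under the certificate's own public key
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || return 2
    # 3: rootca.key is the private half of the key in rootca.crt
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] || return 3
    # 4: no group/other access to the signing key
    case "$(ls -l "$key")" in -rw-------*|-r--------*) ;; *) return 4 ;; esac
    # 5: not within 30 days of expiry (step 3 issues for 365 days)
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null || return 5
}

# Usage: sh rootca_check.sh rootca_path   (the script name is hypothetical)
if [ -n "${1:-}" ]; then
    make_rootca "$1" && check_rootca "$1"
fi
```

A non-zero return from check_rootca is the number of the first check that failed, so a wrapper can report which property of the CA files is wrong.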