Creating a certificate signing request

For each node in the cluster, create a keystore and key pair, and certificate signing request using FQDN of the node.

Note: These steps are required even when using a third-party CA or when adding a node to an existing DSE environment with SSL enabled.

Procedure

  1. Create a directory to store the keystores and change to the directory:
    mkdir -p dse/keystores
    cd dse/keystores
  2. For each node, generate a keystore with key pair:
    keytool -genkeypair -keyalg RSA \
    -alias node_name \
    -keystore keystore_name.jks \
    -storepass myKeyPass \
    -keypass myKeyPass \
    -validity 365 \
    -keysize 2048 \
    -dname "CN=host_name, OU=cluster_name, O=org_name, C=US"
    where the host_name is the FQDN (Fully Qualified Domain Name).
    Important:
    Use a DNS-resolvable FQDN (Fully Qualified Domain Name) for each node. To confirm that the name you are using is correct, run the following commands on each node:
    nslookup $(hostname --fqdn) && hostname --fqdn && hostname -i
    Server:		10.200.1.10
    Address:	10.200.1.10#53
    
    Name:	node.example.com
    Address: 10.200.182.183
    
    node.example.com
    10.200.182.183

    The Common Name (CN) that is used to generate the SSL certificate must match the DNS-resolvable host name. A mismatch between the CN and the node's hostname causes an exception and the connection is refused.

  3. Verify each SSL keystore and key pair:
    keytool -list -keystore keystore_name.jks -storepass myKeyPass
    Results for a keystore with a single entry with alias node1:
    Keystore type: JKS
    Keystore provider: SUN
    
    Your keystore contains 1 entry
    
    node1, Jan 23, 2017, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 12:B7:45:AA:AD:F0:22:23:3F:13:FC:2C:3D:A4:4F:84:16:96:58:66
  4. Generate a signing request from each keystore:
    keytool -keystore keystore_name.jks \
    -alias node_name \
    -certreq -file signing_request.csr \
    -keypass myKeyPass \
    -storepass myKeyPass \
    -dname "CN=host_name, OU=cluster_name, O=org_name, C=US"
    
    The certificate signing request file (signing_request.csr) is created. Repeat for each node, ensuring that the dname information matches the node information.
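The four steps above, assembled into one per-node script, as an added example that is not part of the DataStax documentation. It assumes GNU hostname, getent and keytool are available on the node and uses the placeholder cluster, organization and password values from the procedure; the CN that keytool actually stored is read back and compared with the FQDN before the CSR is generated, so the CN/hostname mismatch described in step 2 is caught on the node rather than at connection time.

```shell
#!/bin/sh
# Added example (not DataStax code): keystore, key pair, verification and CSR per node,
# with an FQDN sanity check so the CN cannot drift from the DNS-resolvable name.
set -eu

KEYSTORE_DIR="dse/keystores"                 # directory from step 1
CLUSTER_NAME="${CLUSTER_NAME:-cluster_name}" # placeholders from the procedure
ORG_NAME="${ORG_NAME:-org_name}"
STORE_PASS="${STORE_PASS:-myKeyPass}"        # placeholder; use a real secret in practice

# Build the -dname string in the form the procedure prescribes, with CN = node FQDN.
node_dname() {
    printf 'CN=%s, OU=%s, O=%s, C=US' "$1" "$CLUSTER_NAME" "$ORG_NAME"
}

# Extract the CN attribute from a dname string such as keytool's "Owner:" line.
cn_of() {
    printf '%s' "$1" | sed -n 's/^CN=\([^,]*\).*/\1/p'
}

# Return 0 when the CN in a dname equals the FQDN, 1 otherwise (the mismatch case).
cn_matches() {
    [ "$(cn_of "$2")" = "$1" ]
}

# Check that the FQDN is what the host reports and that it resolves (run on the node).
check_fqdn() {
    case "$1" in *.*) ;; *) echo "not an FQDN: $1" >&2; return 1 ;; esac
    [ "$(hostname --fqdn)" = "$1" ] || { echo "hostname --fqdn differs from $1" >&2; return 1; }
    getent hosts "$1" >/dev/null || { echo "$1 does not resolve" >&2; return 1; }
}

# Steps 1-4 for one node; the alias is the short host name, the keystore is named after it.
create_node_csr() {
    fqdn="$1"; alias="${fqdn%%.*}"; ks="$KEYSTORE_DIR/$alias.jks"
    check_fqdn "$fqdn"
    mkdir -p "$KEYSTORE_DIR"
    keytool -genkeypair -keyalg RSA -alias "$alias" -keystore "$ks" -storepass "$STORE_PASS" \
        -keypass "$STORE_PASS" -validity 365 -keysize 2048 -dname "$(node_dname "$fqdn")"
    # Read back the subject keytool stored and refuse to request a certificate on mismatch.
    stored="$(keytool -list -v -keystore "$ks" -storepass "$STORE_PASS" -alias "$alias" \
        | sed -n 's/^Owner: //p')"
    cn_matches "$fqdn" "$stored" || { echo "CN mismatch in $ks: $stored" >&2; return 1; }
    keytool -keystore "$ks" -alias "$alias" -certreq -file "$KEYSTORE_DIR/$alias.csr" \
        -keypass "$STORE_PASS" -storepass "$STORE_PASS"
}

# Usage: ./make_csr.sh node1.example.com node2.example.com ...
if [ "$#" -gt 0 ]; then
    for fqdn in "$@"; do create_node_csr "$fqdn"; done
fi
```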