Creating a truststore for all nodes

Use the same truststore that contains the certificate authority (CA) certificate.

Create a truststore that is used on all nodes so that every node recognizes the CA. Even when using a well-known certificate authority, DataStax recommends creating a truststore that contains the signing CA certificate (or the certificate chain, following the instructions from your CA). Most well-known CA certificates are already available through the DSE Java implementation.

This section uses the following variables:
  • Root CA key and signing certificate
    • rootca.key - Key file for the root certificate
    • rootca.crt - Certificate used to sign (authorize) DSE node SSL certificates
    Important: Anybody with access to the key and signing certificate can authorize hosts as the root certificate authority. Always secure these files.
  • Truststore variables:
    • dse-truststore_name.jks - Truststore that contains the root certificate
    • key_password -
    • trustedCert -

Procedure

  1. Create a single truststore:
    keytool -keystore dse-truststore.jks \
    -importcert -file 'rootca.crt' \
    -keypass key_password \
    -storepass truststore_password \
    -noprompt
    The truststore contains a single entry.
  2. Verify the truststore created in step 1 using the following command:
    keytool -list \
    -keystore dse-truststore.jks \
    -storepass truststore_password
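As an added example (not part of the DataStax page), the following POSIX shell script performs step 1 and then goes further than step 2: instead of only listing the truststore, it checks that the entry in it is the same certificate as rootca.crt by comparing SHA-256 fingerprints, which is the check to run on each node after the truststore has been copied there. It assumes keytool (from the JDK) is on PATH, uses the alias rootca (the page's command gives no -alias, so keytool would store the entry under the default alias mykey), and the make_demo_ca helper generates a throwaway self-signed CA as constructed test input.

```shell
#!/bin/sh
# Added example, not from the DataStax page. Builds the node truststore from a
# root CA certificate (step 1), then checks that the stored entry really is that
# CA: the SHA-256 fingerprint of the certificate in the store must equal the
# fingerprint of rootca.crt. Assumes keytool (JDK) is on PATH; all file names,
# passwords and the alias "rootca" are placeholders.

# create_truststore <rootca.crt> <truststore.jks> <storepass>
# Imports the CA certificate as a trusted certificate entry. Such an entry has
# no private key, so no -keypass is needed.
create_truststore() {
    rm -f "$2"
    keytool -keystore "$2" -importcert -file "$1" -alias rootca \
        -storepass "$3" -noprompt >/dev/null 2>&1
}

# cert_fingerprint <cert file> : SHA-256 fingerprint as printed by keytool
cert_fingerprint() {
    keytool -printcert -file "$1" 2>/dev/null | sed -n 's/.*SHA256: *//p' | head -n 1
}

# store_fingerprint <truststore.jks> <storepass> <alias> : SHA-256 of one entry
store_fingerprint() {
    keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | sed -n 's/.*SHA256: *//p' | head -n 1
}

# verify_truststore <rootca.crt> <truststore.jks> <storepass> <alias>
# Prints "ok" when the store entry is exactly the CA certificate, otherwise
# "mismatch" (wrong certificate, wrong alias, wrong password or missing file).
verify_truststore() {
    expected=$(cert_fingerprint "$1")
    actual=$(store_fingerprint "$2" "$3" "$4")
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# make_demo_ca <dir> : constructed test input, a throwaway self-signed root CA
# written to <dir>/rootca.crt; in production rootca.crt comes from your real CA.
make_demo_ca() {
    mkdir -p "$1"
    keytool -genkeypair -keyalg RSA -keysize 2048 -alias rootca \
        -dname "CN=Demo Root CA" -validity 1 -keystore "$1/ca.jks" \
        -storepass changeit -keypass changeit >/dev/null 2>&1
    keytool -exportcert -alias rootca -keystore "$1/ca.jks" \
        -storepass changeit -rfc -file "$1/rootca.crt" >/dev/null 2>&1
}
```

Run verify_truststore on every node against the rootca.crt kept with the CA; any output other than ok means that node's truststore does not contain the CA it is supposed to trust.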