Creating a truststore for all nodes
Create a truststore that is used to ensure that all nodes recognize the certificate authority (CA). Even when using a well-known certificate authority, DataStax recommends creating a truststore with the signing CA certificate or certificate chain (following the instructions from your CA). Most well-known CA certificates are already available through the DataStax Enterprise (DSE) Java implementation.
Procedure
- Create a single truststore, and add the root certificate to the truststore. For the <keystore_type>, enter JKS. If prompted whether to import the certificate, enter yes:

    keytool -keystore <dse-truststore.jks> \
      -storetype <keystore_type> \
      -importcert -file '<rootca.crt>' \
      -keypass <keystore_password> \
      -storepass <truststore_password> \
      -alias <rootca_name> \
      -noprompt
  - dse-truststore.jks
    Truststore that contains the root certificate. Use the same truststore that contains the root certificate on all nodes.
  - keystore_type
    Valid types are JKS, JCEKS, PKCS11, or PKCS12. For file-based keystores, use PKCS12. DataStax supports PKCS11 as a keystore_type on nodes with cassandra or advanced workloads. The advanced workload support was added for DSE 6.8.2 and later. If PKCS11 is needed, in server_encryption_options or client_encryption_options, specify the keystore_type as PKCS11 and the keystore as NONE. PKCS11 is not supported as a truststore_type.
    Default: JKS
  - rootca.crt
    Certificate used to sign (authorize) DSE node SSL certificates.
  - keystore_password
    Password used to protect the private key of the key pair.
    Default: none
  - truststore_password
    Password required to access the keystore.
    Default: none
  - rootca_name
    Name (alias) used to identify the root certificate when importing into the node's keystore. For example, in a rootca.conf file, the CN = CA_CN entry shown in Creating a root CA certificate.

  A message displays indicating that the certificate was added. The truststore now contains a single entry:

    Certificate was added to keystore
- Verify the truststore to ensure that it contains the root certificate:

    keytool -list \
      -keystore <dse-truststore.jks> \
      -storepass <truststore_password>

  The command output indicates the keystore type, provider, number of entries, creation date, and certification details:

    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 1 entry

    <rootca_name>, Aug 8, 2019, trustedCertEntry,
    Certificate fingerprint (SHA1): <SHA1-hash>
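As an added example (not part of the DataStax documentation), the following POSIX shell script runs both steps above and then checks the listing the way an operator should before copying the truststore to every node: exactly one entry, it is a trustedCertEntry under the expected alias, and its SHA1 fingerprint equals the fingerprint openssl computes from the CA certificate file itself. The file names, alias and password are assumed placeholder values, and the fingerprint in the comments is constructed.

```shell
#!/bin/sh
# Added example, not part of the DataStax docs. Creates the truststore from a
# CA certificate and checks that the listing holds the expected single entry.
# File names, alias and password used here are assumed placeholder values.

# Check a `keytool -list` listing: exactly one entry, it is a trustedCertEntry
# under $alias, and its SHA1 fingerprint equals $expected_fp (colon-separated
# uppercase hex, e.g. 3A:1F:...). Assumes keytool prints "(SHA1)" as in the
# listing on this page; newer JDKs print "(SHA-256)", in which case match that
# label here and pass -sha256 to openssl below.
verify_truststore_listing() {
  listing="$1"; alias="$2"; expected_fp="$3"
  count=$(printf '%s\n' "$listing" | grep -c 'trustedCertEntry') || true
  [ "$count" -eq 1 ] || return 1
  printf '%s\n' "$listing" | grep -q "^$alias, .*trustedCertEntry" || return 1
  found_fp=$(printf '%s\n' "$listing" | sed -n 's/.*(SHA1): *//p' | tr -d ' \r' | head -n 1)
  [ "$found_fp" = "$expected_fp" ]
}

# Import the CA certificate into a fresh JKS truststore (step 1 above), then
# list it (step 2) and compare the stored fingerprint with the one openssl
# reports for the same certificate file, so a wrong or swapped file is caught.
create_and_verify_truststore() {
  ca_cert="$1"; truststore="$2"; ts_pass="$3"; alias="$4"
  keytool -keystore "$truststore" -storetype JKS -importcert \
    -file "$ca_cert" -storepass "$ts_pass" -alias "$alias" -noprompt || return 1
  expected=$(openssl x509 -in "$ca_cert" -noout -fingerprint -sha1 | sed 's/^.*=//')
  listing=$(keytool -list -keystore "$truststore" -storepass "$ts_pass")
  verify_truststore_listing "$listing" "$alias" "$expected"
}

# Usage: sh verify_truststore.sh rootca.crt dse-truststore.jks '<truststore_password>' rootca
if [ "$#" -eq 4 ]; then
  if create_and_verify_truststore "$@"; then
    echo "truststore OK: single trustedCertEntry '$4' matches $1"
  else
    echo "truststore check FAILED" >&2
    exit 1
  fi
fi
```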