Untitled | DataStax Enterprise

Creating a root CA certificate

In development and testing environments, you can set up your own root Certificate Authority (CA) to sign DataStax Enterprise (DSE) node certificates for SSL. In this model, generate your own root certificate that is to be used to sign the certificate on every node, generate certificates for individual nodes, sign them, and generate corresponding keystores for every node.

If you want to use a remote keystore provider instead, then see Using a remote keystore provider.

Procedure

Create a directory for the root CA signing certificate/key, and then change to that directory:
```
mkdir -p <rootca_path>
```
```
cd <rootca_path>
```
rootca_path

Directory where the root certificate is created and stored. DataStax recommends securing this directory, ideally on a computer isolated from the network.
Create a <rootca.conf> configuration file:
```
touch rootca.conf
```
rootca.conf

Root CA configuration file.
Edit the <rootca.conf> file and add the following minimal settings:
```
# <rootca.conf>
[ req ]
distinguished_name = <CA_DN>
prompt             = no
output_password    = <rootca_password>
default_bits       = 2048

[ <CA_DN> ]
C  = <CC>
O  = <org_name>
OU = <cluster_name>
CN = <CA_CN>
```
CA_DN

Title for the section containing the Distinguished Name (DN) properties for the CA.

rootca_password

Password for the generated file used to sign certificates.

CC

Two letter country code, such as <US> for United States or <JP> for Japan. See Nations Online for a complete list of country codes.

org_name

Name of your organization.

cluster_name

Name of your DataStax Enterprise (DSE) cluster.

CA_CN

Common Name (CN) for the root CA.

Use openssl to create a root key/certificate pair:

openssl req -config rootca.conf \
-new -x509 -nodes \
-keyout rootca.key \
-out rootca.crt \
-days 3650

The -x509 option outputs a signed certificate used as the root CA. The number of days specified by the -days option affects the duration for which all signed certificates are valid. Indicating a higher number of days means that the certificates are valid for a longer period. In the previous example, the root CA is valid for 3650 days, which is approximately 10 years.

Two files are created: rootca.key and rootca.crt.

Verify the root certificate:

openssl x509 -in <rootca.crt> -text -noout

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: <serial_number> (0xcd4bc943beeb35ce)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=datastax, OU=pw-j-dse, CN=rootCa
        Validity
            Not Before: Jul 23 20:15:06 2019 GMT
            Not After : Jul 23 20:15:06 2020 GMT
        Subject: C=US, O=datastax, OU=pw-j-dse, CN=rootCa
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d8:71:e0:51:07:ad:f1:f7:0b:4d:2c:10:4c:24:
                    19:9f:1f:d4:2a:a1:a6:89:3d:e1:12:81:3b:4d:bd:
                    2d:da:fb:9e:d5:c5:ba:ed:82:80:28:35:e5:00:86:
                    ...
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         43:8d:98:8c:d7:26:52:41:ad:de:c9:80:8d:4f:d6:6e:21:69:
         81:7d:eb:af:93:6e:15:ad:9d:fe:ee:1a:60:d6:aa:92:86:a2:
         fd:e1:8f:95:b9:ee:db:59:63:fd:cd:05:72:63:d6:6b:14:cf:
         ...

Creating a root CA certificate

Procedure

Was this helpful?

Give Feedback