Importing the Signed Certificate into the Node Keystore

For each node in the cluster, create a keystore and import the signed certificate. The variables that you enter in the following commands must match the information that you entered in Creating a key and certificate for each node.


  1. Import the root certificate (rootca.crt) into each node’s keystore:

    You created the root certificate when Creating a truststore for all nodes.

    keytool -keystore <node-keystore.jks> \
    -alias <rootca_name> \
    -importcert -file '<path/to/rootca.crt>' \
    -keypass <keystore_password> \
    -storepass <truststore_password> \

    Name (alias) used to identify the root certificate when importing into the node’s keystore. For example, in a rootca.conf file, the CN = CA_CN entry shown in Creating a root CA certificate.

    If the signed certificate for the node is imported before the root certificate, an error occurs:

    keytool error: java.lang.Exception: Failed to establish chain from reply
  2. Import the node’s signed certificate (signing_request.crt_signed) into the corresponding keystore on the node:

    keytool -keystore <node-keystore.jks> \
    -alias <node_name> \
    -importcert -file <signing_request.crt_signed> \
    -keypass <node-key_password> \
    -storepass <keystore_password> \

    The alias <node_name> must match the alias name used to generate the signing request. See Creating a key and certificate for each node.

    Confirmation of the installation appears:

    Certificate was added to keystore
  3. Verify your keystore again, which should now contain two entries. One entry is for the node keystore, and the other for the imported root certificate:

    keytool -list \
    -keystore <node-keystore.jks> \
    -storepass <truststore_password>

    Each keystore entry is identified by the name you entered for the -alias:

    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 2 entries
    <node_name>, Aug 8, 2019, trustedCertEntry,
    Certificate fingerprint (SHA1): <SHA1-hash>
    <rootca_name>, Aug 8, 2019, trustedCertEntry,
    Certificate fingerprint (SHA1): <SHA1-hash>
  4. Repeat the previous steps on each node to import the root certificate, and then import the signed certificate into the keystore.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000,