Creating a root CA certificate
In development and testing environments, you can set up your own root Certificate Authority (CA) to sign DataStax Enterprise (DSE) node certificates for SSL. In this model, you generate your own root certificate, generate a certificate for each node, sign each node certificate with the root, and generate a corresponding keystore for every node.
If you want to use a remote keystore provider instead, then see Using a remote keystore provider.
Procedure
- Create a directory for the root CA signing certificate/key, and then change to that directory:

    mkdir -p <rootca_path>
    cd <rootca_path>

  rootca_path
    Directory where the root certificate is created and stored. DataStax recommends securing this directory, ideally on a computer isolated from the network.
- Create a <rootca.conf> configuration file:

    touch rootca.conf

  rootca.conf
    Root CA configuration file.
- Edit the <rootca.conf> file and add the following minimal settings:

    # <rootca.conf>
    [ req ]
    distinguished_name = <CA_DN>
    prompt = no
    output_password = <rootca_password>
    default_bits = 2048

    [ <CA_DN> ]
    C = <CC>
    O = <org_name>
    OU = <cluster_name>
    CN = <CA_CN>

  CA_DN
    Title for the section containing the Distinguished Name (DN) properties for the CA.
  rootca_password
    Password for the generated file used to sign certificates.
  CC
    Two-letter country code, such as <US> for the United States or <JP> for Japan. See Nations Online for a complete list of country codes.
  org_name
    Name of your organization.
  cluster_name
    Name of your DataStax Enterprise (DSE) cluster.
  CA_CN
    Common Name (CN) for the root CA.
- Use openssl to create a root key/certificate pair:

    openssl req -config rootca.conf \
      -new -x509 -nodes \
      -keyout rootca.key \
      -out rootca.crt \
      -days 3650

  The -x509 option outputs a self-signed certificate, used as the root CA, instead of a certificate signing request. The -days option sets how long the root CA certificate is valid, which in turn bounds the period during which every certificate it signs can be used; a higher number of days keeps the certificates valid for longer. In the previous example, the root CA is valid for 3650 days, which is approximately 10 years. Two files are created: rootca.key (the private key) and rootca.crt (the certificate).
- Verify the root certificate:

    openssl x509 -in <rootca.crt> -text -noout

  Sample output:

    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: <serial_number> (0xcd4bc943beeb35ce)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=datastax, OU=pw-j-dse, CN=rootCa
            Validity
                Not Before: Jul 23 20:15:06 2019 GMT
                Not After : Jul 23 20:15:06 2020 GMT
            Subject: C=US, O=datastax, OU=pw-j-dse, CN=rootCa
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:d8:71:e0:51:07:ad:f1:f7:0b:4d:2c:10:4c:24:
                        19:9f:1f:d4:2a:a1:a6:89:3d:e1:12:81:3b:4d:bd:
                        2d:da:fb:9e:d5:c5:ba:ed:82:80:28:35:e5:00:86:
                        ...
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha256WithRSAEncryption
             43:8d:98:8c:d7:26:52:41:ad:de:c9:80:8d:4f:d6:6e:21:69:
             81:7d:eb:af:93:6e:15:ad:9d:fe:ee:1a:60:d6:aa:92:86:a2:
             fd:e1:8f:95:b9:ee:db:59:63:fd:cd:05:72:63:d6:6b:14:cf:
             ...
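The following script is an added example, not part of the DataStax documentation: it runs the procedure above end to end with constructed DN values and then checks, rather than eyeballs, the properties the verification step is meant to confirm (self-signed, 2048-bit RSA, validity equal to the -days value). It assumes the openssl CLI is on PATH; the directory, DN values and function names are assumptions.

```shell
# Added example (not DataStax's code). Assumes the openssl CLI is installed.
# Every DN value below is constructed for the demonstration.
set -eu

# Write the page's minimal rootca.conf into $1 and generate rootca.key and
# rootca.crt there, valid for $2 days (default 3650, as on the page).
make_rootca() {
    dir="$1"
    days="${2:-3650}"
    mkdir -p "$dir"
    cat > "$dir/rootca.conf" <<'EOF'
[ req ]
distinguished_name = ca_dn
prompt = no
default_bits = 2048

[ ca_dn ]
C = US
O = example-org
OU = example-cluster
CN = rootCa
EOF
    # -x509 yields a self-signed certificate instead of a CSR; -nodes leaves the
    # key unencrypted (so the page's output_password would not apply and is omitted).
    openssl req -config "$dir/rootca.conf" -new -x509 -nodes \
        -keyout "$dir/rootca.key" -out "$dir/rootca.crt" -days "$days" \
        2>/dev/null
}

# Check the certificate in $1: self-signed, 2048-bit RSA, and valid for the
# number of days given in $2 (default 3650). Returns 0 only if every check passes.
check_rootca() {
    crt="$1/rootca.crt"
    days="${2:-3650}"
    subject=$(openssl x509 -in "$crt" -noout -subject)
    issuer=$(openssl x509 -in "$crt" -noout -issuer)
    # A root CA is self-signed: issuer equals subject, and the certificate
    # verifies with itself as the only trust anchor.
    [ "${subject#subject=}" = "${issuer#issuer=}" ] || return 1
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$crt" -noout -text | grep -q 'Public-Key: (2048 bit)' || return 1
    # -checkend SECONDS succeeds only if the certificate is still valid at that
    # point: it must be valid one day before the requested expiry and expired
    # one day after it, which pins the validity to the -days value.
    openssl x509 -in "$crt" -noout -checkend $(( (days - 1) * 86400 )) >/dev/null || return 1
    ! openssl x509 -in "$crt" -noout -checkend $(( (days + 1) * 86400 )) >/dev/null
}
```

Run it with `make_rootca /path/to/rootca && check_rootca /path/to/rootca`; a non-zero exit from check_rootca means one of the properties above does not hold.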