Creating a root CA certificate

In development and testing environments, you can set up your own root Certificate Authority (CA) to sign DataStax Enterprise (DSE) node certificates for SSL. In this model, generate your own root certificate that is to be used to sign the certificate on every node, generate certificates for individual nodes, sign them, and generate corresponding keystores for every node.

If you want to use a remote keystore provider instead, then see Using a remote keystore provider.


  1. Create a directory for the root CA signing certificate/key, and then change to that directory:

    mkdir -p <rootca_path>
    cd <rootca_path>

    Directory where the root certificate is created and stored. DataStax recommends securing this directory, ideally on a computer isolated from the network.

  2. Create a <rootca.conf> configuration file:

    touch rootca.conf

    Root CA configuration file.

  3. Edit the <rootca.conf> file and add the following minimal settings:

    # <rootca.conf>
    [ req ]
    distinguished_name = <CA_DN>
    prompt             = no
    output_password    = <rootca_password>
    default_bits       = 2048
    [ <CA_DN> ]
    C  = <CC>
    O  = <org_name>
    OU = <cluster_name>
    CN = <CA_CN>

    Title for the section containing the Distinguished Name (DN) properties for the CA.


    Password for the generated file used to sign certificates.


    Two letter country code, such as <US> for United States or <JP> for Japan. See Nations Online for a complete list of country codes.


    Name of your organization.


    Name of your DataStax Enterprise (DSE) cluster.


    Common Name (CN) for the root CA.

  4. Use openssl to create a root key/certificate pair:

    openssl req -config rootca.conf \
    -new -x509 -nodes \
    -keyout rootca.key \
    -out rootca.crt \
    -days 3650

    The -x509 option outputs a signed certificate used as the root CA. The number of days specified by the -days option affects the duration for which all signed certificates are valid. Indicating a higher number of days means that the certificates are valid for a longer period. In the previous example, the root CA is valid for 3650 days, which is approximately 10 years.

    Two files are created: rootca.key and rootca.crt.

  5. Verify the root certificate:

    openssl x509 -in <rootca.crt> -text -noout
            Version: 1 (0x0)
            Serial Number: <serial_number> (0xcd4bc943beeb35ce)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=datastax, OU=pw-j-dse, CN=rootCa
                Not Before: Jul 23 20:15:06 2019 GMT
                Not After : Jul 23 20:15:06 2020 GMT
            Subject: C=US, O=datastax, OU=pw-j-dse, CN=rootCa
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha256WithRSAEncryption

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000,