Reference: SSL instruction variables

The following variables are used throughout this section to demonstrate how to create local keystore files when configuring SSL on a two node, single datacenter cluster.

Anyone with access to the CA key and signing certificate can authorize hosts as the root certificate authority. Always secure these files.

Root certificate authority (CA) variables

rootca_path

Directory where the root certificate is created and stored. DataStax recommends securing this directory, ideally on a computer isolated from the network.

rootca.conf

Root CA configuration file.

Distinguished Name (DN) properties

CA_DN

Title for the section containing the Distinguished Name (DN) properties for the CA.

rootca_password

Password for the generated file used to sign certificates.

CC

Two letter country code, such as <US> for United States or <JP> for Japan.

org_name

Name of your organization.

cluster_name

Name of your DataStax Enterprise (DSE) cluster.

CA_CN

Common Name (CN) for the root CA.

Key and signing certificate

rootca.key

Key file for the root CA certificate.

rootca.crt

Certificate used to sign (authorize) DSE node SSL certificates.

Truststore and keystore variables

dse-truststore.jks

Truststore that contains the root certificate. Use the same root certificate truststore on all nodes.

node-keystore.jks

Keystore for the individual node.

Default: none

node-key_password

Password used to protect the individual private key.

Default: none

keystore_password

Password used to protect the private key of the key pair.

Default: none

truststore_password

Password required to access the keystore.

Default: none

node_certificate_path

Location where the certificate file for each DSE node is created. Typically, SSL certificates and keys are generated on a secure system that is isolated from the network.

node_name

Fully Qualified Domain Name (FQDN) of the node, such as ip-10-200-182-183.example.com. When using the FQDN as the node_name, you can add the IP address as a subject alternative name (SAN) so that the certificate protects the IP address in addition to the domain name.

node_ip_address

If the domain name is the node_name for the CA, add san=ip:ip_address to the -ext option. Using the IP address as a subject alternative name (SAN) ensures that the certificate protects the IP address in addition to the domain name. For example:

-ext "san=ip:10.200.100.52"
signing_request.csr

Certificate signing request (CSR) that is passed to the Certificate Authority (CA) to sign the certificate. The CSR typically includes the public key plus associated metadata such as the Common Name (CN), Organization (O), Organization Unit (OU), and Country (C).

signing_request.crt_signed

The signed certificate file to create, using the certificate signing request (CSR) (signing_request.csr) as the input file.

san_config_file.conf

If you use the domain name as the <node_name> and the node IP address as a Subject Alternative Name (SAN), then create a temporary configuration file and pass it in using the -extfile option. In the configuration file, use the subjectAltName parameter to specify the DNS and IP. For example:

subjectAltName=DNS:<node_name>,IP:<node_ip_address>

You can specify multiple SANs in the same configuration file:

subjectAltName=DNS:domain1,IP:10.200.100.52
subjectAltName=DNS:domain1,IP:10.200.101.63
subjectAltName=DNS:domain1,IP:10.200.111.74
subjectAltName=DNS:domain1,IP:10.200.121.85

Was this helpful?

Give Feedback

How can we improve the documentation?

© Copyright IBM Corporation 2025 | Privacy policy | Terms of use Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: Contact IBM