Reference: SSL instruction variables

The following variables are used throughout this section to demonstrate how to create local keystore files when configuring SSL on a two node, single datacenter cluster.

Anyone with access to the CA key and signing certificate can authorize hosts as the root certificate authority. Always secure these files.

Root certificate authority (CA) variables

rootca_path: Directory where the root certificate is created and stored. DataStax recommends securing this directory, ideally on a computer isolated from the network.

rootca.conf: Root CA configuration file.

Distinguished Name (DN) properties

CA_DN: Title for the section containing the Distinguished Name (DN) properties for the CA.
rootca_password: Password for the generated file used to sign certificates.
CC: Two letter country code, such as <US> for United States or <JP> for Japan. See Nations Online for a complete list of country codes.
org_name: Name of your organization.
cluster_name: Name of your DataStax Enterprise (DSE) cluster.
CA_CN: Common Name (CN) for the root CA.

Key and signing certificate

rootca.key: Key file for the root CA certificate.
rootca.crt: Certificate used to sign (authorize) DSE node SSL certificates.

Truststore and keystore variables

dse-truststore.jks

Truststore that contains the root certificate.

Use the same truststore that contains the root certificate on all nodes.

node-keystore.jks

Keystore for the individual node.

Default: none

node-key_password

Password used to protect the individual private key.

Default: none

keystore_password

Password used to protect the private key of the key pair.

Default: none

truststore_password

Password required to access the keystore.

Default: none

node_certificate_path

Location where the certificate file for each DSE node is created. Typically, SSL certificates and keys are generated on a secure system that is isolated from the network.

node_name

Fully Qualified Domain Name (FQDN) of the node, such as ip-10-200-182-183.example.com. If using the FQDN as the node_name, you can add the IP address as a subject alternative name (SAN) so that the certificate protects the IP address in addition to the domain name.

node_ip_address

If using the domain name as the node_name for the CA, add san=ip:ip\_address to the -ext option. Using the IP address as a subject alternative name (SAN) ensures that the certificate protects the IP address in addition to the domain name. For example:

-ext "san=ip:10.200.100.52"

signing_request.csr

Certificate signing request (CSR) that is passed to the Certificate Authority (CA) to sign the certificate. The CSR typically includes the public key, plus associated metadata such as the Common Name (CN), Organization (O), Organization Unit (OU), and Country ©.

signing_request.crt_signed

The signed certificate file to create, using the certificate signing request (CSR) (signing_request.csr) as the input file.

san_config_file.conf

If using the domain name as the node_name and the node IP address as a subject alternative name (SAN), create a temporary configuration file and pass it in using the -extfile option. In the configuration file, use the subjectAltName parameter to specify the DNS and IP.

For example:

subjectAltName=DNS:node\_name,IP:node\_ip\_address

You can specify multiple SANs in the same configuration file:

subjectAltName=DNS:domain1,IP:10.200.100.52
subjectAltName=DNS:domain1,IP:10.200.101.63
subjectAltName=DNS:domain1,IP:10.200.111.74
subjectAltName=DNS:domain1,IP:10.200.121.85

Reference: SSL instruction variables

Root certificate authority (CA) variables

Distinguished Name (DN) properties

Key and signing certificate

Truststore and keystore variables

Was this helpful?

Give Feedback