Configure SSL for HCD

Configure SSL for Hyper-Converged Database (HCD) by implementing Client Certificate Authentication. With this approach, each node checks the certificate presented by the service or client making a request against a local truststore to confirm that the certificate was issued by a known Certificate Authority (CA).

Create SSL certificates, keystores, and truststores

You can implement SSL using certificates signed by a well-known CA, or by creating your own root CA. DataStax recommends using certificates signed by a CA to reduce SSL certificate management tasks. However, you can also use self-signed certificates with HCD, which supports SSL certificates in local and external keystores.

Creating your own CA in a production environment typically involves using an intermediate certificate chain, where the root CA signs one or more intermediate certificates with its private key. These intermediate certificates chain together to link back to the root CA, which owns one or more trusted roots.
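The following added example (not DataStax or HCD code) builds the chain described above with the `openssl` CLI, then shows the trust decision a truststore check makes: a node certificate that chains to the root is accepted and an unrelated self-signed certificate is rejected. All subject names, the SAN `node1.example.internal`, validity periods, and file names are constructed assumptions; importing the results into keystores and truststores is not shown.

```sh
#!/bin/sh
# Added example. Names, lifetimes and file names are constructed, not from HCD.
set -eu

# Build root CA -> intermediate CA -> node certificate, plus an unrelated "rogue" cert.
build_chain() (
  mkdir -p "$1" && cd "$1"
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_intermediate]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_node]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:node1.example.internal
EOF
  # Key and CSR per identity. -nodes leaves keys unencrypted (demo only).
  for name in root intermediate node rogue; do
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
      -subj "/CN=example-$name" -keyout "$name.key" -out "$name.csr" 2>/dev/null
  done
  # Root signs itself; root signs the intermediate; the intermediate signs the node.
  openssl x509 -req -in root.csr -signkey root.key -days 3650 \
    -extfile pki.cnf -extensions v3_root -out root.crt 2>/dev/null
  openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -extfile pki.cnf -extensions v3_intermediate -out intermediate.crt 2>/dev/null
  openssl x509 -req -in node.csr -CA intermediate.crt -CAkey intermediate.key \
    -CAcreateserial -days 365 -extfile pki.cnf -extensions v3_node -out node.crt 2>/dev/null
  # The rogue certificate is self-signed and does not chain to the root.
  openssl x509 -req -in rogue.csr -signkey rogue.key -days 365 \
    -extfile pki.cnf -extensions v3_node -out rogue.crt 2>/dev/null
)

# Succeeds only if the certificate chains through the intermediate to the trusted root.
verify_against_root() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" "$1/$2" >/dev/null 2>&1
}

work=$(mktemp -d)
build_chain "$work"
verify_against_root "$work" node.crt  && echo "node.crt: trusted"
verify_against_root "$work" rogue.crt || echo "rogue.crt: rejected"
```

Here `root.crt` stands in for the trusted entry a truststore would hold, and `pathlen:0` on the intermediate prevents it from issuing further CA certificates.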

Where to configure SSL

HCD supports SSL encryption between nodes (node-to-node communication) and between clients and nodes (client-to-node communication). You can use SSL to encrypt in-flight data for the following HCD services and clients.

HCD services

Use SSL to encrypt data in the following node-to-node connections:

  • HCD Core

  • HCD Search with Apache Solr™

  • HCD Analytics with Apache Spark™

  • HCD Graph

HCD clients

Use SSL to secure connections from a client to the coordinator node to establish client-to-node connections:

  • HCD drivers

  • CQL shell (cqlsh)

  • DataStax Studio

  • DataStax Bulk Loader

  • DataStax Apache Kafka Connector

  • HCD tools

Configure SSL for HCD

Complete the following procedures to configure SSL for HCD:

  1. Create SSL certificates, keystores, and truststores.

  2. Configure SSL for HCD services (node-to-node communication).

  3. Configure SSL for HCD clients (client-to-node communication).

After creating the necessary SSL certificates and configuring SSL for HCD services, use cqlsh to connect to your SSL-enabled cluster.
