Downloading the generated CA cert

About this task

Download the CA certificate that Lifecycle Manager (LCM) generates automatically after client-to-node encryption is enabled. LCM automates the process of creating local SSL certificate and keystore files using an internal certificate authority. Configure your CQL clients to trust certificates signed by that certificate authority.


The location of the opscenterd.log file depends on the type of installation:

  • Package installations: /var/log/opscenter/opscenterd.log

  • Tarball installations: install_location/log/opscenterd.log


  1. Enable client-to-node encryption in the configuration profile associated with the cluster.

  2. If the cert was not generated, an error message in both opscenterd.log and the job event details indicates that the SSL certificate is not yet valid. Ensure that there is no clock drift, which can interfere with generating the cert chain properly. Check the clock drift rule in the Best Practice Service to ensure clocks are in sync.


  1. In the Clusters workspace of Lifecycle Manager, select the cluster in the Clusters pane.

  2. In the Cluster Details pane, click the Download Cert link for CA Certificate.

    The browser downloads the certificate file. By default, the DSE client CA certificate file provided by LCM is named cacert and has a PEM format.

  3. Use the CA Certificate to configure CQL clients to communicate over SSL/TLS. The process for configuring each CQL client is unique. Refer to the steps for Connecting to SSL-enabled nodes using cqlsh for an example.

    For example, with the cqlsh client, you can access DSE nodes over SSL with the following command:

    SSL_CERTFILE=cacert cqlsh --ssl <DseNode_Host>

    Clients are able to connect to the DataStax Enterprise cluster using CQL over SSL/TLS.
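Before pointing a client at the downloaded file, it is worth confirming on the client host that the file is a PEM certificate and that the host's clock falls inside the certificate's validity window, since a lagging client clock produces the same "not yet valid" failure described above. The following is an added example, not DataStax code; the function name check_cacert and its return codes are hypothetical, and it assumes the openssl CLI and GNU date are installed.

```bash
# Added example, not DataStax code. Assumes the openssl CLI and GNU date.
# check_cacert FILE [NOW_EPOCH]   (NOW_EPOCH defaults to this host's clock)
#   0  PEM X.509 certificate, NOW inside its validity window
#   1  file missing, or not a PEM X.509 certificate
#   2  notBefore is later than NOW: "not yet valid", check for clock drift
#   3  notAfter is earlier than NOW: expired
check_cacert() {
  local file now start end nb na
  file=$1
  now=${2:-$(date -u +%s)}

  # LCM provides the CA certificate in PEM format; reject anything else up front.
  if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$file" 2>/dev/null ||
     ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
    echo "$file: not a PEM X.509 certificate" >&2
    return 1
  fi

  # openssl prints e.g. "notBefore=Jun  5 12:00:00 2024 GMT"
  start=$(openssl x509 -in "$file" -noout -startdate); start=${start#notBefore=}
  end=$(openssl x509 -in "$file" -noout -enddate);     end=${end#notAfter=}
  nb=$(date -u -d "$start" +%s)
  na=$(date -u -d "$end" +%s)

  if [ "$now" -lt "$nb" ]; then
    echo "$file: not valid before $start (clock behind the issuing host?)" >&2
    return 2
  fi
  if [ "$now" -gt "$na" ]; then
    echo "$file: expired on $end" >&2
    return 3
  fi

  # Subject and SHA-256 fingerprint, for comparison with the copy on other clients.
  openssl x509 -in "$file" -noout -subject -fingerprint -sha256
}

# Run against a file when one is given, e.g.: bash check_cacert.sh cacert
if [ -n "${1:-}" ]; then
  check_cacert "$1"
fi
```

A return code of 2 on a client means that host's clock is behind the certificate's start time; bring the clocks into sync before retrying the cqlsh connection.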
