Setting up SSL certificates
General steps for generating certificate signing requests, signing, and creating a keystore and truststore for development and production environments.
Use SSL certificates for client-to-node encryption and node-to-node encryption. DataStax supports SSL with a certificate for each node signed either by a well-known CA or by a bring-your-own (BYO) root Certificate Authority.
These steps walk you through the general process of generating and distributing SSL certificates with OpenSSL and Java keytool. For a production environment, sign node certificates through an intermediate certificate chain rather than directly with the root; see the OpenSSL root CA instructions.
Prerequisites
Perform the following steps on a dedicated CA server that is fully encrypted and permanently isolated from the network. When using a BYO CA, always create the root pair for certificate signing in a secure environment. Anybody with access to the root CA files can use them to sign certificates, and every node and client that trusts your root will accept what they sign.
Procedure
1. BYO root CA only: create your own root CA for signing node certificates.

2. Create a single truststore:

   keytool -importcert -file '../ca/rootCa.crt' \
     -keystore dse-truststore.jks \
     -storepass truststorePass \
     -noprompt

   Tip: Even when using a well-known certificate authority, DataStax recommends creating a truststore with the signing CA certificate (or the certificate chain, following the instructions from your CA). The truststore contains a single entry. Verify the truststore using the following command:

   keytool -list \
     -keystore dse-truststore.jks \
     -storepass truststorePass

3. For each node in the cluster, create a keystore and key pair, and a certificate signing request using the FQDN of the node.

4. Sign the certificate signing request of each node:

   - BYO root CA: using the root CA created in step 1, sign each node's certificate:

     openssl x509 -req -CA '../ca/rootCa.crt' \
       -CAkey '../ca/rootCa.key' \
       -in node0.csr \
       -out node0.crt_signed \
       -days 365 \
       -CAcreateserial \
       -passin pass:myPass

     A signed certificate file is created. Verify that it was properly signed:

     openssl verify -CAfile '../ca/rootCa.crt' node0.crt_signed
     node0.crt_signed: OK

     Note that openssl verify only checks the chain to the root. As written, the openssl x509 -req command adds no extensions to the certificate (extensions in the CSR are not carried over unless you ask for them), so the result has no subjectAltName and no key usage. If your clients verify host names, pass an -extfile that sets subjectAltName to the node's FQDN, and include both serverAuth and clientAuth in extendedKeyUsage, because each node is also a TLS client for node-to-node connections.

   - Well-known CA: send the certificate signing request to the CA for signing.

5. For each node in the cluster, import the signed certificates into the keystores.

6. Move the truststores and keystores to a computer with access to the DSE nodes and distribute them to each node.
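The procedure above, run end to end in a scratch directory, as an added example that is not the page's own code: a POSIX shell script that creates a BYO root CA, issues a certificate per node with the FQDN in the subjectAltName, builds the keystore and truststore, and verifies the result with a host-name check as well as a chain check. Node names (node0.example.internal, node1.example.internal), the organisation, the passphrases and the directory layout are constructed. It departs from the page in one respect: the node key pair is generated with openssl and packed into a PKCS12 file, rather than generated inside the JKS with keytool -genkeypair, so the openssl steps run without a JDK; the JKS truststore and the keytool conversion of the keystore to JKS are produced only when keytool is on the PATH. Requires openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not the DataStax page's own commands: an end-to-end BYO root CA
# run in a scratch directory. Node names, organisation and passphrases are
# constructed. Needs openssl 1.1.1+; keytool (JKS) steps run only if a JDK is on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_PASS="myPass"            # rootCa.key passphrase (constructed, as on the page)
KEY_PASS="keystorePass"     # node keystore passphrase (constructed)
TRUST_PASS="truststorePass" # truststore passphrase (as on the page)
ORG="Example Corp"          # constructed

# Step 1 (BYO): self-signed root, CA:TRUE, usable only for certificate/CRL signing.
make_root_ca() {
  mkdir -p "$WORK/ca"
  cat > "$WORK/ca/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = DSE Cluster Root CA
O  = $ORG
[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:4096 -sha256 -days 1825 -config "$WORK/ca/ca.cnf" \
    -keyout "$WORK/ca/rootCa.key" -passout "pass:$CA_PASS" -out "$WORK/ca/rootCa.crt" 2>/dev/null
}

# Step 2: the truststore carries only the root certificate, never a key.
make_truststore() {
  command -v keytool >/dev/null 2>&1 || return 0
  keytool -importcert -noprompt -alias rootca -file "$WORK/ca/rootCa.crt" \
    -keystore "$WORK/dse-truststore.jks" -storepass "$TRUST_PASS" >/dev/null 2>&1
}

# Step 3: node key pair and CSR with the FQDN in both CN and subjectAltName
# (the page does this inside the JKS with keytool -genkeypair and -certreq).
make_node_csr() {
  openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "/CN=$1/O=$ORG" \
    -addext "subjectAltName=DNS:$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Step 4 (BYO): sign. Extensions are restated via -extfile instead of relying on
# x509 -req to carry them over from the CSR (traditionally it does not). clientAuth
# is included because each node is also a TLS client in node-to-node traffic.
sign_node_csr() {
  cat > "$WORK/$1.ext" <<EOF
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectAltName         = DNS:$1
authorityKeyIdentifier = keyid
EOF
  openssl x509 -req -sha256 -days 365 -CAcreateserial -CA "$WORK/ca/rootCa.crt" \
    -CAkey "$WORK/ca/rootCa.key" -passin "pass:$CA_PASS" -in "$WORK/$1.csr" \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt_signed" 2>/dev/null
}

# The page's signing command without -extfile, kept for comparison: it chains to
# the root just as well, so 'openssl verify' alone cannot tell you the SAN or
# key-usage extensions are missing.
sign_node_csr_bare() {
  openssl x509 -req -sha256 -days 365 -CAcreateserial -CA "$WORK/ca/rootCa.crt" \
    -CAkey "$WORK/ca/rootCa.key" -passin "pass:$CA_PASS" -in "$WORK/$1.csr" \
    -out "$WORK/$1.crt_bare" 2>/dev/null
}

# Checks: chain and host-name binding (what a verifying client does), SAN, CA bit.
verify_node_cert() {
  openssl verify -CAfile "$WORK/ca/rootCa.crt" -verify_hostname "$1" "$WORK/$1.crt_signed" >/dev/null 2>&1
}
chains_to_root() { openssl verify -CAfile "$WORK/ca/rootCa.crt" "$1" >/dev/null 2>&1; }
has_san() { openssl x509 -noout -text -in "$1" | grep -q "DNS:"; }
is_ca()   { openssl x509 -noout -text -in "$1" | grep -q "CA:TRUE"; }

# Step 5: key + signed cert + root into PKCS12, then into JKS as the page uses.
# The PEM private key is then deleted so it exists only inside the keystore.
make_node_keystore() {
  openssl pkcs12 -export -name "$1" -inkey "$WORK/$1.key" -in "$WORK/$1.crt_signed" \
    -certfile "$WORK/ca/rootCa.crt" -passout "pass:$KEY_PASS" -out "$WORK/$1-keystore.p12"
  if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -noprompt -srckeystore "$WORK/$1-keystore.p12" -srcstoretype PKCS12 \
      -srcstorepass "$KEY_PASS" -destkeystore "$WORK/$1-keystore.jks" -deststoretype JKS \
      -deststorepass "$KEY_PASS" >/dev/null 2>&1
  fi
  rm -f "$WORK/$1.key"
}

provision_node() { make_node_csr "$1"; sign_node_csr "$1"; verify_node_cert "$1"; make_node_keystore "$1"; }

make_root_ca
make_truststore
for n in node0.example.internal node1.example.internal; do provision_node "$n"; done
sign_node_csr_bare node0.example.internal
echo "artifacts in $WORK; step 6 is to copy the keystores and truststore to the nodes"
```

Only rootCa.crt leaves the CA machine (inside the truststore and as the chain in each keystore); rootCa.key stays behind. The keytool -importkeystore call leaves each key entry protected with the same password as its store, which is what a single keystore password setting on the node expects. Compare has_san on node0.example.internal.crt_signed and on node0.example.internal.crt_bare to see what -extfile adds; both pass openssl verify.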