Connecting to an SSL enabled node

Connect cqlsh to an SSL enabled node by setting up SSL with environment variables or cqlshrc parameters.

To connect CQL shell to an SSL enabled node, provide the SSL environment variables or parameters in cqlshrc file. Use the DataStax Enterprise sample cqlshrc.sample.ssl file as a starting point.


The default location of the cqlshrc.sample.ssl file depends on the type of installation:
Package installations /etc/dse/cassandra/cqlshrc.sample.ssl
Tarball installations installation_location/resources/cassandra/conf/cqlshrc.sample.ssl


Generate and install SSL certificates. See Configuring SSL.


  1. (Optional) To validate the host certificate, generate a PEM key file. By default, validate remote host certificate is enabled.
    1. Using the node keystore created when setting up SSL, create a PFX file.
      For example:
      keytool -importkeystore \
      -srckeystore .keystore \
      -destkeystore user.p12 \
      -deststoretype PKCS12
    2. Convert the file to PEM key.
      openssl pkcs12 -in user.p12 \
      -out user.pem -nodes

      Use the PEM key when specifying the SSL certificate in the cqlshrc file or environment variable.

    Note: To disable validation, use one of the following settings:
    • Environment variable:
      export SSL_VALIDATE='false'
    • cqlshrc parameter - In the [ssl] section set validate to true:
      validate = false
    Tip: The environment variables (SSL_CERTFILE and SSL_VALIDATE) override any options set in this file.
  2. Set the location of SSL certificate file:
    • cqlshrc - In the [ssl] section specify the path to the certificate file
      certfile = path_to_certificate_file
    • environment variable - For SSL_CERTFILE specify the path to the certificate file:
      EXPORT SSL_CERTFILE='path_to_certificate_file'
    • path_to_certificate_file - Path to the SSL certificate file of the DSE database node or the PEM file created in the first step.