Reference: SSL instruction variables

Variables used throughout the SSL instructions.

The following variables are used throughout this section to demonstrate how to create local keystore files when configuring SSL on a two-node, single-datacenter cluster.
Important: Anyone with access to the CA private key and signing certificate can issue certificates that every node in the cluster trusts, in effect acting as the root certificate authority. Always secure these files.

Root certificate authority (CA) variables

rootca_path
Directory where root certificate is created and stored. DataStax recommends securing this directory, ideally on a computer isolated from the network.
rootca.conf
Root CA configuration file.

Distinguished Name (DN) properties

CA_DN
Title for the section containing the Distinguished Name (DN) properties for the CA.
rootca_password
Password that protects the root CA private key (rootca.key), which is used to sign node certificates.
CC
Two letter country code, such as US for United States or JP for Japan. See Nations Online for a complete list of country codes.
org_name
Name of your organization.
cluster_name
Name of your DataStax Enterprise (DSE) cluster.
CA_CN
Common Name (CN) for the root CA.

Key and signing certificate

rootca.key
Private key of the root CA. It signs (authorizes) the DSE node SSL certificates and should never leave the secured rootca_path.
rootca.crt
Root CA certificate. It is placed in the truststore so that nodes trust any certificate signed with rootca.key.

Truststore and keystore variables

dse-truststore.jks
Truststore that contains the root certificate.
Note: Use the same truststore that contains the root certificate on all nodes.
node-keystore.jks
Keystore for the individual node.
node-key_password
Password that protects the node's private key entry inside the keystore (keytool -keypass).
keystore_password
Password required to open the keystore file, node-keystore.jks (keytool -storepass).
truststore_password
Password required to open the truststore file, dse-truststore.jks.
node_certificate_path
Location where the certificate file for each DSE node is created. Typically, SSL certificates and keys are generated on a secure system that is isolated from the network.
node_name
Fully Qualified Domain Name (FQDN) of the node, such as ip-10-200-182-183.example.com. If using the FQDN as the node_name, you can add the IP address as a subject alternative name (SAN) so that the certificate protects the IP address in addition to the domain name.
node_ip_address
IP address of the node. If node_name is a domain name, add san=ip:node_ip_address to the keytool -ext option when generating the node key pair, so that the certificate covers the IP address in addition to the domain name. For example:
-ext "san=ip:10.200.100.52"
signing_request.csr
Certificate signing request (CSR) that is passed to the Certificate Authority (CA) to sign the certificate. The CSR typically includes the public key, plus associated metadata such as the Common Name (CN), Organization (O), Organization Unit (OU), and Country (C).
signing_request.crt_signed
The signed node certificate that the CA produces from the certificate signing request (signing_request.csr). It is imported back into the node keystore.
san_config_file.conf
If using the domain name as the node_name and the node IP address as a subject alternative name (SAN), create a temporary configuration file and pass it to openssl with the -extfile option when signing the CSR. This file is required because openssl x509 -req does not copy the extensions requested in the CSR into the signed certificate. In the configuration file, use the subjectAltName parameter to specify the DNS name and IP address. For example:
subjectAltName=DNS:node_name,IP:node_ip_address
To cover several names or addresses with one certificate, list them all, comma-separated, in a single subjectAltName entry. Repeating the subjectAltName line does not add entries: OpenSSL keeps only the last occurrence of a key in a configuration section. For example:
subjectAltName=DNS:domain1,IP:10.200.100.52,IP:10.200.101.63,IP:10.200.111.74,IP:10.200.121.85
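A complete run of the procedure these variables describe, as an added example that is not DataStax's own script: it writes rootca.conf, creates the root CA with openssl, generates the node key pair and CSR with keytool, signs the CSR with the root CA using the SAN extfile, and imports the results into node-keystore.jks and dse-truststore.jks. The two helper functions build the subjectAltName line and the keytool -ext value from a DNS name plus any number of IP addresses, which is the general case of the single-address examples above. The organization, cluster, node name, IP address and passwords are assumed sample values; run the script with --run on a machine that has openssl and keytool (a JDK) on the PATH.

```shell
#!/bin/sh
# Added example, not DataStax's scripts. Builds a root CA with openssl, a
# per-node keystore with keytool, signs the node CSR with the CA using an
# -extfile SAN configuration, and imports the results. Names, address and
# passwords are assumed sample values, not real hosts or secrets.
set -e

CC=US
org_name="Example Corp"
cluster_name="dse-cluster"
CA_CN="Example DSE Root CA"
rootca_password="changeit-ca"            # assumed sample password
node_name="ip-10-200-182-183.example.com"
node_ip_address="10.200.100.52"
node_key_password="changeit-key"         # assumed sample password
keystore_password="changeit-keystore"    # assumed sample password
truststore_password="changeit-trust"     # assumed sample password

# Contents of rootca.conf, consumed by `openssl req -config`. prompt = no makes
# openssl take the DN fields from the CA_DN section instead of asking.
rootca_conf() {
    printf '[ req ]\ndistinguished_name = CA_DN\nprompt = no\n\n[ CA_DN ]\nC = %s\nO = %s\nOU = %s\nCN = %s\n' \
        "$CC" "$org_name" "$cluster_name" "$CA_CN"
}

# One subjectAltName line for the openssl -extfile (san_config_file.conf).
# OpenSSL keeps a single subjectAltName key per section, so every DNS name
# and IP address goes comma-separated on that one line.
#   usage: san_extfile_line DNS_NAME IP [IP ...]
san_extfile_line() {
    _dns=$1; shift
    _line="subjectAltName=DNS:$_dns"
    for _ip in "$@"; do _line="$_line,IP:$_ip"; done
    printf '%s\n' "$_line"
}

# Matching value for keytool's -ext option when generating the key pair.
#   usage: keytool_san_ext DNS_NAME IP [IP ...]
keytool_san_ext() {
    _dns=$1; shift
    _ext="san=dns:$_dns"
    for _ip in "$@"; do _ext="$_ext,ip:$_ip"; done
    printf '%s\n' "$_ext"
}

# Full procedure; needs openssl and keytool on PATH. Works in a scratch dir.
create_ca_and_node_stores() {
    work=$(mktemp -d)
    cd "$work"

    rootca_conf > rootca.conf
    openssl req -config rootca.conf -new -x509 -newkey rsa:2048 -days 365 \
        -passout "pass:$rootca_password" -keyout rootca.key -out rootca.crt

    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 -storetype JKS \
        -alias "$node_name" -keystore node-keystore.jks \
        -storepass "$keystore_password" -keypass "$node_key_password" \
        -dname "CN=$node_name, OU=$cluster_name, O=$org_name, C=$CC" \
        -ext "$(keytool_san_ext "$node_name" "$node_ip_address")"

    keytool -certreq -alias "$node_name" -keystore node-keystore.jks \
        -storepass "$keystore_password" -keypass "$node_key_password" \
        -file signing_request.csr

    # openssl x509 -req does not copy extensions from the CSR, hence -extfile.
    san_extfile_line "$node_name" "$node_ip_address" > san_config_file.conf
    openssl x509 -req -days 365 -CAcreateserial -CA rootca.crt -CAkey rootca.key \
        -passin "pass:$rootca_password" -in signing_request.csr \
        -extfile san_config_file.conf -out signing_request.crt_signed

    # Root cert first so keytool can build the chain, then the signed node cert
    # replaces the self-signed one under the node alias.
    keytool -importcert -noprompt -storetype JKS -alias rootca -file rootca.crt \
        -keystore node-keystore.jks -storepass "$keystore_password"
    keytool -importcert -noprompt -storetype JKS -alias "$node_name" \
        -file signing_request.crt_signed -keystore node-keystore.jks \
        -storepass "$keystore_password" -keypass "$node_key_password"

    # Shared truststore holding only the root certificate; same file on all nodes.
    keytool -importcert -noprompt -storetype JKS -alias rootca -file rootca.crt \
        -keystore dse-truststore.jks -storepass "$truststore_password"

    # Checks: the chain validates and the SAN is present in the signed cert.
    openssl verify -CAfile rootca.crt signing_request.crt_signed
    openssl x509 -in signing_request.crt_signed -noout -text | grep -A1 'Subject Alternative Name'
    echo "keystore and truststore written to $work"
}

if [ "${1:-}" = "--run" ]; then
    create_ca_and_node_stores
fi
```

The private key never leaves the node keystore: keytool generates it, only the CSR travels to the CA machine, and only the signed certificate and rootca.crt come back. Copy dse-truststore.jks unchanged to every node; node-keystore.jks is per node.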