|The Cassandra 1.2 documentation is transitioning to a new format! Please use the new Cassandra 1.2 documentation instead.||Back to Table of Contents All Documents List|
This topic provides information about generating SSL certificates for client-to-node encryption or node-to-node encryption. If you generate the certificates for one type of encryption, you do not need to generate them again for the other: the same certificates are used for both.
All nodes must have all the relevant SSL certificates on all nodes. A keystore contains private keys. The truststore contains SSL certificates for each node and doesn't require signing by a trusted and recognized public certification authority.
To prepare server certificates:
Generate the private and public key pair for the nodes of the cluster.
A prompt for the new keystore and key password appears.
Leave key password the same as the keystore password.
Repeat steps 1 and 2 on each node using a different alias for each one.
keytool -genkey -alias <cassandra_node0> -keystore .keystore
Export the public part of the certificate to a separate file and copy these certificates to all other nodes.
keytool -export -alias cassandra -file cassandranode0.cer -keystore .keystore
Add the certificate of each node to the truststore of each node, so nodes can verify the identity of other nodes.
A prompt for setting a password for the newly created truststore appears.
keytool -import -v -trustcacerts -alias <cassandra_node0> -file <cassandra_node0>.cer -keystore .truststore keytool -import -v -trustcacerts -alias <cassandra_node1> -file <cassandra_node1>.cer -keystore .truststore . . .
Distribute the .keystore and .truststore files to all Cassandra nodes.
Make sure .keystore is readable only to the Cassandra daemon and not by any user of the system.
When client certificate authentication is enabled (require_client_auth=true), generate the certificate as described above. Then import the user's certificate into every node's truststore using keytool:
keytool -import -v -trustcacerts -alias <username> -file <certificate file> -keystore .truststore